Keylogger whitelisting in LES

Version 1

    Details

    4.4SR7 or higher (server and client) 

    INFORMATION

    When you install the LDC protection on client machines, some HID devices can be detected as keyloggers and so blocked by the settings of Device Control (depending on the machine option set for 'USB Key Logger'). Since 4.4SR7 you have the ability to whitelist specific HIDs and hence prevent this false-positive keylogger alert.
    For an explanation of false keylogger alerts, please see KB 571, Explanation about false keylogger alerts.

    PROCEDURE

    If you would like to whitelist specific devices, please follow the method outlined below:

         
    1. Identify the HID of the device that is being logged as a keylogger.  The easiest way to do this is to go to Log Explorer in the Management Console and run a Keylogger report template such as "Keylogger this week". This will show details of the keylogger event including the HID you now wish to whitelist. Be aware that this is case-sensitive. 
    2.    
    3. To implement you use a hidden option (77) that can be controlled by using the sxopt.exe tool provided with the installation software, located the in bin\tools\ folder. This tool should be run on the application server by a user with LES Enterprise Admin rights.

    An example of usage:

    sxopt servername -s 77 "HID\Vid_413c&Pid_2003&Rev_0301,HID\Vid_05f9&Pid_2209&Rev_0175" -ca

    This will whitelist the two HID values for all clients.

    Syntax:

    sxopt servername -g 77 -ca (this shows the current option status)
    sxopt servername -s 77 "opt_value" -ca (this sets the option to opt_value)
    sxopt servername -d 77 -ca (this removes/unsets the option and reverts back to the default)

    If you would like to whitelist HIDs only on specific machines, use the -c switch followed by the client hostname instead of the -ca switch shown above.

    Example:

    sxopt servername -s 77 "HID\Vid_413c&Pid_2003&Rev_0301,HID\Vid_05f9&Pid_2209&Rev_0175" -c MyClientHostName

    NOTE: Do not enter the FQDN, just the hostname.

    Syntax:

    sxopt servername -g 77 -c MyClientName (this shows the option status for this particular machine)
    sxopt servername -s 77 "opt_value" -c MyClientName (this sets the option to opt_value for this particular machine)
    sxopt servername -d 77 -c MyClientName (this removes/unsets the option and reverts back to the default for this particular machine)

    After completing this, change any permission in Device Explorer and send out the update. It does not matter what you change, and you can set it back again afterwards; the change is only needed to increment the sequence number so that the option set above is pushed to the client(s). Once the client has received the update, it should no longer log a keylogger event for the HID(s) specified.
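    The following PowerShell script is an added example and is not part of this KB article or shipped with LES. It wraps the sxopt call from step 2: it checks that each HID string has the shape shown in the examples above (HID\Vid_xxxx&Pid_xxxx&Rev_xxxx), preserves the case of the values exactly as copied from Log Explorer, strips an accidentally supplied FQDN down to the hostname for the -c form, and then runs sxopt -s 77 followed by sxopt -g 77 so the stored value is shown for the change record. The install path of sxopt.exe, the script name, and the assumption that sxopt returns a non-zero exit code on failure are assumptions, not facts from the article; the server name is passed as the first positional argument exactly as in the article's own examples.

```powershell
# Set-LesKeyloggerWhitelist.ps1 (added example, not part of the LES product or this KB)
# Run on the LES application server as a user with LES Enterprise Admin rights.
param(
    [Parameter(Mandatory)] [string]   $ServerName,                       # LES application server
    [Parameter(Mandatory)] [string[]] $Hid,                              # HIDs copied from the keylogger report
    [string] $Client,                                                    # omit to apply to all clients (-ca)
    [string] $SxoptPath = 'C:\Program Files\LES\bin\tools\sxopt.exe',    # placeholder install path (assumption)
    [switch] $DryRun                                                     # print the command without running it
)

# Shape check only: the report value is case-sensitive, so the case of each HID is left untouched.
$hidPattern = '^HID\\Vid_[0-9A-Fa-f]{4}&Pid_[0-9A-Fa-f]{4}(&Rev_[0-9A-Fa-f]{4})?$'
foreach ($h in $Hid) {
    if ($h -notmatch $hidPattern) {
        throw "Unexpected HID format '$h' (expected HID\Vid_xxxx&Pid_xxxx&Rev_xxxx, copied exactly from Log Explorer)"
    }
}

# Remove exact duplicates with an ordinal (case-sensitive) comparison so two values that differ
# only in case are both kept; the client compares case-sensitively, so both may be needed.
$seen    = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::Ordinal)
$ordered = foreach ($h in $Hid) { if ($seen.Add($h)) { $h } }
$optValue = $ordered -join ','          # option 77 takes a comma-separated list, as in the KB example

# Scope: per-client (-c hostname) or all clients (-ca). The KB requires the hostname, not the FQDN.
if ($Client) {
    $hostOnly = $Client.Split('.')[0]
    if ($hostOnly -ne $Client) { Write-Warning "FQDN '$Client' reduced to hostname '$hostOnly'" }
    $scope = @('-c', $hostOnly)
} else {
    $scope = @('-ca')
}

$setArgs = @($ServerName, '-s', '77', $optValue) + $scope
$getArgs = @($ServerName, '-g', '77') + $scope

Write-Host "sxopt $($setArgs -join ' ')"
if ($DryRun) { return }

if (-not (Test-Path -LiteralPath $SxoptPath)) { throw "sxopt.exe not found at '$SxoptPath'" }

& $SxoptPath @setArgs
# Assumption: sxopt reports failure through a non-zero exit code.
if ($LASTEXITCODE -ne 0) { throw "sxopt -s 77 exited with code $LASTEXITCODE" }

# Read the option back so the applied value appears in the change record.
& $SxoptPath @getArgs

Write-Host 'Now change any permission in Device Explorer and send the update so the clients receive option 77.'

# Usage (values below are the KB's example HIDs; the hostnames are placeholders):
#   .\Set-LesKeyloggerWhitelist.ps1 -ServerName servername `
#       -Hid 'HID\Vid_413c&Pid_2003&Rev_0301','HID\Vid_05f9&Pid_2209&Rev_0175' -DryRun
#   .\Set-LesKeyloggerWhitelist.ps1 -ServerName servername `
#       -Hid 'HID\Vid_413c&Pid_2003&Rev_0301' -Client MyClientHostName.corp.example
```

    Run it first with -DryRun to see the exact sxopt command line that will be issued; the value is passed as a single argument, so the ampersands in the HID strings need no extra quoting when invoked through PowerShell's call operator.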