7 Replies Latest reply on Jun 28, 2016 1:05 AM by rapthomas

    IronKey

    duberyy_wotsit Apprentice
      Has anyone dealt with IronKey USB drives?  I can only get them to work using a hash.  File matching even on ironkey.exe with no metadata doesn't work.  The IronKey presents itself as a CD-Rom drive so I guess it is related to that.  The .exe's related to ironkey will work if copied locally.

      I don't really want to add any hash rules to the "domain users" group as that will mean every file from that point on will need hashing before execution...
        • 1. Re: IronKey
          Roger1 Apprentice
          We use IronKeys but we use a different tool for whitelisting instead of AppSense.  However, I use signatures in AM for a good number of applications that require elevation without any impact to performance.  That said, it is a good idea to not go overboard on the hashes/signatures due to potential performance issues.

          Trusted Ownership is determined by reading the NTFS permissions of each file which attempts to run.  AM blocks any file where the ownership cannot be established, such as files located on non-NTFS drives, removable storage devices, or network locations.  Digital Hashing (Signatures) is required on locations that don't use NTFS.
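The Trusted Ownership decision described in the reply above, approximated in PowerShell as an added example (this is not AppSense/Ivanti code and not from the thread). It reads the volume type and file system of the drive a file sits on, and only on an NTFS fixed disk goes on to read the NTFS owner. The trusted-owner list is an assumption for illustration; the real list is whatever the AM configuration defines. The drive letter E: for the IronKey's CD-ROM partition is likewise assumed.

```powershell
# Added example (not AppSense/Ivanti code): approximate Application Manager's
# Trusted Ownership decision for one file. AM reads the NTFS owner of the file
# and allows it only if the owner is in its trusted-owner list; anything on a
# non-NTFS volume, removable/CD-ROM media or a network share has no usable
# owner and is blocked unless a signature (hash) item matches.
# The trusted-owner list below is an assumption for illustration; the real
# list is whatever the AM configuration defines.
function Test-TrustedOwnership {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)

    $trustedOwners = @(
        'NT AUTHORITY\SYSTEM',
        'BUILTIN\Administrators',
        'NT SERVICE\TrustedInstaller'
    )

    $item = Get-Item -LiteralPath $Path -ErrorAction Stop
    $root = [System.IO.Path]::GetPathRoot($item.FullName)

    $result = [ordered]@{
        Path       = $item.FullName
        Root       = $root
        DriveType  = $null
        FileSystem = $null
        Owner      = $null
        Allowed    = $false
        Reason     = $null
    }

    # UNC paths: no local volume, so no NTFS owner to trust
    if ($root -like '\\*') {
        $result.DriveType = 'Network'
        $result.Reason    = 'network location: ownership cannot be established'
        return [pscustomobject]$result
    }

    $drive = New-Object System.IO.DriveInfo($root)
    $result.DriveType  = $drive.DriveType.ToString()
    $result.FileSystem = if ($drive.IsReady) { $drive.DriveFormat } else { 'unknown' }

    # Removable/CD-ROM media and non-NTFS volumes (FAT32, CDFS, UDF ...) fall
    # outside Trusted Ownership; an IronKey's CD-ROM partition lands here.
    if (($result.DriveType -in @('Removable', 'CDRom', 'Network')) -or ($result.FileSystem -ne 'NTFS')) {
        $result.Reason = "$($result.DriveType)/$($result.FileSystem): ownership cannot be established, signature item required"
        return [pscustomobject]$result
    }

    $result.Owner = (Get-Acl -LiteralPath $item.FullName).Owner
    if ($trustedOwners -contains $result.Owner) {
        $result.Allowed = $true
        $result.Reason  = 'owner is trusted'
    } else {
        $result.Reason  = 'owner is not in the trusted list'
    }
    [pscustomobject]$result
}

# Usage: a system binary passes; anything on the IronKey's CD-ROM partition
# (drive letter E: assumed here, adjust to the letter the device received) does not.
Test-TrustedOwnership 'C:\Windows\System32\notepad.exe'
Test-TrustedOwnership 'E:\IronKey.exe'
```

The second call is the situation in the original post: the launcher lives on a CDFS volume, so the owner check is never reached and only a signature (hash) item can allow it. Copying the same executable to an NTFS path owned by Administrators is why it runs "if copied locally".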
          • 2. Re: IronKey
            Landon Winburn ITSMMVPGroup
            So do you get a deny message even though the exe is whitelisted? Removable media is denied by default. If you look at your 9000 event you should have the details of the deny and then you can go from there. You may need to pull some Rule Analyzer logs to find out why you're being denied.
            • 3. Re: IronKey
              duberyy_wotsit Apprentice

              Landon wrote:

              So do you get a deny message even though the exe is whitelisted? Removable media is denied by default. If you look at your 9000 event you should have the details of the deny and then you can go from there. You may need to pull some Rule Analyzer logs to find out why you're being denied.

              Had a look at the rules analyser and it gets denied because of removable media rules, which it then states can only be allowed via digital signature rules.

              Best practice has told me not to add digital signature rules to the Everyone or "Domain Users" groups as from that point on every execution will need the file to be hashed.

              Are USB drives counted as removable media?  The Ironkey presents as a CD-Rom so it gets classified that way...
              • 4. Re: IronKey
                duberyy_wotsit Apprentice

                Roger wrote:

                We use IronKeys but we use a different tool for whitelisting instead of AppSense.  However, I use signatures in AM for a good number of applications that require elevation without any impact to performance.  That said, it is a good idea to not go overboard on the hashes/signatures due to potential performance issues.

                If you do introduce a hashing rule does it also use filename before it performs the hash?  Or by adding a single hashed file is it going to have to hash everything from that point on in order to do the compare?  I see the extra setting of EnableSignatureOptimization but this needs a path which I cannot provide for IronKey as the drive letter may change (could just include a load in the config I suppose).
                • 5. Re: IronKey
                  Roger1 Apprentice

                  duberyy_wotsit wrote:

                  If you do introduce a hashing rule does it also use filename before it performs the hash? Or by adding a single hashed file is it going to have to hash everything from that point on in order to do the compare? I see the extra setting of EnableSignatureOptimization but this needs a path which I cannot provide for IronKey as the drive letter may change (could just include a load in the config I suppose).

                  Landon or someone with more experience may need to step in and correct any gross mis-advice I provide but I will attempt to explain from my viewpoint. 

                  • My testing with URM hashing reveals that changing the name of a file has no bearing on the execution of a hashed file.  I assume this would apply to Accessible Items as well.  I’d recommend testing to verify. 

                  • I had to read your question a few times for it to sink in.  Are you saying, once you add a digital signature for an item, is every file executed on a box with that particular AM config checked against the included signature?  I think that would be yes but someone else will need to verify. 

                  • Unsure on the EnableSignatureOptimization. 
                  I’m curious if there is a soft-limit recommendation per device type for using hashes.  I currently have 73 hashed items applied to our workstation environment with no noticeable lag.  Again, we are only using URM - not AAC as in your case.  And this is in conjunction with a 3rd party white-listing tool that uses hashing extensively.
                  • 6. Re: IronKey
                    duberyy_wotsit Apprentice

                    Roger wrote:

                    Landon or someone with more experience may need to step in and correct any gross mis-advice I provide but I will attempt to explain from my viewpoint.

                    • My testing with URM hashing reveals that changing the name of a file has no bearing on the execution of a hashed file.  I assume this would apply to Accessible Items as well.  I'd recommend testing to verify.

                    • I had to read your question a few times for it to sink in.  Are you saying, once you add a digital signature for an item, is every file executed on a box with that particular AM config checked against the included signature?  I think that would be yes but someone else will need to verify.

                    • Unsure on the EnableSignatureOptimization.

                    I'm curious if there is a soft-limit recommendation per device type for using hashes.  I currently have 73 hashed items applied to our workstation environment with no noticeable lag.  Again, we are only using URM - not AAC as in your case.  And this is in conjunction with a 3rd party white-listing tool that uses hashing extensively.

                    I've read up on it and EnableSignatureOptimization requires the hash and also the path to match; if you enable this, it does prevent every file from being hashed.  Can't really be used for USB devices though, as the path can change because you can't guarantee what drive letter the USB device will get.

                    We found across our environment that the hashing did have measurable impact in some areas.  Try using measure-command in powershell to launch some apps and see what impact it has.

                    The best practice doc from August 2015 says:

                    Digital signatures are a process whereby a SHA1, SHA256 or Adler32 hash is made of a file, effectively guaranteeing the file's integrity.

                    • The result is that each time the file is changed the signature will change, which increases the complexity associated with managing and maintaining the environment
                    • Avoid implementing signature items unless absolutely necessary and, where necessary, ensure:
                      • The item is applied to a restrictive rule, e.g. a specific device, user group or process rule
                      • Where possible, the EnableSignatureOptimization setting is enabled (not possible for USB media)
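Two helpers for the points raised in the reply above, as an added example (not from the thread, the AppSense best-practice document or the vendor). The first locates the IronKey's CD-ROM partition by drive type instead of a fixed drive letter (the reason EnableSignatureOptimization cannot be used here) and computes the SHA1 and SHA256 of the launcher executables for signature items; Get-FileHash offers no Adler32 option, so that variant is not shown. The second uses Measure-Command, as suggested, to time repeated process launches so the cost of a signature rule can be compared before and after it is added to a configuration. The file names are the ones mentioned in the thread (ironkey.exe, IKUpdater.exe); the run count and the cmd.exe launch target are assumptions for illustration.

```powershell
# Added example (not from the thread or the AppSense best-practice doc).
#  1. Get-IronKeyLauncherHash finds CD-ROM volumes by drive type rather than by
#     a hard-coded letter and hashes the launcher executables found there
#     (SHA1/SHA256 only; Get-FileHash has no Adler32 algorithm).
#  2. Measure-LaunchTime times repeated launches with Measure-Command so the
#     overhead of signature rules can be measured before/after a policy change.
# File names are the IronKey launchers named in the thread; the run count and
# default launch target (cmd.exe /c exit) are assumptions for illustration.
function Get-IronKeyLauncherHash {
    [CmdletBinding()]
    param(
        [string[]]$FileName  = @('IronKey.exe', 'IKUpdater.exe'),
        [string[]]$Algorithm = @('SHA1', 'SHA256')
    )
    # Win32_LogicalDisk DriveType 5 = CD-ROM; the IronKey's read-only
    # partition reports itself this way, whatever letter it receives.
    $cdRoots = Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=5' |
               Select-Object -ExpandProperty DeviceID
    foreach ($root in $cdRoots) {
        foreach ($name in $FileName) {
            $path = "$root\$name"
            if (-not (Test-Path -LiteralPath $path)) { continue }
            foreach ($alg in $Algorithm) {
                [pscustomobject]@{
                    Path      = $path
                    Algorithm = $alg
                    Hash      = (Get-FileHash -LiteralPath $path -Algorithm $alg).Hash
                }
            }
        }
    }
}

function Measure-LaunchTime {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$FilePath,
        [string[]]$ArgumentList = @('/c', 'exit'),
        [int]$Runs = 10
    )
    # Each sample covers process creation, the AM hook's decision and exit,
    # which is where a signature rule adds its hashing cost.
    $samples = foreach ($i in 1..$Runs) {
        $elapsed = Measure-Command {
            $p = Start-Process -FilePath $FilePath -ArgumentList $ArgumentList `
                               -PassThru -WindowStyle Hidden
            $p.WaitForExit()
        }
        $elapsed.TotalMilliseconds
    }
    $stats = $samples | Measure-Object -Average -Minimum -Maximum
    [pscustomobject]@{
        FilePath = $FilePath
        Runs     = $Runs
        MeanMs   = [math]::Round($stats.Average, 1)
        MinMs    = [math]::Round($stats.Minimum, 1)
        MaxMs    = [math]::Round($stats.Maximum, 1)
    }
}

# Usage: collect the hashes for the signature items, then benchmark a cheap
# launch before and after the signature rule is applied and compare MeanMs.
Get-IronKeyLauncherHash | Format-Table -AutoSize
Measure-LaunchTime -FilePath "$env:SystemRoot\System32\cmd.exe"
```

Run Measure-LaunchTime against the same binary with the signature rule absent and present, on the same machine, and compare the mean rather than a single run; launch times vary enough that one sample says little. A new IronKey firmware or launcher version changes the hashes, which is the maintenance cost the best-practice document warns about.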
                    • 7. Re: IronKey
                      rapthomas Rookie
                      Thought I'd post my experience getting ironkey to work.
                      The main thing I did was include a process exception (set to restricted) for it. I added signatures for the x:\ironkey.exe files (couple of different versions) and also the IKUpdater.exe. Under accessible items I added *.exe and *.dll - the exe tends to call the malware scanner exes (which change regularly) and firefox portable executables.
                      I've also included in the general policy allow to execute signatures for the other dlls and exes from the cdrom, not sure if they really need to be there or not (need more testing). Would prefer to ditch them if the process rule lets everything run.