Distinguish between ENUMERATING a CD/DVD and ACCESSING the drive
Currently, ESEC 2013 registers the same "event" whether a user knowingly accesses a CD/DVD drive or explorer.exe simply opens "My Computer" to ENUMERATE the drives.
However, by not distinguishing between an enumeration of the CD/DVD and an intentional access of data, ESEC creates many "false positive" alerts that do not help a sysadmin know whether there is a potential security breach or whether a user simply opened the "Save As" dialog box from within Notepad.
In Windows, "auditing" can be enabled that distinguishes among many different types of "access" such as:
- Traverse Folder
- List Folder
- Read Attributes
- Create Files
- Create Folders
- Read Permissions
- Change Permissions
- (and others)
Therefore, ESEC should also be able to distinguish among these different types of access.
At the very least, add a new category like "CD/DVD Drawer Was Opened/Closed" or else "The CD/DVD Drive Has a Disk In It."
Ironically, the same alert is sent whether the user actually tries to write to a CD/DVD as when Windows enumerates an "empty" CD/DVD drive!
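The distinction the request asks for is exactly what Windows object-access auditing exposes: once "File System" auditing is enabled (auditpol) and a SACL is placed on the drive, every access produces Security event 4663 whose AccessMask field says which rights were requested. The following Python is an added example, not part of the original post or of ESEC, showing how to classify such records so that a bare enumeration (Explorer listing "My Computer", a Save As dialog) is separated from a real read or write. The event records are constructed rather than captured; the directory heuristic in is_directory_object and the set of bits treated as "enumeration" are assumptions of this example, while the bit values themselves are the documented Win32 file access rights.

```python
"""Classify Windows Security event 4663 records by the access rights
actually requested, separating drive enumeration from data access.
Added example; the sample events below are constructed, not captured."""
import re

# File/directory access-right bits as they appear in the AccessMask field
# of event 4663.  Several bits carry two names depending on whether the
# object is a file or a directory.
FILE_READ_DATA        = 0x00001  # FILE_LIST_DIRECTORY on a directory
FILE_WRITE_DATA       = 0x00002  # FILE_ADD_FILE on a directory
FILE_APPEND_DATA      = 0x00004  # FILE_ADD_SUBDIRECTORY on a directory
FILE_READ_EA          = 0x00008
FILE_WRITE_EA         = 0x00010
FILE_EXECUTE          = 0x00020  # FILE_TRAVERSE on a directory
FILE_DELETE_CHILD     = 0x00040
FILE_READ_ATTRIBUTES  = 0x00080
FILE_WRITE_ATTRIBUTES = 0x00100
DELETE                = 0x10000
READ_CONTROL          = 0x20000  # "Read Permissions"
WRITE_DAC             = 0x40000  # "Change Permissions"
WRITE_OWNER           = 0x80000
SYNCHRONIZE           = 0x100000

WRITE_BITS = (FILE_WRITE_DATA | FILE_APPEND_DATA | FILE_WRITE_EA
              | FILE_WRITE_ATTRIBUTES | FILE_DELETE_CHILD | DELETE
              | WRITE_DAC | WRITE_OWNER)
# Assumption: rights that Explorer and common dialogs request merely to
# display a drive, none of which touch file contents.
ENUMERATION_BITS = (FILE_READ_ATTRIBUTES | FILE_READ_EA | READ_CONTROL
                    | SYNCHRONIZE | FILE_EXECUTE)


def classify(access_mask: int, is_directory: bool) -> str:
    """Map a 4663 AccessMask to write / read / execute / enumeration / other."""
    if access_mask & WRITE_BITS:
        return "write"
    # Bit 0x1 is ReadData on a file but only ListDirectory on a directory;
    # 0x20 is Execute on a file but only Traverse on a directory.
    if not is_directory and access_mask & FILE_READ_DATA:
        return "read"
    if not is_directory and access_mask & FILE_EXECUTE:
        return "execute"
    if access_mask & ~(ENUMERATION_BITS | FILE_READ_DATA) == 0:
        return "enumeration"
    return "other"


def is_directory_object(object_name: str) -> bool:
    """Assumption: 4663 reports ObjectType "File" for files and directories
    alike, so a volume root ("D:\\") or a trailing backslash is taken to be
    a directory and anything else a file."""
    return bool(re.fullmatch(r"[A-Za-z]:\\", object_name)) or object_name.endswith("\\")


def classify_event(event: dict) -> str:
    mask = int(event["AccessMask"], 16)  # field is a hex string in the event
    return classify(mask, is_directory_object(event["ObjectName"]))


# Constructed sample records (the fields a 4663 event carries), not real logs.
SAMPLE_EVENTS = [
    {"SubjectUserName": "alice", "ProcessName": r"C:\Windows\explorer.exe",
     "ObjectName": "D:\\", "AccessMask": "0x80"},                 # My Computer
    {"SubjectUserName": "alice", "ProcessName": r"C:\Windows\notepad.exe",
     "ObjectName": "D:\\", "AccessMask": "0x100081"},             # Save As dialog
    {"SubjectUserName": "bob", "ProcessName": r"C:\Windows\explorer.exe",
     "ObjectName": r"D:\payroll.xlsx", "AccessMask": "0x120089"},  # real read
    {"SubjectUserName": "bob", "ProcessName": r"C:\Tools\burn.exe",
     "ObjectName": r"D:\stage\dump.zip", "AccessMask": "0x120196"},  # real write
]


def triage(events):
    """Return (class, user, process, object) for every record."""
    return [(classify_event(e), e["SubjectUserName"], e["ProcessName"], e["ObjectName"])
            for e in events]


def alerts(events):
    """Only data reads, writes and executions are worth an alert; enumeration is noise."""
    return [row for row in triage(events) if row[0] in ("read", "write", "execute")]


if __name__ == "__main__":
    for row in triage(SAMPLE_EVENTS):
        print("%-11s %-6s %-28s %s" % row)
```

Run with the constructed records, the two Explorer/Notepad entries against the volume root come out as "enumeration" and only bob's read of payroll.xlsx and write of dump.zip surface in alerts(), which is the separation the request asks for.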
Heather Paunet (Admin, GFI) commented
Is this still an issue to you? If yes, please post your use case.
Casey Green commented
[Comment date: 10/14/14 7:34]
They changed the way it alerts. ALL the versions from 2012 and earlier have worked as advertised and alerted you when some unauthorized user accessed the device (CD drive). Now they say it is working like it should; well, guess what, NOT!!! We bought it 5-6 years ago because it alerted us to unauthorized usage, not when it enumerated the computer/device. More users need to complain about this issue and maybe they will fix it.