Both access denied and allowed events are logged when accessing PDF
Versions / Builds Affected
EndPointSecurity 2012 build 20120104
Status
Open
Problem Summary
When accessing a PDF from a USB storage device, both access denied and access allowed events are logged.
TT / JIRAID
126
How to Identify
- Adobe Reader is installed
- User has full access on USB storage device
- When opening a PDF from a USB storage device, the user has access to it but 2 events are logged:

2012-08-13,14:33:46,372,3,"#00000618","#00000818","info ","DevicesController"," "Audit Failure", "Read only access denied"(2001)"
2012-08-13,14:33:46,372,3,"#00000618","#00000818","info ","DevicesController"," Event data: \\ABTEST\Administrator, CHIPSBNK v2.0.33 USB Device, File Path: D:\kbreport_languard9.pdf , Port_#0001.Hub_#0004, Storage Devices, Volume, USB, 1E3D, 2092, C:\Program Files\Adobe\Reader 10.0\Reader\AcroRd32.exe, 2420, , 1179785, "

and

2012-08-13,14:33:46,372,3,"#00000618","#00000818","info ","DevicesController"," "Audit Success", "Read only access allowed"(2000)"
2012-08-13,14:33:46,372,3,"#00000618","#00000818","info ","DevicesController"," Event data: \\ABTEST\Administrator, CHIPSBNK v2.0.33 USB Device, File Path: D:\kbreport_languard9.pdf , Port_#0001.Hub_#0004, Storage Devices, Volume, USB, 1E3D, 2092, C:\Program Files\Adobe\Reader 10.0\Reader\AcroRd32.exe, 2492, , 1179785, "
Workaround / Fix Details
The only workaround (if the customer is getting false-positive alerts on these events) is to create an email rule to delete the emails. See the public article entitled: Both access allowed and denied events are created when opening a PDF
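When reviewing exported logs, the duplicate can be separated from a genuine denial by checking whether a denied event (2001) has an allowed event (2000) with the same timestamp, user, file path and process image. The Python below is an added example, not part of the original article or the product; the field layout is inferred from the two events quoted above, and the third sample event is constructed.

```python
import re

DENIED, ALLOWED = "2001", "2000"  # event ids as they appear in the quoted log lines

# Constructed sample: events 1-2 are the pair quoted in the article; event 3
# (D:\other.pdf) is invented to show a denial with no matching "allowed" event.
SAMPLE = r'''2012-08-13,14:33:46,372,3,"#00000618","#00000818","info ","DevicesController"," "Audit Failure", "Read only access denied"(2001)"
2012-08-13,14:33:46,372,3,"#00000618","#00000818","info ","DevicesController"," Event data: \\ABTEST\Administrator, CHIPSBNK v2.0.33 USB Device, File Path: D:\kbreport_languard9.pdf , Port_#0001.Hub_#0004, Storage Devices, Volume, USB, 1E3D, 2092, C:\Program Files\Adobe\Reader 10.0\Reader\AcroRd32.exe, 2420, , 1179785, "
2012-08-13,14:33:46,372,3,"#00000618","#00000818","info ","DevicesController"," "Audit Success", "Read only access allowed"(2000)"
2012-08-13,14:33:46,372,3,"#00000618","#00000818","info ","DevicesController"," Event data: \\ABTEST\Administrator, CHIPSBNK v2.0.33 USB Device, File Path: D:\kbreport_languard9.pdf , Port_#0001.Hub_#0004, Storage Devices, Volume, USB, 1E3D, 2092, C:\Program Files\Adobe\Reader 10.0\Reader\AcroRd32.exe, 2492, , 1179785, "
2012-08-13,14:35:02,101,3,"#00000618","#00000818","info ","DevicesController"," "Audit Failure", "Read only access denied"(2001)"
2012-08-13,14:35:02,101,3,"#00000618","#00000818","info ","DevicesController"," Event data: \\ABTEST\Administrator, CHIPSBNK v2.0.33 USB Device, File Path: D:\other.pdf , Port_#0001.Hub_#0004, Storage Devices, Volume, USB, 1E3D, 2092, C:\Program Files\Adobe\Reader 10.0\Reader\AcroRd32.exe, 2420, , 1179785, "
'''

HEADER = re.compile(r'^(\d{4}-\d{2}-\d{2},\d{2}:\d{2}:\d{2},\d+),.*\((\d+)\)"\s*$')

def parse_events(text):
    """Join each header line (timestamp, event id) with its 'Event data:' line."""
    events, pending = [], None
    for line in text.splitlines():
        if pending and "Event data:" in line:
            # Assumption: fields are comma-separated, as in the quoted events.
            fields = [f.strip() for f in line.split("Event data:", 1)[1].split(",")]
            path = next((f[len("File Path:"):].strip() for f in fields
                         if f.startswith("File Path:")), "")
            image = next((f for f in fields if f.lower().endswith(".exe")), "")
            events.append({"ts": pending[0], "id": pending[1], "user": fields[0],
                           "path": path.lower(), "image": image.lower()})
            pending = None
        else:
            match = HEADER.match(line)
            pending = match.groups() if match else None
    return events

def unmatched_denials(events):
    """Denied events with no allowed event for the same timestamp, user, file, process."""
    def key(e):
        return (e["ts"], e["user"], e["path"], e["image"])
    allowed = {key(e) for e in events if e["id"] == ALLOWED}
    return [e for e in events if e["id"] == DENIED and key(e) not in allowed]

if __name__ == "__main__":
    for e in unmatched_denials(parse_events(SAMPLE)):
        print("review:", e["ts"], e["user"], e["path"], e["image"])
```

Only the denial for D:\other.pdf is reported; the denial for D:\kbreport_languard9.pdf is dropped because its allowed twin shares the same timestamp, user, file and process.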
Required Actions
1. Give the customer the article above
2. Close the case.
Priyanka Bhotika