Device policy for USB - NT AUTHORITY\SYSTEM (Initiator)


kasperskyfan
Posted

I have the latest KSC 14.2 and a device policy for USB.
The problem is that when I allow a user to use USB, I receive the notification "Event "Operation with the device prohibited" has occurred on device", but for "User: NT AUTHORITY\SYSTEM (Initiator)". I have a lot of these notifications.

Is this normal behavior and what is the best practice?

Шанелька
Posted

I am also interested in this problem.

Event Type: Device operation prohibited
Device category: Device
Device type/Bus type: Removable drives
Device ID: SCSI\DISK&**********PORTABLE_SSD_T5\8&********7&0&00******
Device VID/PID: DISK&VEN_SAMSUNG&PROD_PO
User: NT AUTHORITY\SYSTEM (Initiator)
Result\Decision: Deny
Result\Operation: Read

In this case, the external drive is fully accessible; you can create and delete folders and files.

 

  • 2 weeks later...
kasperskyfan
Posted

Can anyone else confirm these results with the Device Control policy?

ElvinE5
Posted

Yes, this is a normal situation... When I first encountered something like this, I tortured the support with questions.

Basically, you only allowed access to the user, but not to the system...

That's why you receive this notification. Add this user NT AUTHORITY\SYSTEM to the rule that you created for your user... so that it does not bother you anymore.

kasperskyfan
Posted
On 4/15/2024 at 5:16 PM, ElvinE5 said:

Yes, this is a normal situation... When I first encountered something like this, I tortured the support with questions.

Basically, you only allowed access to the user, but not to the system...

That's why you receive this notification. Add this user NT AUTHORITY\SYSTEM to the rule that you created for your user... so that it does not bother you anymore.

Giving Read permissions to NT AUTHORITY\SYSTEM looks like a huge security risk.
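
Added example, not part of any post in this thread and not Kaspersky code: a triage script over Device Control events in the "Key: value" layout of the event quoted above. It separates denies initiated by NT AUTHORITY\SYSTEM from denies hit by interactive accounts, so the SYSTEM entries can be reviewed per device and operation before any rule is changed. The sample events, the device IDs, the CONTOSO\alice account and the blank-line-separated text export are all constructed assumptions.

```python
from collections import Counter

SYSTEM_ACCOUNT = r"NT AUTHORITY\SYSTEM"

# Constructed sample events in the layout of the event quoted in the thread.
SAMPLE = r"""
Event Type: Device operation prohibited
Device ID: SCSI\DISK&EXAMPLE_SSD\0001
User: NT AUTHORITY\SYSTEM (Initiator)
Result\Decision: Deny
Result\Operation: Read

Event Type: Device operation prohibited
Device ID: SCSI\DISK&EXAMPLE_SSD\0001
User: NT AUTHORITY\SYSTEM (Initiator)
Result\Decision: Deny
Result\Operation: Read

Event Type: Device operation prohibited
Device ID: USBSTOR\DISK&EXAMPLE_STICK\0002
User: CONTOSO\alice (Initiator)
Result\Decision: Deny
Result\Operation: Write
"""

def parse_events(text):
    """Split on blank lines; each block becomes a dict of 'Key: value' fields."""
    events = []
    for block in text.strip().split("\n\n"):
        fields = {}
        for line in block.splitlines():
            # Split on the first ': ' only, so backslashes and '&' in values survive.
            key, sep, value = line.partition(": ")
            if sep:
                fields[key.strip()] = value.strip()
        if fields:
            events.append(fields)
    return events

def summarize_denies(events):
    """Count denies per (account, device, operation), split by initiator type."""
    system, interactive = Counter(), Counter()
    for ev in events:
        if ev.get("Result\\Decision") != "Deny":
            continue
        user = ev.get("User", "").replace("(Initiator)", "").strip()
        key = (user, ev.get("Device ID", "?"), ev.get("Result\\Operation", "?"))
        (system if user.upper() == SYSTEM_ACCOUNT else interactive)[key] += 1
    return system, interactive
```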
