Organizations Detecting GLKVM Devices

I know it's possible to spoof or update the HID, PID, and VID of a USB device to make it appear like a standard keyboard or mouse. But I'm curious—can organizations still detect a GLKVM device even after doing this? Has anyone successfully used GLKVM in a setup that went undetected?

I suggest you simply disable virtual media to prevent the emulation of USB drives and CDROMs on the controlled computer. I suspect most IT software wouldn't flag a brand they don't recognize.

It looks like GLKVM is now a recognized brand in some enterprise environments. An infosec alert was triggered in an org (possibly using Carbon Black), and their security team specifically reached out asking if "GLKVM" is hooked up to the machine. That level of specificity was honestly surprising. Version used is 1.3.1 release 2.

As you mentioned, disabling virtual media is a good step. I also updated the /etc/kvmd/override.yaml file to restrict USB gadget mode to HID-only (keyboard/mouse).

If both these steps are done, would that fully remove any GLKVM trace from being detected by endpoint security tools?

Just wondering if there are any other identifiers still exposed even with these changes.

I also suggest you rename the USB identity and switch to a third-party EDID. These features have already been implemented in the WEBUI of version 1.4.0 beta1. You can give it a try.

Did you try the EDID changes in the beta? Was the KVM still identified?