Organizations Detecting GLKVM Devices

Just set up Space, maybe?

Second, is there a way to change the display name? it currently shows ROG PG248Q Display.

Change the EDID.

Third, if the traffic is from the KVM to the cloud server and not flowing through the company network, how would it get detected by the company?

You use the company network to access the internet, and all traffic is inevitably monitored by the company.

Space worked. Thanks. I couldn’t change the display name though. Not sure how to change it. I found the display I want to use:

    Sony | SNY5203 | DELL U2515H | 1920x1080 | 24.9 | 2013 | [C320328B1632](<Digital/Sony/SNY5203/C320328B1632>)

What value should go in custom EDID?

If the KVM is connected to the work laptop on my home LAN, and I’m connected to the company network over VPN, is the traffic still visible on the company network? Is there a way to isolate it? If not, what other solutions are available?

I connected my Comet 1 to a work laptop, within 10 minutes I got the call from the security team and escalation that I had violated policy. Seriously it was that quick.

Wow, that's crazy. Did you change all the configurations such as device name, vendor ID, etc. before hooking it up? Does your work laptop have agents installed such as Zscaler, Jamf, FortiClient, etc.?

I didn’t change anything because, quite frankly I didn’t know. It was a bank/financial with security like I’ve never seen. Yeah they had local agents, not sure which, doesn’t everything these days.

Disable virtual media first if you connect the KVM to any company PC. It's like connecting a thumb drive to your PC, which will inevitably trigger an alert from the security software.


Understood. That's probably one of the reasons it was detected easily. Not to say that after changing all of the settings it won't be detected.

@minmie any solution to avoid the network getting detected? What would it show like? Do you have any screenshots and stuff?

It's hard to say, as I'm not a developer of IT software. It's difficult to determine what criteria they use for detection. Theoretically, network detection isn't that easy to implement or achieve accurately. Possible solutions (without considering targeting a specific brand or model for tailored detection) include:

  1. Detecting WebRTC hole-punching behavior, but this is very common—even the ChatGPT webpage creates such connections.
  2. Detecting access to certain specific websites, such as glkvm.com. This can be hidden using a router that supports VPN, or Tailscale networking.

No surprise; all the endpoint agents have signatures to look for keywords or certain hardware. This is all automated and will fire off an alert when the agents detect something like that.

Thanks for the advice about configuring the Comet.

Just as an FYI.

When the bank security team called me they told me they detected a KVM device connected to the laptop USB port.

So they knew it was a KVM and not just a USB drive.

After changing the KVM device identity to a Logitech keyboard, could endpoint software still detect at a deeper layer, based on the chip signatures, that it is a KVM device?

I believe it is most likely you didn't disable the USB drive, and the USB drive name shows up as GLKVM. Since the name itself contains "KVM," to be more sure, the IT guy(s) could Google the name and figure out it is more than just a USB drive.

Well... Think about this for a second.

What would trigger a heuristic?

And can one track this heuristic? Then the answer is yes.

If I'm very honest with you, they can know about anything when it is connected to USB or any hotplugged device. Often they disable USB ports too, to combat misuse, so that ransomware on a USB stick doesn't accidentally get delivered.

But to go back to heuristics: it is weird to find two separate keyboards in Device Manager, and this also counts for screens.

So this KVM can be 100% detected. It will not be if you work at home on a personal laptop, for example, but it will be if the laptop is from the company: they will have something installed that looks into those events, which they call agent software.

On a physical network they can also look at heuristics. For them it can be really easy to scope out a foreign device on a network that often has the exact same brand of PCs, or PXE network-booted PCs. One heuristic could easily be the contact with time servers; they can detect clouds, look up the device's OUI vendor, and a good network admin may even manually interfere by creating a pcap and learning about this unusual traffic.

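As an added example (not code from this thread or from GL.iNet), the endpoint-side heuristics the post above describes, a device name containing "KVM", one USB device exposing both HID and mass-storage interfaces, and a second keyboard showing up, written as a check over a constructed USB inventory; the vendor/product IDs and names are placeholders, not real device records:

```python
"""Flag USB inventory entries that match the KVM heuristics discussed above."""
from dataclasses import dataclass, field

HID, MASS_STORAGE = 0x03, 0x08    # USB interface class codes
KEYBOARD_PROTOCOL = 0x01          # HID boot-interface protocol value for a keyboard


@dataclass
class UsbInterface:
    cls: int            # interface class
    protocol: int = 0   # interface protocol (only meaningful for HID here)


@dataclass
class UsbDevice:
    vid: int
    pid: int
    manufacturer: str
    product: str
    interfaces: list = field(default_factory=list)


def detect_kvm_indicators(devices):
    """Return (rule, detail) tuples for every heuristic that fires."""
    findings, keyboards = [], []
    for d in devices:
        label = f"{d.vid:04x}:{d.pid:04x} {d.manufacturer} {d.product}"
        # Rule 1: the descriptor strings themselves advertise a KVM.
        if "kvm" in f"{d.manufacturer} {d.product}".lower():
            findings.append(("name_contains_kvm", label))
        # Rule 2: keyboard/mouse plus a disk on one device, i.e. virtual media left enabled.
        classes = {i.cls for i in d.interfaces}
        if HID in classes and MASS_STORAGE in classes:
            findings.append(("hid_plus_mass_storage", label))
        if any(i.cls == HID and i.protocol == KEYBOARD_PROTOCOL for i in d.interfaces):
            keyboards.append(label)
    # Rule 3: a laptop normally has exactly one keyboard attached.
    if len(keyboards) > 1:
        findings.append(("multiple_keyboards", "; ".join(keyboards)))
    return findings


# Constructed sample inventory: placeholder IDs and names, not real devices.
SAMPLE_DEVICES = [
    UsbDevice(0x1111, 0x0001, "LaptopVendor", "Internal Keyboard",
              [UsbInterface(HID, KEYBOARD_PROTOCOL)]),
    UsbDevice(0x2222, 0x0002, "ExampleCo", "Example KVM Virtual Media",
              [UsbInterface(HID, KEYBOARD_PROTOCOL), UsbInterface(HID, 2),
               UsbInterface(MASS_STORAGE)]),
]

if __name__ == "__main__":
    for rule, detail in detect_kvm_indicators(SAMPLE_DEVICES):
        print(f"{rule}: {detail}")
```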

Bad ones, too. I had an IT guy rate-limit a webcam we were using to run a test with a foreign customer because he noted the weird network behavior. Nearly lost us the contract!
