How to Block unwanted Memory Cards 

Feb 19, 2012 05:56 AM

 

In many organizations, using USB sticks is allowed because it is a business requirement. However, by allowing USB disk storage you are also allowing a lot of unwanted things, for example users connecting their mobile phones, cameras, iPods and other music player devices to the production environment.

This is a worry with regard to data leakage, and because these memory cards are not protected, threats and malware entering by this route are also very common.

So our target should be to allow USB sticks but block these memory cards.

This can be achieved in two steps:

1.       Log these devices using Application Control of SEP, then analyze the logs to find the ones which are not required.

2.       Block the unwanted memory cards using Device Control of SEP.

 

1.       i) Monitor all the device IDs for USB disks centrally from SEPM

Create a new rule set called Registry Disk Drive Monitor.

Create a Registry Access Attempt rule for the following keys:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\DISK\*


For each of these keys, set the following actions:

Read Attempt: Continue processing other rules, enable logging, and no notification

Write, Create and Delete Attempt: Continue processing other rules, enable logging, and no notification

 

ii) Once the rule is enabled, review the logs daily or weekly.

Go to SEPM - Monitors - Logs

Log Type: Application and Device Control

Log Content: Application Control

When reviewing the logs, keep this image as a reference to identify what each device ID is used for:

 

[Image: Application control]

 

E.g.: USBSTORUSBSTOR&DISK&VEN_SONYERIC&PROD__MOBILE_STORAGE&REV1.0….

USBSTORUSBSTOR&DISK&VEN_HTC&PROD_ANDROID_PHONE&REV….

USBSTOR/DISK&VEN_RIM&PROD_BLACKBERRY&REV….

 

2.       Once you have reviewed the devices, removed the USB sticks and allowed devices from the list, and are ready with the devices to block:

Go to SEPM - Policies - Policy Components - Hardware Devices and add the devices you want to block.

Then edit the Device Control policy and block the device IDs you have added to the Hardware Devices list.
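
The log review in step 1 ii) can be scripted. The following is an added example, not part of the original article or of SEP: it pulls the VEN/PROD/REV fields out of exported log lines and counts every device model that is not on an allow list, which gives the candidates for the Hardware Devices list in step 2. The log column layout, the allow-list entry and the sample lines are constructed assumptions.

```python
import re
from collections import Counter

# Vendor/product/revision part of a USBSTOR disk device ID. Accepts both
# "REV_0100" and "REV1.0", since the IDs quoted above use the second form.
DEVICE_ID = re.compile(
    r"DISK&VEN_(?P<ven>[^&\\/\s,]*)&PROD_(?P<prod>[^&\\/\s,]*)"
    r"&REV_?(?P<rev>[^&\\/\s,]*)",
    re.IGNORECASE,
)

# Assumption: models already approved as plain USB sticks (constructed value).
ALLOWED = {("KINGSTON", "DATATRAVELER_3.0")}


def parse_device(line):
    """Return (vendor, product, revision) found in one log line, or None."""
    m = DEVICE_ID.search(line)
    if m is None:
        return None
    return tuple(m.group(g).strip("_").upper() for g in ("ven", "prod", "rev"))


def review(lines, allowed=ALLOWED):
    """Count sightings per device model that is not on the allow list."""
    seen = Counter()
    for line in lines:
        dev = parse_device(line)
        if dev is not None and dev[:2] not in allowed:
            seen[dev[:2]] += 1
    return seen.most_common()  # most frequently seen model first


# Constructed sample lines; the column layout is an assumption, only the
# device ID substring matters to the parser.
SAMPLE_LOG = [
    r"2012-02-20 09:14,PC-014,Read,HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_HTC&Prod_Android_Phone&Rev_0100\SN0001&0",
    r"2012-02-20 09:40,PC-022,Read,HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_HTC&Prod_Android_Phone&Rev_0100\SN0002&0",
    r"2012-02-20 09:51,PC-014,Read,HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_PMAP\SN0003&0",
    r"2012-02-20 10:02,PC-031,Write,USBSTOR\DISK&VEN_SONYERIC&PROD__MOBILE_STORAGE&REV1.0",
    r"2012-02-20 10:05,PC-031,Read,HKLM\SYSTEM\CurrentControlSet\Enum\USB\VID_0000&PID_0000",
]

if __name__ == "__main__":
    for (vendor, product), count in review(SAMPLE_LOG):
        print(f"{count:3d}  VEN_{vendor}  PROD_{product}")
```
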

Comments

Nov 03, 2015 05:17 AM

You may run a Symantec check on your memory; it might have been infected with the shortcut virus. I did face this issue in the past, but after running a virus check it removed the shortcut virus from the memory card. Or you may try this: remove write protection from the SD card.

Feb 27, 2012 03:08 AM

Hi Vikram,

Thanks for the share!!

Does this work for laptop memory card slots also???

Feb 27, 2012 02:23 AM

@Pkh -- I agree, but this requirement came from one of my customers. If you have an alternate idea, let me know. I went the hard way, because anyway I don't have to check and block. But yeah, it works.

Feb 26, 2012 02:37 AM

Using this method to block devices is like King Canute trying to hold back the tide.  You got to block individual devices.  Unless you have a lot of time to spare, this method is not practical.  As soon as you block one device, there will be another.

Feb 25, 2012 05:21 AM

Good stuff

Feb 21, 2012 09:10 PM

Best part is, it seems not to be an out-of-the-box feature. It's good work, using Application Control and Device Control together to achieve this!

Feb 21, 2012 03:10 PM

good stuff!
