Application and Device Control Policy fails to block program running from USB Hard disk

  • 1.  Application and Device Control Policy fails to block program running from USB Hard disk

    Posted Oct 07, 2010 11:51 PM

    HI support,

    My application and device control policy can prevent users from running applications and .exe files from a thumb drive. But why does it not prevent users from running applications and .exe files from a USB hard disk? Under the application and device control policy, the policy is already set to USB drives.

    Please kindly advise on this ASAP. Thanks.

    Regards,
    Boon Hong



  • 2.  RE: Application and Device Control Policy fails to block program running from USB Hard disk

    Broadcom Employee
    Posted Oct 08, 2010 12:02 AM

    Could be it is considered under the storage!!

    Can you check by knowing its device ID and adding the rule?



  • 3.  RE: Application and Device Control Policy fails to block program running from USB Hard disk

    Posted Oct 08, 2010 12:15 AM

    Find out its class ID using DevViewer and add it to the blocked list....



  • 4.  RE: Application and Device Control Policy fails to block program running from USB Hard disk

    Posted Oct 08, 2010 12:55 AM

    Try by adding USB devices in Block List and add Human interface as exception and check.



  • 5.  RE: Application and Device Control Policy fails to block program running from USB Hard disk

    Posted Oct 08, 2010 01:37 AM

    Hi Support,

    Your solution is too brief for me. A USB external hard disk is considered a USB device already, so I should not use the storage. There is no storage selection under the policy setting. Please provide me a better suggestion.

    Regards,
    Boon



  • 6.  RE: Application and Device Control Policy fails to block program running from USB Hard disk

    Broadcom Employee
    Posted Oct 08, 2010 01:43 AM

    Run DevViewer while the USB drive is connected and check the class ID. What does it list?



  • 7.  RE: Application and Device Control Policy fails to block program running from USB Hard disk

    Posted Oct 08, 2010 01:44 AM

    Can you give us a screen shot of the policy?



  • 8.  RE: Application and Device Control Policy fails to block program running from USB Hard disk

    Posted Oct 08, 2010 04:32 AM

    Hi,

    As said by Arvind and Pete, you need to check the device ID and then create a new policy that adds those device IDs to block the external drives, if any.

    Rgrds,

    SAM



  • 9.  RE: Application and Device Control Policy fails to block program running from USB Hard disk

    Posted Oct 08, 2010 02:36 PM

     

    Hi all,

    This thread is included in the Security Solutions Contest.  Simply solve this thread, or any thread included in the contest, and you could be crowned "King of the week" and win a weekly prize.  Learn more here: https://www-secure.symantec.com/connect/blogs/security-solutions-contest-be-king-week

    Good luck everyone!

    Eric



  • 10.  RE: Application and Device Control Policy fails to block program running from USB Hard disk

    Posted Oct 08, 2010 05:27 PM

    Hello,

    As I understand it, you want to block .exe files or applications from flash disks.

    Can you try these steps, please?

    Create a new application or device policy (or modify one if you want).

    Enable and edit "Block Applications from running", choose "block these applications" on the left side, and add your applications on the right side. Edit your applications and choose only these drives, as in the picture below.

    Best Regards.

    Fatih



  • 11.  RE: Application and Device Control Policy fails to block program running from USB Hard disk

    Posted Oct 08, 2010 06:18 PM

    Hi,

    All you need to do is to use a single generic USB device expression for everything.

    - Edit the rule that blocks exe files from thumb drives

    - Uncheck the box : "Only match processes running from the following drive types"

    - Check the box below: "Only match processes running on the following device id type" and input " USBSTOR* " (without the quotation marks) exactly into the box.

    - Save the rule

    - Make sure SEP has updated its policy and retry.

     

    The device IDs of all kinds of USB storage start with USBSTOR, followed by some other info...

    On the other hand, the pre-defined device types work according to how Windows recognizes those drives.



  • 12.  RE: Application and Device Control Policy fails to block program running from USB Hard disk

    Posted Oct 09, 2010 04:05 AM

    Hi Support,

    I have attached the print screen for the USB policy; I hope you can help me after this. To summarize again, my existing Block USB Device Policy is working. I can block users from running applications from a USB thumb drive or flash drive, but I cannot block users with a USB external HDD.

    I have used DevViewer to copy the specific USB external HDD ID and created another policy, but it still cannot control the USB external HDD. Please advise.

    Regards,
    Boon Hong

    Attachment(s)

    doc
    usb policy print screen.doc   241 KB 1 version


  • 13.  RE: Application and Device Control Policy fails to block program running from USB Hard disk

    Posted Oct 09, 2010 04:41 AM

    Uncheck "only match processes running from the following drive types".

    You can keep "only match process running on the following device type" as checked



  • 14.  RE: Application and Device Control Policy fails to block program running from USB Hard disk

    Posted Oct 09, 2010 08:08 AM

    Please try my suggestion above. Otherwise you will have to collect all USB hard drives' device IDs, and that will not be manageable.



  • 15.  RE: Application and Device Control Policy fails to block program running from USB Hard disk

    Posted Oct 09, 2010 08:29 AM

    Besides, the syntax you're using for Device ID is wrong. You should include the plain Device ID from DevViewer apart from the { } symbols.

    And the device you are blocking may not help; you should look under Disk drives. But as I said, my suggestion above will prevent all of this burden...



  • 16.  RE: Application and Device Control Policy fails to block program running from USB Hard disk

    Posted Oct 10, 2010 09:44 PM

    I agree with what Fatih said:

    Application and device control > Application Control >

    You may want to add a new Rule Set...

    Just use the *.exe for wildcard matching in processes and file access and set it to block. And check all except for local and possibly network drives - if your company uses that. They may still be able to copy the file and execute it as local.



  • 17.  RE: Application and Device Control Policy fails to block program running from USB Hard disk

    Posted Oct 12, 2010 02:51 PM

    What is the client operating system?

    Windows XP (32 or 64), Vista (32 or 64), Windows 7 (32 or 64)?

    MAC OS?



  • 18.  RE: Application and Device Control Policy fails to block program running from USB Hard disk

    Posted Oct 13, 2010 12:40 AM

    Has your problem been solved?



  • 19.  RE: Application and Device Control Policy fails to block program running from USB Hard disk

    Posted Oct 13, 2010 01:58 PM

    Make sure the client is 32-bit and all components of SEP are installed.



  • 20.  RE: Application and Device Control Policy fails to block program running from USB Hard disk

    Posted Oct 15, 2010 05:48 AM

    Hello chuaboonhong,

    Please find the attached print screens to create the Application & Device Control Policy. Please follow the screenshots step by step from 1 to 10 (don't miss a single step).

    I hope this will help you.

    Thanks & Regards.

    Hemant Koli.




  • 21.  RE: Application and Device Control Policy fails to block program running from USB Hard disk

    Posted Oct 15, 2010 05:52 AM

    Hello Fatih Teke

    You have to select Local Fixed Drives also, as USB hard disks are detected as local hard drives.



  • 22.  RE: Application and Device Control Policy fails to block program running from USB Hard disk

    Posted Oct 15, 2010 07:06 AM

    No, I don't agree with this. This may affect regular local drives so regular processes.



  • 23.  RE: Application and Device Control Policy fails to block program running from USB Hard disk

    Posted Oct 15, 2010 08:19 PM

    You really need to work out the deviceID that will work for your specific policy and environment.

    Please refer to the following website for a decent explanation of USBSTOR device ID types:

    http://www.osronline.com/ddkx/install/idstrings_4n6v.htm

    You also need to work out how specific you want your policy to be.

    Do you want to block all applications? Or just executables?

    Do you want to block all USB devices? Flash drives, USB hard drives, iPhones/iPods, BlackBerrys, cameras?

    You have to put some thought into the exact deviceID blocks you want to put into the policy.

    You can just use a wildcard like USBSTOR\* to block all USB storage, or you can be more specific and only block particular brands etc. You will have to work it out by plugging the devices in, then using DevViewer and referring to the above website to work out the exact string you require.

    Adding external USB drives to the Hardware Devices list

    1. Open the Symantec Endpoint Protection Manager
    2. Click on Policies
    3. Expand Policy Components
    4. Click on Hardware Devices
    5. Click Add a Hardware Device...
    6. In the field Device Name: usbstorage Note: This can be anything
    7. Choose Device ID: USBSTOR\* (Note: This must be all capital letters and must be spelled correctly)
    8. Click OK

    You will need to then create a blocking policy and use this new hardware device policy component.

    Then test to see if it works as you expected.



  • 24.  RE: Application and Device Control Policy fails to block program running from USB Hard disk

    Posted Nov 12, 2010 10:43 AM

    Hello Chuaboon,

     

    Please follow the steps and let us know the status.

     

    1.  In the Application Control Rule sets, Select 'Block Programs from running from removable drives'

    2.  Highlight the rule set and edit this rule Set

    3.  Right click on 'Rule 1' and add a condition 'File and Folder Access Attempts'

    4.  In the right pane, under 'Apply this rule to the following processes' click on 'Add'

    5.  Type *.exe in the 'File or Folder Name to Match' field

    6.  Select 'Only match files on the following Drive types' and unselect everything except 'Removable Drive'

    7.  Also Select 'Only match files on the following device id type' then Copy and paste the device id here

    a.  USB\VID_1058&PID_0704\575845583038553736333831   (This is your exact device id)

    8.  Click 'OK'

    9.  In the Actions tab, select 'Block Access' for Read Attempt

    10. Select 'Block Access' for Create, Delete, or Write Attempt and then Click 'OK'

    11. Make sure that the policy has been enabled before you assign it to a group

    12. If this is the first time, you must reboot the machine to enable the Application and Device Control Driver



  • 25.  RE: Application and Device Control Policy fails to block program running from USB Hard disk

    Posted Nov 17, 2010 10:01 AM

    See the link below, or find the attached file; it must be helpful.

     

    http://www.symantec.com/business/support/index?page=content&id=TECH138570&actp=search&viewlocale=en_US&searchid=1290005872532




  • 26.  RE: Application and Device Control Policy fails to block program running from USB Hard disk

    Posted Nov 30, 2010 03:57 AM

    Following up on Raja Mohammed's advice,

    "a.  USB\VID_1058&PID_0704\575845583038553736333831 "  (This is your exact device id)

    I believe when you say an external USB drive, it is an external hard disk and not a flash device.

    This needs to have the appropriate class of Device ID, in this instance, USB storage.

    Adding external USB drives to the Hardware Devices list

    · Click the radio button next to Device ID:
    · Type the following in the Device ID: field: USBSTOR\* ... Note: This must be all capital letters and must be spelled correctly
    · The radio button next to Use wildcard matching(* and ? supported) should be checked
    · Check the box next to Only match files on the following device id type
     

    Important Note:
    ===========

    · Reboot clients after they have received the policy for the changes to take effect...
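
The device ID patterns suggested in this thread, checked against a small device inventory. This is an added example, not part of any post and not Symantec's matching engine: the inventory is constructed (only the `USB\VID_1058...` string comes from the thread), and case-sensitive whole-string matching is an assumption taken from the "all capital letters" note.

```python
import re

# Constructed inventory: (label, device instance ID, is a USB disk node).
# Only the USB\VID_1058... string is from the thread; the others are made up.
INVENTORY = [
    ("thumb drive",
     r"USBSTOR\DISK&VEN_GENERIC&PROD_FLASH_DISK&REV_8.07\0123456789AB&0", True),
    ("external HDD, disk node",
     r"USBSTOR\DISK&VEN_WD&PROD_EXT_HDD&REV_1.00\575845583038553736333831&0", True),
    ("external HDD, USB parent node",
     r"USB\VID_1058&PID_0704\575845583038553736333831", False),
    ("internal disk", r"IDE\DISKEXAMPLE_SSD\4&1234ABCD&0&0.0.0", False),
    ("USB keyboard", r"USB\VID_0000&PID_0000\KBD0001", False),
]

# Patterns suggested in the thread, plus a lower-case variant for comparison.
PATTERNS = [
    r"USBSTOR\*",
    "USBSTOR*",
    r"usbstor\*",
    r"USB\VID_1058&PID_0704\575845583038553736333831",
]

def matches(pattern, device_id):
    """Whole-string match where * is any run of characters and ? is one.
    Case-sensitive: an assumption taken from the 'all capital letters' note."""
    regex = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch)
        for ch in pattern
    )
    return re.fullmatch(regex, device_id) is not None

def audit(patterns, inventory):
    """For each pattern: which devices it hits, which USB disk nodes it misses."""
    report = {}
    for pattern in patterns:
        hits = [label for label, dev_id, _ in inventory if matches(pattern, dev_id)]
        missed = [label for label, dev_id, is_disk in inventory
                  if is_disk and not matches(pattern, dev_id)]
        report[pattern] = {"hits": hits, "missed_disks": missed}
    return report

if __name__ == "__main__":
    for pattern, result in audit(PATTERNS, INVENTORY).items():
        print(f"{pattern!r}: hits={result['hits']} missed={result['missed_disks']}")
```

In this model the exact `USB\VID_...` string hits only the USB parent node and misses both disk nodes, while `USBSTOR\*` covers the thumb drive and the external HDD without touching the internal disk or the keyboard.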



  • 27.  RE: Application and Device Control Policy fails to block program running from USB Hard disk

    Posted Dec 01, 2010 05:27 AM



  • 28.  RE: Application and Device Control Policy fails to block program running from USB Hard disk

    Posted Dec 09, 2010 09:41 AM

    I went to Application and Device Control and edited an existing policy. I went under Application Control and checked the box marked "Block programs from running from removable drives". I made sure that it was applied to the correct group I was trying to apply this to, and it worked. Hope this helps.

     

    Randy