Endpoint Protection

  • 1.  Block USB Drives

    Posted Jun 25, 2012 01:27 PM

    This should be a lot easier than I am making it.

    I am trying to block all removable USB drives except one. I've created an Application and Device Control policy and under the Device Control area I added "Disk Drives" to the Blocked Devices list.

     

    Under the Devices to Exclude From Blocking I added the Device ID (WPDBUSENUMROOT\UMB\2&37C186B&3&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_SDG&PROD_005M&REV_1.00#12345678900000001890&0#) of the particular USB Drive I want to allow. I assigned the policy to a group, moved a test machine into it, and it successfully blocks all the USB Drives I plug in, INCLUDING the drive listed in the "Exclude From Blocking" list.

     

    I'm using SEP 12.1 RU1 and any help you can offer as to how to allow the device to work would be greatly appreciated.



  • 2.  RE: Block USB Drives

    Broadcom Employee
    Posted Jun 25, 2012 01:32 PM

    Has the client taken the policy assigned for this group?



  • 3.  RE: Block USB Drives

    Posted Jun 25, 2012 01:34 PM

    Yes, the two clients I have moved into the test group both have the latest policy. The Policy is actually blocking all the USB Drives I plug in to the systems, I just need to get it to exclude the one USB drive I've listed in the Exclude From Blocking List.



  • 4.  RE: Block USB Drives

    Broadcom Employee
    Posted Jun 25, 2012 01:40 PM

    The USB you are plugging in, does that show the same device ID?

    How to block USB Thumb Drives and USB Hard Drives, but allow specific USB Drives in the Application and Device Control Policy in Symantec Endpoint Protection.

    http://bit.ly/uTVdha

    http://www.symantec.com/docs/TECH104299



  • 5.  RE: Block USB Drives

    Posted Jun 25, 2012 01:49 PM

    I pulled the Device ID for the drive I am trying to exclude from blocking from the DevViewer application. Like I've stated, the blocking part works fine; I need it to exclude a particular device based on its Device ID, but that's the part that isn't happening.



  • 6.  RE: Block USB Drives

    Broadcom Employee
    Posted Jun 25, 2012 03:02 PM

    Hi,

    How to block USB Thumb Drives and USB Hard Drives, but allow specific USB Drives in the Application and Device Control Policy in Symantec Endpoint Protection

    http://www.symantec.com/business/support/index?page=content&id=TECH106304&locale=en_US



  • 7.  RE: Block USB Drives

    Trusted Advisor
    Posted Jun 26, 2012 04:12 AM

    Hello,

    Check this Article:

    How to Block or Allow Devices in Symantec Endpoint Protection

    http://www.symantec.com/docs/TECH175220

    Hope that helps!!



  • 8.  RE: Block USB Drives
    Best Answer

    Posted Jun 26, 2012 06:38 AM

    Thank you to everyone that responded, I appreciate all you've done to try and help, but I think I've been communicating what my problem is incorrectly. I have it semi-resolved, but I'll explain again to try and clear things up.

     

    My organization would like to block all USB thumb drives except for a specific type. I began this process by creating a test group and a new policy. The policy blocked all Device ID "USBSTOR&DISK*" type devices. This worked fine, as none of the USB drives I inserted into the computer in the test group would enable.

     

    Next I went back into the policy to allow the specific type of drive, in this case an encrypted USB drive. I put the exception into the policy as "USBSTOR&DISK&VEN_SDG&PROD_005M&REV_1.00&12345678900000001890&0". I did not initially realize that the last part (12345678900000001890&0) was in fact a serial number. Even though I specifically told the system to allow that single USB drive to work, I could not get it to enable in the systems in the test group.

     

    I then went back and altered what I was excluding from the block down to "USBSTOR&DISK&VEN_SDG&PROD_005M&REV_1.00*" hoping that would allow the thumb drives from Vendor SDG with a product ID of 005M and Revision 1.00 to be excluded from the block policy. It did not work. All the drives of that type were still blocked.

     

    Lastly I took the exclude drive all the way down to "USBSTOR&DISK&VEN_SDG*" and that has allowed the drives to show up. My concern now is that any drive from the Vendor SDG will work in these systems, and not just the specific Product 005M.

    Has anyone else run into a similar issue where the exclude list will not work until you drop the excluded from policy item all the way down to the manufacturer?
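
An added example, not part of any post in this thread and not Symantec code: a small audit helper that splits the device ID quoted in the first post into vendor, product, revision and serial, and reports which of those fields each exclusion pattern from the last post actually fixes. It does not model how SEP evaluates the exclusion list; the function names and the `required` default are assumptions made for illustration.

```python
import re

# Field markers as they appear in the IDs quoted in this thread.
FIELD_RE = re.compile(r"(VEN|PROD|REV)_([^&#\\*]*)(\*?)", re.IGNORECASE)
# Serial: the token after REV_x (joined by '#', '\' or '&'), followed by "&<n>".
SERIAL_RE = re.compile(r"REV_[^&#\\*]*[&#\\]([0-9A-Za-z]+)&\d+", re.IGNORECASE)
NAMES = {"VEN": "vendor", "PROD": "product", "REV": "revision"}

# Device ID exactly as quoted in the first post (WPD form, '#' separators).
THREAD_ID = (r"WPDBUSENUMROOT\UMB\2&37C186B&3&STORAGE#VOLUME#_??_USBSTOR#DISK"
             r"&VEN_SDG&PROD_005M&REV_1.00#12345678900000001890&0#")

# The four patterns the last post describes trying, in order.
THREAD_PATTERNS = [
    "USBSTOR&DISK*",
    "USBSTOR&DISK&VEN_SDG&PROD_005M&REV_1.00&12345678900000001890&0",
    "USBSTOR&DISK&VEN_SDG&PROD_005M&REV_1.00*",
    "USBSTOR&DISK&VEN_SDG*",
]

def parse_device_id(device_id):
    """Split a USBSTOR-style ID into vendor/product/revision/serial."""
    fields = dict.fromkeys(("vendor", "product", "revision", "serial"))
    for key, value, _star in FIELD_RE.findall(device_id):
        fields[NAMES[key.upper()]] = value
    match = SERIAL_RE.search(device_id)
    if match:
        fields["serial"] = match.group(1)
    return fields

def pinned_fields(pattern):
    """Map each field named in a pattern to 'exact' or 'prefix'.

    A value followed directly by '*' is only a prefix: 'VEN_SDG*' also
    covers any vendor string that merely starts with 'SDG'.
    """
    pinned = {}
    for key, _value, star in FIELD_RE.findall(pattern):
        pinned[NAMES[key.upper()]] = "prefix" if star else "exact"
    if SERIAL_RE.search(pattern):
        pinned["serial"] = "exact"
    return pinned

def unpinned(pattern, required=("vendor", "product")):
    """List required fields the pattern leaves open (not fixed exactly)."""
    pinned = pinned_fields(pattern)
    return [name for name in required if pinned.get(name) != "exact"]

if __name__ == "__main__":
    print(parse_device_id(THREAD_ID))
    for pattern in THREAD_PATTERNS:
        print(pattern, pinned_fields(pattern), "open:", unpinned(pattern))
```

Run against the thread's patterns, only the vendor-level exclusion leaves both vendor and product open, which is the over-breadth the last post is worried about.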