Endpoint Protection


SEP11 Application & Device Control problem: USB set to Read Only w/ Write exemptions DOES NOT WORK

  • 1.  SEP11 Application & Device Control problem: USB set to Read Only w/ Write exemptions DOES NOT WORK

    Posted Mar 04, 2011 10:55 AM

    Hi there.

    This is causing me a major headache. I have a call logged with Symantec and they are not getting very far with this either (ref. 414112147). I have 1500 clients that urgently require this functionality.

    - USB devices must be set to read only.

    - With certain devices exceptions set to allow write using the VID/PID combination with wildcards.

    It's really that simple.

    I am aware of how to edit the Hardware Devices through Policy Components. I am using DevViewer to take the following and amend it with the wildcard (yes, I have tried without the wildcard also):

    USB\VID_090C&PID_1000\*

    I am also aware that the App & Dev Control component must be installed on the endpoint client - it is. It is also 32bit Win XP SP3 (so fully compatible).

    When editing the default "Make all removable drives read-only" rule in the Application Control element of the policy (all I need to do is add my exclusion to the "Do not apply to the following files and folders" rule section under the "Block writing to all files and folders" condition), the device is not exempted. Write access is blocked along with all other non-exempted devices which contradicts what I have set.

    I am able to make this work with the Device Control section of the policy. But I do not have options here to make the devices read only, only block all USB which I do not want to do.

    Different devices with different VID/PID combinations have the same effect. My VID/PIDs are correct.

    I can see the policy serial number in SEPM and the endpoint (they match).

    Versions are SEPM 11.0.6005.562 / endpoint 11.0.6200.754 (so the endpoint is more up to date).

    Can anybody assist?



  • 2.  RE: SEP11 Application & Device Control problem: USB set to Read Only w/ Write exemptions DOES NOT WORK

    Posted Mar 04, 2011 11:10 AM

    this not working


    How to make USB drives read-only with Symantec Endpoint Protection using Application and Device Control


    http://www.symantec.com/connect/forums/need-info-about-structure-symantec-quarantine-files-vbn



  • 3.  RE: SEP11 Application & Device Control problem: USB set to Read Only w/ Write exemptions DOES NOT WORK

    Posted Mar 04, 2011 11:46 AM

    You also need to ensure that you have PTP and NTP installed.

    You can attach a copy of your testing policy to this thread and we can take a look to see if there are any discrepancies.



  • 4.  RE: SEP11 Application & Device Control problem: USB set to Read Only w/ Write exemptions DOES NOT WORK

    Trusted Advisor
    Posted Mar 04, 2011 12:15 PM

    Hello Rafeeq,

    I believe you wanted to pinpoint on the Symantec KB articles as below:

    How to block USB Thumb Drives and USB Hard Drives, but allow specific USB Drives in the Application and Device Control Policy in Symantec Endpoint Protection.

    http://www.symantec.com/business/support/index?page=content&id=TECH138570&actp=search&viewlocale=en_US&searchid=1299258802261

    How to make USB drives read-only with Symantec Endpoint Protection using Application and Device Control

    http://www.symantec.com/business/support/index?page=content&id=TECH95813&actp=search&viewlocale=en_US&searchid=1299258802261




  • 5.  RE: SEP11 Application & Device Control problem: USB set to Read Only w/ Write exemptions DOES NOT WORK

    Posted Mar 07, 2011 07:00 AM

    @KurtG

    The only element of SEP that is not installed on the endpoint is AV Email Protection.  Both NTP and PTP are installed along with the App and Dev Control feature.  So this is not my issue.

    @Mithun

    TECH95813 only mentions making devices Read Only.  It does not discuss adding exempt devices.

    TECH138570 is more promising as section E) describes EXACTLY what I want to do and also what I have done.  It does not work.

    I will attach a copy of the policy soon but it is no different to what section E) mentions above.

    Symantec have just advised me that:

    "As deny always takes precedence over allow the policy will not work. In order to achieve the goal we have to take a different approach of implementation/configuration of SEP client."

    So it is not possible to configure this.  Instead I have been told to re-implement SEP in user mode and when users require write access to USB sticks move them into an "admin" group that allows them full access!  I certainly won't be following this advice any time soon as it sounds like an administration nightmare.

    BUT...

    If deny takes precedence over allow, then why does it work when I set up the policy in Device Control mode to block all but allow some (which is no good, remember I want to make devices read only not be totally blocked)?  I assume this is the difference between hardware level protection and application level (like NTFS permissions)?

    Very disappointing.



  • 6.  RE: SEP11 Application & Device Control problem: USB set to Read Only w/ Write exemptions DOES NOT WORK

    Posted Mar 07, 2011 03:04 PM

    1.) Add the USB you want to allow WRITE access to your Hardware Device List
        (Policies - Policy Components - Hardware Devices - Add Hardware Device)

    2.) For the policy - Under Application Control check
        "Make all removable drives read-only"
        Then "Block writing to removable media"
        Then "Block writing to all files and folders"
        For Actions - your Read Attempt continues processing;
        Create, Delete, or Write will be Blocked

    3.) Under Device Control - Add the USB you added in Step 1 to the Devices Excluded from Blocking
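    An added example (not from any poster or from Symantec) that models the two behaviours discussed in this thread: a SEP-style device ID pattern with a `*` wildcard (as in the original post's `USB\VID_090C&PID_1000\*`) is matched against sample device instance IDs, then the same devices are evaluated once under the "deny always takes precedence over allow" semantics quoted in reply 5, and once under the exclusion approach of the steps above, where the exempt device is taken out of the rule's scope before the deny is applied. The device IDs, the case-insensitive matching and both evaluation models are assumptions for illustration.

```python
import re

# Constructed sample device instance IDs, in the form DevViewer / Device Manager
# shows them. The first two match the pattern from the original post.
SAMPLE_DEVICE_IDS = [
    r"USB\VID_090C&PID_1000\AA04012700007905",
    r"USB\VID_090C&PID_1000\0123456789",
    r"USB\VID_0781&PID_5567\4C530001230218112345",
    r"USB\VID_0951&PID_1666\001CC0EC34E5BB40",
]

# Devices that should keep write access (the post's pattern, with its wildcard).
WRITE_EXEMPT_PATTERNS = [r"USB\VID_090C&PID_1000\*"]


def pattern_to_regex(pattern):
    """Turn a SEP-style device ID pattern into a regex: '*' matches any run of
    characters, everything else ('\\', '&', ...) is literal. Matching is
    case-insensitive (assumption: Windows device IDs are not case-sensitive)."""
    literal_parts = (re.escape(p) for p in pattern.split("*"))
    return re.compile("^" + ".*".join(literal_parts) + "$", re.IGNORECASE)


def is_write_exempt(device_id, patterns=WRITE_EXEMPT_PATTERNS):
    return any(pattern_to_regex(p).match(device_id) for p in patterns)


def decide_deny_wins(device_id, patterns=WRITE_EXEMPT_PATTERNS):
    """Model of what the thread reports: the blanket read-only rule and the
    write exception both apply to the exempt device, and deny wins."""
    verdicts = {"deny"}  # the read-only rule fires for every removable drive
    if is_write_exempt(device_id, patterns):
        verdicts.add("allow")  # the exception also fires, but cannot override deny
    return "read-only" if "deny" in verdicts else "read-write"


def decide_exclusion(device_id, patterns=WRITE_EXEMPT_PATTERNS):
    """Model of the workaround in the steps above: exempt devices are removed
    from the rule's scope first, so no deny is ever produced for them."""
    return "read-write" if is_write_exempt(device_id, patterns) else "read-only"


def evaluate(device_ids, decide):
    """Return {device_id: 'read-only' | 'read-write'} under the given model."""
    return {d: decide(d) for d in device_ids}


if __name__ == "__main__":
    for name, model in (("deny-wins", decide_deny_wins), ("exclusion", decide_exclusion)):
        print(name)
        for dev, verdict in evaluate(SAMPLE_DEVICE_IDS, model).items():
            print(f"  {verdict:10} {dev}")
```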



  • 7.  RE: SEP11 Application & Device Control problem: USB set to Read Only w/ Write exemptions DOES NOT WORK

    Posted Mar 07, 2011 03:29 PM

    Under Application Control - Make all removable drives read-only - Block writing to removable media (as well as Block writing to all files and folders)

    add your writeable USB to "Do Not Apply this rule to the following processes".  screenshot attached:




  • 8.  RE: SEP11 Application & Device Control problem: USB set to Read Only w/ Write exemptions DOES NOT WORK

    Posted Mar 08, 2011 08:42 AM

    @justscott

    Thanks but that is exactly what I am doing.

    In theory this is correct, but can anybody actually confirm it is working?  Because I can't (and nor can Symantec!).



  • 9.  RE: SEP11 Application & Device Control problem: USB set to Read Only w/ Write exemptions DOES NOT WORK

    Posted Mar 08, 2011 09:09 AM

    and it's working.  2 additional differences that I have in place that TECH138570 does not state (or recommend) are that I DO combine both application and device settings by placing my exception USB in excluded devices under device control.  Secondly, I add an exception for my USB under Application Control under both the Rule and Conditions: Block writing to removable media and the condition Block writing to all files and folders.

    Could you attach screenshots?  I'll put together my policy



  • 10.  RE: SEP11 Application & Device Control problem: USB set to Read Only w/ Write exemptions DOES NOT WORK

    Posted Mar 23, 2011 05:02 AM

    Hi,

    I want to block all USB drives but wanted to permit read-only access, but to implement the same, I am facing difficulties.

    These are my Scenarios

    1. Block all USB Flash Drives and HDD drives but wanted to permit read-only access to folders & files

    2. There are different kinds of USB data cards, like TATA Photon+, Reliance etc., available in the market; if I block the USB drive (device id: 36fc9e60-c465-11cf-8056-444553540000), then it stops responding, so please help me with what kind of policy to apply.

    3. Also wanted to block writing to mobile phone USB drives also.

    Can anyone help me on this?

    Thanks,

    Partha



  • 11.  RE: SEP11 Application & Device Control problem: USB set to Read Only w/ Write exemptions DOES NOT WORK

    Posted Mar 23, 2011 06:11 AM

    Just wanted to say that I have not had a chance to do this again just yet (Sym advised I try this, it didn't work for me).  But I will prepare screens if you standby.  Sorry for delay.