Endpoint Protection

  • 1.  SEP11 Application Device Control SD Card Storage

    Posted May 01, 2012 04:58 AM

    Hi All SEPer's,

    I have implemented a policy to block USB Mass Storage while allowing some Mass Storage Devices, and this has been successful. 

    The next piece of work I have been asked to do is to block SD Cards. I have tried adding the following Device ID's (sourced via Dev Viewer). 

    1) STORAGE\REMOVABLEMEDIA* Does not work. I have got this deviceID from the generic volume device for the SD card. 

    2) SD* Does not work. 

    3) SCSI\DISK* Works but there is a problem. We run a VMware workstation fleet (winXP) as well and the primary drive's (i.e. C:) deviceID is 

    SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000100. While I can put a rule in to exclude this deviceID, I have reservations about putting a block rule on a primary drive and then unblocking it.

    Firstly I would like to know why the deviceID rule for STORAGE\REMOVABLEMEDIA* is not working? 

    Secondly am I right in being nervous about blocking using the deviceID SCSI\DISK*? Has anyone else done this and has a VMWare workstation fleet?

    Details on our environment;

    OS WinXP SP3

    SEP Client Versions mixed; SEP11.5 RU2 to SEP11.6 RU3

    SEPM SEP11.6 RU3

     

    Thanks in advance.

     

     

     



  • 2.  RE: SEP11 Application Device Control SD Card Storage

    Posted May 01, 2012 06:16 AM

    Can you post a screenie of this device from DevViewer please?  I'm curious how this is being reported.

    Also, can you advise what is listed under the 'Hardware' tab if you look at the properties of the SD Reader via 'Control Panel' -> 'Devices and Printers'?



  • 3.  RE: SEP11 Application Device Control SD Card Storage

    Posted May 01, 2012 06:57 AM

    For the Smart Card Reader, use the below internal ID

     

    Smart Card Readers Class: {50dd5230-ba8a-11d1-bf5d-0000f805f530}

    Below link will also help you in this case

    How Symantec Endpoint Protection Device Control processes Windows device GUIDs and device IDs.

    http://www.symantec.com/docs/HOWTO60964

    DevViewer - a tool for finding hardware device ID for Device Blocking in Symantec Endpoint Protection

    http://www.symantec.com/docs/TECH103401

     

    One more link:

    https://www-secure.symantec.com/connect/downloads/devviewer-tool-helpful-application-and-device-control-find-hardware-device-id-and-guid

    The attached links will help guide you in creating the policy easily.



  • 4.  RE: SEP11 Application Device Control SD Card Storage

    Trusted Advisor
    Posted May 01, 2012 07:31 AM

    Hello,

    Check this Article:

    How to Block or Allow Devices in Symantec Endpoint Protection

    http://www.symantec.com/docs/TECH175220

    How to Block unwanted Memory Cards

    https://www-secure.symantec.com/connect/articles/how-block-unwanted-memory-cards

    In SEP, wildcards are not supported on Class IDs.

    For a list of Class IDs, click here.

    Secondly, I would advise you to make sure you migrate the SEPM and SEP clients to the latest version of SEP 11.0 RU7 MP1 and then to SEP 11.0 RU7 MP2. 

    Hope that helps!!



  • 5.  RE: SEP11 Application Device Control SD Card Storage

    Posted May 01, 2012 09:25 PM

    Thanks all for your feedback; I will have a read of the links provided. 

    SMLatCST, screen as requested.

     

    Some other information that I thought would be of value. 

    I am using the Application Control and a Files and Folders Rule to control the devices, using wild cards to allow devices. In further testing I have done, I have been able to block the SD card using the "Only match files on the following devices id type" then selecting the 'Removable drive (floppy drive, USB drive, etc)'. However, when we plugged in our allowed device (IronKey Thumbdrive) the application and device control policy popup message said it was blocked. I was however able to access the IronKey, unlock it and access the secure partition. So the popup was a false positive message. 

    Mithun Sanghavi, we are developing a Win7(64) MOE and as part of that we will be upgrading to SEP12 ASAP. 

     



  • 6.  RE: SEP11 Application Device Control SD Card Storage

    Posted May 02, 2012 03:27 AM


  • 7.  RE: SEP11 Application Device Control SD Card Storage

    Posted May 02, 2012 04:31 AM

    First off, I do agree that looking at it, your initial configuration to block devices with the device id

    STORAGE\REMOVABLEMEDIA\*

    should (in theory) work.  Given that it doesn't though, and the SCSI\DISK does work, can you confirm a few further bits and pieces?

    Are you trying to block these O2Micro SD readers only (perhaps they are present on all your laptops?) or SD cards in general?  If the former, then there's no reason you can't use the device id:

    SCSI\DISK&VEN_O2MICRO*

    for your blocking instead.  Doing so will mean that you shouldn't need to worry about your VMs.
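
    The scoping question discussed in this thread, as an added example that is not part of any original post: it checks which inventoried device IDs a wildcard rule would touch before the rule is deployed, and which devices stay usable only because of an exclusion. It assumes `*` matches any run of characters case-insensitively and that the exclusion list is evaluated before the block list; both are modelling assumptions, not SEP's documented engine. Only the VMware device ID comes from the thread, the other two are constructed.

```python
import re

# Device IDs as DevViewer would list them. Only the VMware ID is taken from
# the thread; the other two are constructed for illustration.
INVENTORY = {
    "VM system disk": r"SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000100",
    "O2Micro SD reader": r"SCSI\DISK&VEN_O2MICRO&PROD_SD_READER\CONSTRUCTED0001",
    "USB flash drive": r"USBSTOR\DISK&VEN_EXAMPLE&PROD_FLASH\CONSTRUCTED0002",
}

def matches(pattern, device_id):
    """Assumed semantics: '*' matches any run of characters, case-insensitive."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, device_id, re.IGNORECASE) is not None

def hits(pattern, inventory):
    """Names of every inventoried device a pattern would touch."""
    return [name for name, dev in inventory.items() if matches(pattern, dev)]

def decide(device_id, block, exclude):
    """Assumed precedence: the exclusion list is checked before the block list."""
    if any(matches(p, device_id) for p in exclude):
        return "excluded"
    if any(matches(p, device_id) for p in block):
        return "blocked"
    return "allowed"

def relies_on_exclusion(inventory, block, exclude):
    """Devices that stay usable only because an exclusion rule exists."""
    return [name for name, dev in inventory.items()
            if decide(dev, block, exclude) == "excluded"
            and decide(dev, block, []) == "blocked"]

if __name__ == "__main__":
    # Broad rule plus exclusion, then the vendor-scoped rule from the reply above.
    for block, exclude in [
        ([r"SCSI\DISK*"], [r"SCSI\DISK&VEN_VMWARE*"]),
        ([r"SCSI\DISK&VEN_O2MICRO*"], []),
    ]:
        print("block:", block, "exclude:", exclude)
        for name, dev in INVENTORY.items():
            print(f"  {name:18} {decide(dev, block, exclude)}")
        print("  relies on exclusion:", relies_on_exclusion(INVENTORY, block, exclude))
```

    A non-empty "relies on exclusion" list for a system disk is the situation the original poster was nervous about; the vendor-scoped pattern leaves that list empty.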



  • 8.  RE: SEP11 Application Device Control SD Card Storage

    Posted Jul 15, 2012 05:07 AM

    If your requirement is fulfilled, then mark the helpful document as the solution, so it helps others also.