PAA
Level 8
Message 11 of 21

Re: Block only Bluetooth Data Transfer

I agree with you, but it appears DLP cannot do it at this time as you would expect. I like the idea of the guy that suggested to follow the MSM technique but implement it directly in the Registry through the use of keys that allow or block lower-level Bluetooth protocols by UUID. But that is another team in my org.

krburkley
Level 9
Message 12 of 21

Re: Block only Bluetooth Data Transfer

It appears that DLP is correctly blocking the files transferred via Bluetooth while allowing headsets to work appropriately when utilizing the original PnP rule (with Win 1809).

PAA
Level 8
Message 13 of 21

Re: Block only Bluetooth Data Transfer

That solution in KB90690 only works for certain versions of Windows 10. What if you have a mixed environment? Does it require maintaining a separate tree structure for each version of Windows, or can both instructions be combined somehow?

PAA
Level 8
Message 14 of 21

Re: Block only Bluetooth Data Transfer

On top of that, it does not block. The DLP notification popup triggers, but the Actual Action = No Action and Failure Reason: Bypass mode.

krburkley
Level 9
Message 15 of 21

Re: Block only Bluetooth Data Transfer

I also have this exact problem. Yet another McAfee community article I come across with no resolution. Can we get a resolution to this problem?

IanMFE
Level 8
Message 16 of 21

Re: Block only Bluetooth Data Transfer

I resolved this myself outside of McAfee by using the Microsoft Policy CSP. We don't have the MDM, but you can define the registry keys via GPO and you get the same result. It requires a bit of customization for your environment, but it does work.

See below for details.

https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-bluetooth#bluetooth-servic...

pdufault
Level 7
Message 17 of 21

Re: Block only Bluetooth Data Transfer

Do you have an example of the regkeys used for this? It would be super helpful, as we don't have the MDM either.

IanMFE
Level 8
Message 18 of 21

Re: Block only Bluetooth Data Transfer

The regkey is located in:

HKLM\Software\Microsoft\PolicyManager\default\Bluetooth\ServicesAllowedList

RegSZ = value

i.e. the name of the registry string value is 'value', and value = the list of Bluetooth services that you want to allow. By default it's all services, but when you create this key, you define all of the allowed services.

The Bluetooth services allowed list usage guide (below) contains a list of possible values (however, I've found some aren't in that list but can be found via Device Manager on an affected device).

https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-bluetooth#servicesallowedl...

As an example, if I only wanted to allow Bluetooth classic keyboards and mice my regkey would be:

value={0000**omitted**-00805F9B34FB};{0000**omitted**-00805F9B34FB};

There's a way to get that key to take without a reboot, but I can't recall what it is, so reboot for this to take effect.
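The following PowerShell is an added example, not code from the thread: it builds the semicolon-separated, braced UUID string the post describes, writes it to the HKLM ServicesAllowedList key and value name quoted above, and reads it back so you can audit whether the allow-list is actually in force (an absent policy means every service, file transfer included, is permitted). The service IDs passed in the example run are constructed placeholders; the 128-bit expansion uses the standard Bluetooth base UUID that ends in the 00805F9B34FB suffix shown in the post.

```powershell
# Added example, not from the original post. Run from an elevated prompt.
# Key path and value name as given in the post above.
$KeyPath = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\default\Bluetooth\ServicesAllowedList'

function ConvertTo-BluetoothServiceUuid {
    # Accepts a 16-bit short service ID (4 hex digits) or a full 128-bit UUID
    # and returns the braced form the policy expects, e.g. {0000XXXX-0000-1000-8000-00805F9B34FB}.
    # Short IDs are expanded with the standard Bluetooth base UUID.
    param([Parameter(Mandatory)][string]$ServiceId)
    if ($ServiceId -match '^[0-9A-Fa-f]{4}$') {
        return ('{{0000{0}-0000-1000-8000-00805F9B34FB}}' -f $ServiceId.ToUpper())
    }
    if ($ServiceId -match '^\{?[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}?$') {
        return '{' + ($ServiceId -replace '[{}]', '').ToUpper() + '}'
    }
    throw "Not a valid Bluetooth service UUID: $ServiceId"
}

function Set-BluetoothAllowedServices {
    # Writes the allow-list. Anything not listed here (e.g. the file transfer
    # services) is no longer offered, which is the behaviour the post relies on.
    param([Parameter(Mandatory)][string[]]$ServiceIds)
    $value = (($ServiceIds | ForEach-Object { ConvertTo-BluetoothServiceUuid $_ }) -join ';') + ';'
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    New-ItemProperty -Path $KeyPath -Name 'value' -PropertyType String -Value $value -Force | Out-Null
    return $value
}

function Get-BluetoothAllowedServices {
    # Audit helper: returns the allowed UUIDs, or $null when the policy is absent
    # (i.e. all Bluetooth services are still allowed on this machine).
    if (-not (Test-Path $KeyPath)) { return $null }
    $raw = (Get-ItemProperty -Path $KeyPath -Name 'value' -ErrorAction SilentlyContinue).value
    if ([string]::IsNullOrWhiteSpace($raw)) { return $null }
    return ($raw.TrimEnd(';') -split ';')
}

# Example run. '1234' and 'ABCD' are constructed placeholders: replace them with
# the service class IDs for the devices you want to keep working (from the
# ServicesAllowedList doc linked above or from Device Manager, as the post says).
$applied = Set-BluetoothAllowedServices -ServiceIds @('1234', 'ABCD')
Write-Host "Wrote: $applied"
$current = Get-BluetoothAllowedServices
if ($null -eq $current) { Write-Warning 'No allow-list in force: all Bluetooth services permitted.' }
else { Write-Host "Allowed services now: $($current -join ', ')" }
```

Deploy the same value through a GPO registry preference if you do not have MDM, as the post suggests, and run the audit function on endpoints to confirm the policy landed rather than trusting the GPO report alone.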

jsubbura
McAfee Employee
Message 19 of 21

Re: Block only Bluetooth Data Transfer

Hi @krburkley  / @IanMFE ,

The BTH\MS_RFCOMM protocol is used by both Audio (I/O) and File transfer in Windows.

For the microphone to work, add 'BTH\MS_RFCOMM' as an exception in your Bluetooth Block rule, and use ENS AP (McAfee Endpoint Security -> Access Protection rule) to block 'fsquirt.exe'.

So using McAfee ENS we can block the execution of fsquirt.exe, which is responsible for file transfer over Bluetooth.

KB91976 will be updated in a while along with this information.
Thank you.
Regards,
Jithendran S
McAfee Employee
IanMFE
Level 8
Message 20 of 21

Re: Block only Bluetooth Data Transfer

Thanks for the update @jsubbura. WRT blocking fsquirt.exe: what happens if I rename fsquirt.exe to letmetransfer.exe?

You can block fsquirt.exe with Windows GPOs as well, but the problem is that if you rename it, you can still transfer files. The only real working solution I've found is removing the File Transfer services from the Bluetooth Allowed Services definition.
