I am trying to tweak an existing rule to allow a certain group access to their cd\rom when they logon and deny all others.
I am using DLP 188.8.131.522
The events come in with the information showing the drive has been blocked, even for those I want to be able to access.
I have tried entering the information from this event to allow access, without success.
Event Generated Time (Endpoint): 3/30/2011 2:35:08 PM
Event Generated Time (UTC): 3/30/2011 7:35:08 PM
Computer Name: KFNBMOBILE18
Associated Rules: Executive Block Removeable Mass Storage except CD
Agent Action(s): Block, Monitor, Notify User
Agent Version: 184.108.40.2062
Policy Name: DLP Security Policy
Policy Time (UTC): 3/30/2011 7:20:18 PM
Connection State: Online
Device Class GUID: 4D36E965-E325-11CE-BFC1-08002BE10318
Device Class Name: DVD/CD-ROM drives
Device Name: HL-DT-ST DVD-ROM DU10N
Device Compatible ID: GenCdRom
Device Instance ID: IDE\CDROMHL-DT-ST_DVD-ROM_DU10N__________________1.05____\4&3341A3E&0&0.1.0
Bus Type: IDE
Device File-System Access: Read - Only
Volume Label: CD1
Volume Serial Number: 249E-FCDF
Device File System Type: CDFS
I did not see a way to add the device class GUID or the device serial number.
I have added the class name, device name, device compatable id, device instance id
I would really appreciate any help.