cancel
Showing results for 
Search instead for 
Did you mean: 

DLP 11.0.300.842 Policy applied and not blocking

I have been testing the new DLP 11.0.300 software from a fresh install.  The goal is to block USB drives, but have an exception for a specific string of drives using the VID/PID and serial numbers.  At this point here is what I have.

McAfee ePO 5.1.3, latest patches.
McAfee Agent 5.0.5.658
DLP 11.0.300.842
ENS 10.5 With Advanced Threat protection.

i have created a policy that is currentlty blocking ALL USB and Removable Storage devices.  I have communication and confirmed that the policy has been applied to my target system.  I see the application of the policy in ePO Assigned Policies and in the Registry under HK:LM\Software\McAfee\DLP\Agent\Properties\Policy.  I have restarted the target system several times.

When I plug in my test USB stick, it does not block it, as I expect.  I have poured over the Deployment Guide, the interwebs and the KB's but nothing has come up. 

The full extensions are installed as well as the Software in the Master Repository.  The one thing I do not have is a DLP server.  So it is direct from the ePO system to the target system. 

Can anyone tell me what i am missing?

Thanks for any and all assistance..

5 Replies

Re: DLP 11.0.300.842 Policy applied and not blocking

Hello Undrstr,

We currently used the last DLP agent on our computers here and we don't have this problem you describe.

We also have a rule to block all USB removable devices except some device with a serial number.

Do you have some print screen of your config? Have you checked if the action of the rules was "Block"?


Have a nice day

Highlighted

Re: DLP 11.0.300.842 Policy applied and not blocking

Thank you for the response.

Quick answer is Yes, it it set to block.  I have also set the policy to be used from the top down in my System Tree, so from the My Org down.  

In the Rule Set for my USB Rule it is set as follows:

Status = Enabled
Severity = Warrning
end User = Is any user (ALL)
Removable Storage = block USB (my own Definition)
                                      mkirby RSD Definition
                                      Removable Storage Device
                                      Removable Storage Device (Windows)
                                      USB Removable Storage Devices

No Exceptions at this time

Reaction is set to Block and Reporty incident.

From what I have read following McAfee KB 86007, I should have it all set correctly. 

I even removed the FRP software from my test device to ensure that only DLP will be involved. 

Again thanks for any and all assistance.

Re: DLP 11.0.300.842 Policy applied and not blocking

Hello Undrstr,

In your ePO --> DLP Policy Manager --> Policy Assignment. Nothing in pending changes?

In the McAfee Agent client on your system tray, are you able to open the DLP Endpoint Console? If yes, do you see your Revision ID same as the current?

Are you tried to make a simple rule to block USB removable Storage devices?

In my rule is set like this:
End-User : is any user (ALL)
and Removable Storage : is one of (OR) : Removable storage devices (Windows) and All Sandisk removable storage devices (Windows)

I remove this checkbox too : McAfee DLP Endpoint for Mac OS X

Have a nice day

Re: DLP 11.0.300.842 Policy applied and not blocking

Thank you SLRV;

 

That was it.  There was a pending change.  I activated the Rule Set (again, i had done that previously) then Used the Apply button at the lower right corner to Apply the RPolicy.  Rebooted and it worked.  Funny thing is that from everywhere I looked this was not mentioned in any documentation.

Cheers we are now working and blocking.  On to allowing a series of Serial numbers for a group of USB keys. 

 

Your help was much appreciated.  Kudo's given. 

Re: DLP 11.0.300.842 Policy applied and not blocking

Hello Undrstr,

I'm glad that correct your problem!

I agree with you, the official documentation has some lack. Beginning, I have some little difficulty to configure the DLP software like you. But now, I think this product is awesome compared to other software to block USB devices.

Best regards

More McAfee Tools to Help You
  • Subscription Service Notification (SNS)
  • How-to: Endpoint Removal Tool
  • Support: Endpoint Security
  • eSupport: Policy Orchestrator
  • Community Help Hub

      New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

    • Find Forum FAQs
    • Learn How to Earn Badges
    • Ask for Help
    Go to Community Help

    Join the Community

      Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

    • Get helpful solutions from McAfee experts.
    • Stay connected to product conversations that matter to you.
    • Participate in product groups led by McAfee employees.
    Join the Community
    Join the Community