I have been testing the new DLP 11.0.300 software from a fresh install. The goal is to block USB drives, but have an exception for a specific string of drives using the VID/PID and serial numbers. At this point here is what I have.
McAfee ePO 5.1.3, latest patches.
McAfee Agent 22.214.171.1248
ENS 10.5 With Advanced Threat protection.
i have created a policy that is currentlty blocking ALL USB and Removable Storage devices. I have communication and confirmed that the policy has been applied to my target system. I see the application of the policy in ePO Assigned Policies and in the Registry under HK:LM\Software\McAfee\DLP\Agent\Properties\Policy. I have restarted the target system several times.
When I plug in my test USB stick, it does not block it, as I expect. I have poured over the Deployment Guide, the interwebs and the KB's but nothing has come up.
The full extensions are installed as well as the Software in the Master Repository. The one thing I do not have is a DLP server. So it is direct from the ePO system to the target system.
Can anyone tell me what i am missing?
Thanks for any and all assistance..
We currently used the last DLP agent on our computers here and we don't have this problem you describe.
We also have a rule to block all USB removable devices except some device with a serial number.
Do you have some print screen of your config? Have you checked if the action of the rules was "Block"?
Have a nice day
Thank you for the response.
Quick answer is Yes, it it set to block. I have also set the policy to be used from the top down in my System Tree, so from the My Org down.
In the Rule Set for my USB Rule it is set as follows:
Status = Enabled
Severity = Warrning
end User = Is any user (ALL)
Removable Storage = block USB (my own Definition)
mkirby RSD Definition
Removable Storage Device
Removable Storage Device (Windows)
USB Removable Storage Devices
No Exceptions at this time
Reaction is set to Block and Reporty incident.
From what I have read following McAfee KB 86007, I should have it all set correctly.
I even removed the FRP software from my test device to ensure that only DLP will be involved.
Again thanks for any and all assistance.
In your ePO --> DLP Policy Manager --> Policy Assignment. Nothing in pending changes?
In the McAfee Agent client on your system tray, are you able to open the DLP Endpoint Console? If yes, do you see your Revision ID same as the current?
Are you tried to make a simple rule to block USB removable Storage devices?
In my rule is set like this:
End-User : is any user (ALL)
and Removable Storage : is one of (OR) : Removable storage devices (Windows) and All Sandisk removable storage devices (Windows)
I remove this checkbox too : McAfee DLP Endpoint for Mac OS X
Have a nice day
Thank you SLRV;
That was it. There was a pending change. I activated the Rule Set (again, i had done that previously) then Used the Apply button at the lower right corner to Apply the RPolicy. Rebooted and it worked. Funny thing is that from everywhere I looked this was not mentioned in any documentation.
Cheers we are now working and blocking. On to allowing a series of Serial numbers for a group of USB keys.
Your help was much appreciated. Kudo's given.
I'm glad that correct your problem!
I agree with you, the official documentation has some lack. Beginning, I have some little difficulty to configure the DLP software like you. But now, I think this product is awesome compared to other software to block USB devices.