I've spent hours with support and have come to a roadblock with DLP 11 for device control. It's possible support will still come back with a solution, but it's not looking good.
We currently use DLP 9.3 and I've been working to get DLP 11 configured and working in the same manner. My requirement is to block all devices that can get data off our systems, so all USB drives, SD cards, Bluetooth, etc., and be able to add exceptions when needed. Because our old policies were so cumbersome, I decided to start from scratch with the policies/rules.
This has been working under DLP 9.3. While configuring and testing DLP 11 I ran into an issue a few weeks ago (still an issue now in part) where it claims to block an SD Card on our Dell Latitude E7440s (Windows 10), but in fact it's not blocking the card. I'd be happy and would prefer to block the actual card reader on all systems, but that existing rule set provided by McAfee DLP is unreliable. I've spent many hours with support (Tier 2) trying to get the SD card to be blocked. We've run their DLP monitoring tool to try to get every byte of information possible to actually block it.
We've tried both Removable Storage Device rules and Plug and Play Device rules; they either did nothing, or claimed to block but didn't actually block. Finally, we created a rule that works. It's a removable storage device rule with the Bus type as SCSI and the Device Instance ID as SCSI\Disk&Ven_&Prod_SD&Rev_0001\.
I then explained my concerns about how long it took to find the right rule logic to block this SD card, and the possibility of there being other false blocks for other SD cards or USB devices. I was told it's possible there are other false blocks, so I'd need to do thorough testing on all system types and many SD cards and USB drives. And then there's the possibility of a new SD card or USB drive arriving on the market that happens to have this false block issue.
I need DLP 11 to actually block things without jumping through 50 hoops, and to trust it to block future removable devices. So, any ideas? I'm frustrated with DLP 11, to say the least.
Hi Matthew, Can you send me an email on how to reach you? My email is jay_appell@mcafee.com
Hello,
I have this same issue. We're blocking all USB removable storage, but have encountered some USB3 hard disks which Windows 10 sees as SCSI, so are not blocked. What can we do to successfully block in this instance? DLP is rendered ineffective otherwise.
We're running ePO 5.9.1 and DLP 11.0.130.242
Cheers,
MR.
Just asking... have you tried using the server task that converts 9.3 rules to the new format?
It's called "DLP Policy Conversion" and is disabled by default (as you'd only need to run it once anyway in most circumstances).
In theory, this should bring across the existing rules such that they should work as at present, and save the effort of having to re-create them all from scratch.
With regards specifically blocking SD Cards, I had some issues even on 9.3 to block them, and ended up having to create a couple of device definitions, as it seemed certain Dell models we use were easier to define one way or the other.
So for some models it's based on the Compatible ID "SD\STORAGE" (partial match), and for others it's based on the Device Name, if it includes "SDHC Card" or "SD Memory Card".
Matt W.
Hi guys
Exactly the same problem here with the SD cards. Latest version of DLPe 11 and hotfixes, and neither the WPD built-in rule nor creating another one over the Device Friendly Name, for example, works. The pop-up notification triggers fine and shows the "block", but we're still able to access the SD cards. The Incident Manager event also shows the supposed block.
Also spent a couple of hours with support and remote sessions and nothing. They sent me here and told me that we need a custom hotfix for it.
This is a big client and there's more than 400 new laptops (Dell) with the same specs.
Please help. Thanks in advance.
This is how to block all sorts of SD cards irrespective of type/model. Please check this post (https://community.mcafee.com/t5/Data-Loss-Prevention-DLP/Cannot-block-SD-cards-using-built-in-mcafee... ) or read the full details below.
You cannot block SD cards with the built-in definition. This is what you need to do:
New Definition/Rule Set for SD Card RO/BLOCK or whatever you choose
Create new Definitions under Removable Devices, or duplicate the "SD Card readers (windows) [built-in]" definition
Rename it or name it "SD Card RO or BLOCK"
Click edit and select Device Instance ID (Advanced)
Create 3 Comparisons with "Contain" and "Value" SD/RIMMPTSK/PCISTOR
Save it
Now go to DLP Rule Set
Under Rule Sets
Create a new rule, fill in all your requirements, then under Removable Storage click to select the newly created "SD Card RO/BLOCK" definition
OK and save
Reaction "Read-Only/BLOCK"
Assign it to a policy, send a WAU, and you should be fine
Any issue, please post back the error or output result
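As an added example (not code from this thread or from McAfee DLP), the PowerShell below audits a Windows 10 laptop for the identifiers the definitions in this thread compare against: the three "Contain" values on the Device Instance ID from the post above, the "SD\STORAGE" Compatible ID partial match mentioned earlier, and the enumerator (USBSTOR, SCSI, SD) that decides whether a USB3 disk shows up as SCSI. It assumes the built-in PnpDevice module and an elevated session; the function names and the device-class list are my own choices.

```powershell
# Added example, not from the thread or McAfee: list what the DLP device definitions
# discussed above would match on this machine, before the policy is assigned.
# Assumes Windows 10 with the PnpDevice module (Get-PnpDevice / Get-PnpDeviceProperty).
$ContainValues        = @('SD', 'RIMMPTSK', 'PCISTOR')   # "Contain" comparisons from the post
$CompatibleIdFragment = 'SD\STORAGE'                     # partial Compatible ID match from the thread

function Get-MatchingValues {
    param([string]$Text, [string[]]$Values)
    # Return the comparison values a "Contain" test would match against $Text
    # (-like is case-insensitive, as the DLP comparison is in practice).
    $Values | Where-Object { $Text -like "*$_*" }
}

function Get-DlpDeviceIdAudit {
    # Device classes that cover card readers, disks and media-transfer (WPD) devices.
    $classes = @('DiskDrive', 'SDHost', 'WPD')
    $devices = Get-PnpDevice -PresentOnly -ErrorAction SilentlyContinue |
        Where-Object { $_.Class -in $classes }

    foreach ($dev in $devices) {
        $props = @{}
        foreach ($key in 'DEVPKEY_Device_CompatibleIds', 'DEVPKEY_Device_EnumeratorName') {
            $p = Get-PnpDeviceProperty -InstanceId $dev.InstanceId -KeyName $key -ErrorAction SilentlyContinue
            $props[$key] = @($p.Data) -join ';'
        }
        [pscustomobject]@{
            FriendlyName    = $dev.FriendlyName
            Class           = $dev.Class
            Enumerator      = $props['DEVPKEY_Device_EnumeratorName']   # USBSTOR, SCSI, SD, ...
            InstanceId      = $dev.InstanceId
            InstanceIdHits  = (Get-MatchingValues $dev.InstanceId $ContainValues) -join ','
            CompatibleIdHit = $props['DEVPKEY_Device_CompatibleIds'] -like "*$CompatibleIdFragment*"
        }
    }
}

# Rows with an empty InstanceIdHits and CompatibleIdHit = False are devices a definition
# built from these comparisons would not cover, e.g. a USB3 disk enumerated under SCSI.
Get-DlpDeviceIdAudit | Sort-Object Enumerator | Format-Table -AutoSize
```

Run it on each laptop model before trusting a rule fleet-wide; a device that appears in the Incident Manager as "blocked" but shows no hit here is the mismatch this thread describes.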