
DLP 11 device blocking issues

I've spent hours with support and have come to a roadblock with DLP 11 for device control. It's possible support will still come back with a solution, but it's not looking good.

We currently use DLP 9.3 and I've been working to get DLP 11 configured and working in the same manner. My requirement is to block all devices that can get data off our systems, so all USB drives, SD cards, Bluetooth, etc., and be able to add exceptions when needed. Because our old policies were so cumbersome I decided to start from scratch with the policies/rules.

This has been working under DLP 9.3. While configuring and testing DLP 11 I ran into an issue a few weeks ago (still an issue now in part) where it claims to block an SD Card on our Dell Latitude E7440s (Windows 10), but in fact it's not blocking the card. I'd be happy and would prefer to block the actual card reader on all systems, but that existing rule set provided by McAfee DLP is unreliable. I've spent many hours with support (Tier 2) trying to get the SD card to be blocked. We've run their DLP monitoring tool to try to get every byte of information possible to actually block it.

We've tried both Removable Storage Device rules and Plug and Play Device rules; they either did nothing, or claimed to block but didn't actually block. Finally, we created a rule that works. It's a Removable Storage Device rule with the Bus Type as SCSI and the Device Instance ID as SCSI\Disk&Ven_&Prod_SD&Rev_0001\.

I then explained my concerns about how long it took to find the right rule logic to block this SD card, and the possibility of there being other false blocks for other SD cards or USB devices. I was told it's possible there are other false blocks, so I'd need to do thorough testing on all system types and many SD cards and USB drives. And then there's the possibility of a new SD card or USB drive arriving on the market that happens to have this false block issue.

I need DLP 11 to actually block things without jumping through 50 hoops, and to trust it to block future removable devices. So, any ideas? I'm frustrated with DLP 11 to say the least.

5 Replies
McAfee Employee jappell
Message 2 of 6

Re: DLP 11 device blocking issues

Hi Matthew, Can you send me an email on how to reach you? My email is jay_appell@mcafee.com

Re: DLP 11 device blocking issues

Hello,

I have this same issue. We're blocking all USB removable storage, but have encountered some USB3 hard disks which Windows 10 sees as SCSI, so they are not blocked. What can we do to successfully block in this instance? DLP is rendered ineffective otherwise.

We're running ePO 5.9.1 and DLP 11.0.130.242

Cheers,

MR.

mattw2
Level 10
Message 4 of 6

Re: DLP 11 device blocking issues

Just asking... have you tried using the server task that converts 9.3 rules to the new format?

It's called "DLP Policy Conversion" and is disabled by default (as you'd only need to run it once anyway in most circumstances).

In theory, this should bring across the existing rules such that they should work as at present, and save the effort of having to re-create them all from scratch.

With regard specifically to blocking SD cards, I had some issues even on 9.3 to block them, and ended up having to create a couple of device definitions, as it seemed certain Dell models we use were easier to define one way or the other.

So for some models it's based on the Compatible ID "SD\STORAGE" (partial match), and for others it's based on Device Name, and whether it includes "SDHC Card" or "SD Memory Card".

Matt W.

Re: DLP 11 device blocking issues

Hi guys

Exactly the same problem here with the SD cards. Latest version of DLPe 11 and hotfixes, and neither the WPD built-in rule nor creating another one over the Device Friendly Name, for example, works. The pop-up notification triggers fine and shows the "block", but we're still able to access the SD cards. The Incident Manager event also shows the supposed block.

Also spent a couple of hours with support and remote sessions and nothing. They sent me here and told me that we need a custom hotfix for it.

This is a big client and there's more than 400 new laptops (Dell) with the same specs.

Please help. Thanks in advance.

Reliable Contributor Fademidun
Message 6 of 6

Re: DLP 11 device blocking issues

This is how to block all sorts of SD cards irrespective of type/model. Please check this post (https://community.mcafee.com/t5/Data-Loss-Prevention-DLP/Cannot-block-SD-cards-using-built-in-mcafee... ) or read the full details below.

You cannot block SD cards with the built-in definition. This is what you need to do:

New Definition/Rule Set for SD Card RO/BLOCK or whatever you choose

Create new Definitions under Removable Devices, or duplicate the "SD Card readers (windows) [built-in]" definition
Rename or name it "SD Card RO or BLOCK"
Click edit and select Device Instance ID (Advanced)
Create 3 comparisons with "Contain" and the values SD / RIMMPTSK / PCISTOR
Save it

Now go to DLP Rule Set

Under Rule Sets
Create a new rule, fill in all your requirements, then under Removable Storage click to select the newly created "SD Card RO/BLOCK" definition
OK and save

Reaction "Read-Only/BLOCK"

Assign it to a policy, send a WAU, and you should be fine.

Any issues, please post back the error or output result.
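The replies above key their device definitions on different identifiers: the original poster's working rule uses Bus Type SCSI plus a Device Instance ID, mattw2's definitions use the Compatible ID "SD\STORAGE" or a Device Name containing "SDHC Card" / "SD Memory Card", and Fademidun's uses three "Contain" comparisons on the Device Instance ID (SD, RIMMPTSK, PCISTOR). Before trusting any of them, it helps to see exactly which identifiers each disk on a given laptop model presents and which of those criteria would match it. The PowerShell script below is an added example, not from this thread or from McAfee; it lists every present disk-class PnP device with its instance ID, compatible IDs, friendly name and bus type, and flags the criteria that would match. It assumes Windows 10 with the built-in PnpDevice and Storage modules (Get-PnpDevice, Get-PnpDeviceProperty, Get-Disk), an elevated prompt, that DLP's "Contain" comparison is a case-insensitive substring match, and that Get-Disk's Path is the PnP instance ID lower-cased with "\" replaced by "#" (both labelled as assumptions in the code).

```powershell
# Added example (not from the thread or McAfee): report the identifiers that
# DLP device definitions match on, for every present disk device, and flag
# which of the thread's proposed criteria would match each one.
# Assumes Windows 10, elevated PowerShell, PnpDevice + Storage modules.

# Criteria quoted from the replies above.
$InstanceIdContains   = @('SD', 'RIMMPTSK', 'PCISTOR')    # Fademidun's definition
$CompatibleIdContains = @('SD\STORAGE')                    # mattw2, partial match
$FriendlyNameContains = @('SDHC Card', 'SD Memory Card')   # mattw2, device name

function Test-Contains {
    param([string[]]$Values, [string[]]$Patterns)
    # Assumption: DLP "Contain" = case-insensitive literal substring match.
    foreach ($v in $Values) {
        if (-not $v) { continue }
        foreach ($p in $Patterns) {
            if ($v.IndexOf($p, [System.StringComparison]::OrdinalIgnoreCase) -ge 0) {
                return $true
            }
        }
    }
    return $false
}

function Get-DiskDeviceMatches {
    # Get-Disk knows the bus type (SCSI, USB, SD, ...) but keys disks by a
    # device path. Assumption: that path is the PnP instance ID lower-cased
    # with '\' turned into '#', which is how the two views are joined here.
    $disks = Get-Disk -ErrorAction SilentlyContinue

    foreach ($dev in Get-PnpDevice -Class DiskDrive -PresentOnly) {
        $compat = (Get-PnpDeviceProperty -InstanceId $dev.InstanceId `
                    -KeyName 'DEVPKEY_Device_CompatibleIds' `
                    -ErrorAction SilentlyContinue).Data

        $needle  = $dev.InstanceId.ToLowerInvariant().Replace('\', '#')
        $disk    = $disks |
                   Where-Object { $_.Path -and $_.Path.ToLowerInvariant().Contains($needle) } |
                   Select-Object -First 1
        $busType = if ($disk) { [string]$disk.BusType } else { 'n/a' }

        [pscustomobject]@{
            FriendlyName      = $dev.FriendlyName
            BusType           = $busType
            InstanceId        = $dev.InstanceId
            CompatibleIds     = (@($compat) -join ';')
            MatchInstanceId   = Test-Contains @($dev.InstanceId)   $InstanceIdContains
            MatchCompatibleId = Test-Contains @($compat)           $CompatibleIdContains
            MatchFriendlyName = Test-Contains @($dev.FriendlyName) $FriendlyNameContains
        }
    }
}

# Usage: run on each laptop model with the SD card (and any USB drives) inserted.
Get-DiskDeviceMatches | Format-Table -AutoSize -Wrap
```

Read the output two ways. A card reader whose BusType shows as SCSI with no "Match" column set to True is one the definitions above would miss, which is the situation the first two posts describe. Conversely, an internal SSD or USB drive that shows MatchInstanceId True tells you the short "SD" substring is over-matching on that model and an exception will be needed before the rule is rolled out.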
