
DLP Consistently inconsistent in application of USBSTOR rule

I have an implementation of HDLP on ePO 4.5 to restrict USB thumb drive access to only two specific brands and models.

My rule was created to identify both specific Verbatim encrypted USB drives by VID:PID, and apply the rule to a list of users brought in from Active Directory.

In some cases, a restricted user logs in, inserts an unapproved drive and it is blocked. Rule works as designed.  When the same user inserts an approved encrypted drive, they can access the "cd-drive" portion and log into the drive.  Everything works as originally designed.

However, this behavior is not consistent.  Another user logs into the same workstation. His login is also in the restricted user list, but he attempts to use an authorized encrypted drive.  On insertion of the USB drive into the port, everything looks the same as the previous scenario. The user can access the "cd-drive" portion, and when the software starts, the user gets an immediate block message, and now has no access to the "approved" encrypted drive.

Both of these users are in the restricted user group within ePO DLP, and the enabled radio button is checked, which should force the full rule to apply to both users.

I am baffled why the rule would work for some users but not others on the same workstation.

Any ideas?

3 Replies

Re: DLP Consistently inconsistent in application of USBSTOR rule


This issue is hot, and will decide if we use McAfee HDLP or go with another vendor.  Any ideas?

Re: DLP Consistently inconsistent in application of USBSTOR rule

Do the users have different privileges on the same computer? I have hit a problem launching the encryption application on USB when the user does not have local administrator access level.

Re: DLP Consistently inconsistent in application of USBSTOR rule

Just as a followup:

The solution was found when I looked at the DLP Monitor, and examined what was being logged at the failure point.

The Verbatim encrypted drives display a ProductID of 5555 when you use USBView, the product recommended in the install directions.  When I wrote the Device Definition, I only included what USBView had given me about the devices.

The error/problem was, when the Secure_Drive software was opened on the "CDROM" portion of the USB drive, it had a different ProductID.

I added the second ProductID for each allowed USB drive, and then saved and Applied the rule again.  After a push out to the agents, my test subjects were able to use the USB drives they were allowed to use, and not use the ones they were not.

I have to thank the folks in support that helped me through finding my error.  THANK YOU!!!
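
The check described in the follow-up above, as an added example that is not part of the original thread: a Python sketch that compares USB device instance IDs seen during monitoring against the device definition and lists product IDs from an approved vendor that the definition does not yet contain. The vendor ID `AAAA`, the second product ID `BBBB` and the observed ID strings are constructed placeholders; only `5555` comes from the thread.

```python
import re
from collections import defaultdict

# Windows USB device instance IDs have the form USB\VID_xxxx&PID_yyyy\<serial>.
ID_RE = re.compile(r"USB\\VID_([0-9A-F]{4})&PID_([0-9A-F]{4})", re.IGNORECASE)


def parse_vid_pid(instance_id):
    """Return (VID, PID) in upper-case hex, or None for non-USB IDs."""
    m = ID_RE.search(instance_id)
    return (m.group(1).upper(), m.group(2).upper()) if m else None


def missing_product_ids(allowed, observed_ids):
    """Map each approved vendor ID to the PIDs observed but not in the definition.

    A hit is a candidate for review, not an automatic addition: a different
    PID from the same vendor may also be a different, unapproved product.
    """
    allowed_vids = {vid for vid, _ in allowed}
    gaps = defaultdict(set)
    for instance_id in observed_ids:
        pair = parse_vid_pid(instance_id)
        if pair is None:
            continue  # e.g. USBSTOR\... entries carry no VID/PID
        if pair[0] in allowed_vids and pair not in allowed:
            gaps[pair[0]].add(pair[1])
    return {vid: sorted(pids) for vid, pids in gaps.items()}


# Device definition as first written: only the PID reported at insertion.
ALLOWED = {("AAAA", "5555")}  # VID is a constructed placeholder

# Constructed sample of instance IDs, as they might appear in monitoring data.
OBSERVED = [
    r"USB\VID_AAAA&PID_5555\0123456789",   # drive at insertion
    r"USB\VID_AAAA&PID_BBBB\0123456789",   # same drive after its software opens
    r"USB\VID_CCCC&PID_0001\XYZ",          # unrelated, unapproved vendor
    r"USBSTOR\Disk&Ven_Example&Prod_Drive\0123",
]

if __name__ == "__main__":
    for vid, pids in missing_product_ids(ALLOWED, OBSERVED).items():
        print(f"VID {vid}: PIDs seen but not in definition: {', '.join(pids)}")
```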