Showing results for 
Search instead for 
Did you mean: 

DLP 9.1 Enabling PnP rule

Hi All,

We have had DLP out in the wild with a 'Block Removeable Storage ' rule  for several months on thousands of machines.

We not need to get Plug and Play rule in to stop the other methods of data leakage.

I have set a monitor rule on all definitions of a PNp rule and have been bombared with results. I do not want to kill the machines when I enable this so how do I know what to ignore ?

My main concern is around Universal Serial Bus Controllers which I guess can be the onboard USB and possibly an external USb hub ? Is this true ?

I was just wondering how other people us the PnP rule ? Yes , we need to block Iphones, yes we need to block other smart phones but I don't want to keep added VID/PID's everytime a new device comes out !

What is the best way to do this ?

Many thanks in advance


1 Reply

Re: DLP 9.1 Enabling PnP rule


from what i know PNP is the 1st layer of rule before removeable storage.

Depends how many machines are you monitoring. I do not think it will overload endpoint machines. The events are trigger into the McAfee Agent which will periodically send to server for keep. Database may be overload but from my previous environment i have 3000 endpoints with alot of rules i have not much of an issue with it. You may see the slow down of the epo (my database is on another server).

Default monitor rule are usually for initial phrase for checking and capture items that is not inside the allow rule to trigger for fine tuning of my device control rules. Unless you really need the logs like me. I only monitor those being block and those machine need to monitor everything.

I use pnp rules to block items unable to indentify as removeable storage. Example iPhone. which i just use wildcard apple to block as i am too lazy to do it one by one. so anything call apple will be block. I hoping there is not apple network switch or apple mouse in used. But bear in mind it will effect alot of other applicance too like samsung you use this word it may block harddisk that is reside inside the machine. for me i only block Blackberry n Apple product rest are beign block are my cameras or imaging device.

My work way it to block all and slowly open it back.

More McAfee Tools to Help You
  • Subscription Service Notification (SNS)
  • How-to: Endpoint Removal Tool
  • Support: Endpoint Security
  • eSupport: Policy Orchestrator
  • Community Help Hub

      New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

    • Find Forum FAQs
    • Learn How to Earn Badges
    • Ask for Help
    Go to Community Help

    Join the Community

      Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

    • Get helpful solutions from McAfee experts.
    • Stay connected to product conversations that matter to you.
    • Participate in product groups led by McAfee employees.
    Join the Community
    Join the Community