We have had DLP out in the wild with a 'Block Removable Storage' rule for several months on thousands of machines.
We now need to get a Plug and Play rule in to stop the other methods of data leakage.
I have set a monitor rule on all definitions of a PnP rule and have been bombarded with results. I do not want to kill the machines when I enable this, so how do I know what to ignore?
My main concern is around Universal Serial Bus Controllers, which I guess can be the onboard USB and possibly an external USB hub? Is this true?
I was just wondering how other people use the PnP rule? Yes, we need to block iPhones, yes we need to block other smart phones, but I don't want to keep adding VID/PIDs every time a new device comes out!
What is the best way to do this ?
Many thanks in advance
From what I know, PnP is the 1st layer of rule before removable storage.
Depends on how many machines you are monitoring. I do not think it will overload endpoint machines. The events are triggered into the McAfee Agent, which will periodically send them to the server to keep. The database may be overloaded, but from my previous environment I have 3000 endpoints with a lot of rules and I have not had much of an issue with it. You may see the slowdown of the ePO (my database is on another server).
Default monitor rules are usually for the initial phase, for checking and capturing items that are not inside the allow rule, to trigger for fine tuning of my device control rules. Unless you really need the logs like me, I only monitor those being blocked and those machines that need to monitor everything.
I use PnP rules to block items unable to be identified as removable storage. Example: iPhone, which I just use the wildcard "apple" to block, as I am too lazy to do it one by one, so anything called apple will be blocked. I'm hoping there is no Apple network switch or Apple mouse in use. But bear in mind it will affect a lot of other appliances too, like Samsung: if you use this word it may block the hard disk that resides inside the machine. For me I only block Blackberry and Apple products; the rest being blocked are my cameras or imaging devices.
My way of working is to block all and slowly open it back up.
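An added example (Python, not McAfee's rule syntax or product code) that models what a monitor-mode pass over a device inventory tells you before you enforce a PnP rule: the wildcard vendor-name rules from the reply above also catch the internal Samsung disk and an Apple keyboard, a VID/PID rule catches only the phone, and a class rule on "Universal Serial Bus controllers" catches host controllers and root hubs, which is the asker's concern. Every device entry, ID and serial below is constructed for illustration.

```python
import fnmatch
from dataclasses import dataclass

@dataclass(frozen=True)
class Device:
    instance_id: str   # Windows device instance path (USB\VID_xxxx&PID_xxxx\serial, PCI\..., SCSI\...)
    name: str          # friendly name as shown in Device Manager
    setup_class: str   # Device Manager class, e.g. "Universal Serial Bus controllers"

@dataclass(frozen=True)
class Rule:
    match_on: str      # which Device field the pattern is applied to
    pattern: str       # case-insensitive wildcard pattern (* and ? as in fnmatch)

# Constructed sample inventory for illustration; IDs and serials are made up.
INVENTORY = [
    Device(r"USB\VID_05AC&PID_12A8\00008030-000A", "Apple iPhone", "Portable Devices"),
    Device(r"USB\VID_05AC&PID_0250\1A2B3C", "Apple Keyboard", "Keyboards"),
    Device(r"PCI\VEN_8086&DEV_A12F\3&11583659&0&A0", "Intel(R) USB 3.0 eXtensible Host Controller",
           "Universal Serial Bus controllers"),
    Device(r"USB\ROOT_HUB30\4&1A2B3C4D&0&0", "USB Root Hub (USB 3.0)", "Universal Serial Bus controllers"),
    Device(r"SCSI\DISK&VEN_SAMSUNG&PROD_MZVLB512\4&5D6E7F", "Samsung SSD 970 EVO", "Disk drives"),
    Device(r"USB\VID_04E8&PID_6860\R58M1234", "SAMSUNG Mobile USB Composite Device",
           "Universal Serial Bus controllers"),
]

def matches(rule: Rule, device: Device) -> bool:
    """Case-insensitive wildcard match of the rule pattern against one device field."""
    value = getattr(device, rule.match_on)
    return fnmatch.fnmatchcase(value.lower(), rule.pattern.lower())

def evaluate(rule: Rule, inventory=INVENTORY) -> set:
    """Names of every device the rule would hit: what a monitor-mode rule reports before you block."""
    return {d.name for d in inventory if matches(rule, d)}

def collateral(rule: Rule, intended: set, inventory=INVENTORY) -> set:
    """Devices the rule would block beyond the ones you actually meant to block."""
    return evaluate(rule, inventory) - intended

if __name__ == "__main__":
    phones = {"Apple iPhone", "SAMSUNG Mobile USB Composite Device"}
    for r in (Rule("name", "*apple*"), Rule("name", "*samsung*"),
              Rule("instance_id", r"USB\VID_05AC&PID_12A8*"),
              Rule("setup_class", "Universal Serial Bus controllers")):
        print(f"{r.match_on}={r.pattern!r}: blocks {sorted(evaluate(r))}, "
              f"collateral {sorted(collateral(r, phones))}")
```

Run against your own exported monitor events instead of INVENTORY and the collateral set is the list of things to exclude or narrow (by VID/PID or class) before switching the rule from monitor to block.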