We are in the process of testing the USB storage device blocking capabilities of DLP. I created a basic device class that contains the USB bus type and a rule to block the devices when online.
This works fine on our Windows XP systems but there is a problem with those running Windows 7. When connecting a USB storage device to these machines we get a prompt from Windows to format the device. It appears that the filesystem has been locked by DLP but Windows is still trying to mount it.
To go a step further, if you proceed at the prompt to format, Windows can happily erase the drive. Further access to the device is still blocked by DLP.
Any suggestions on working around this issue?
Thanks

on 5/04/11 10:22:32 PM
Does McAfee have a fix for this or are they even aware of it? We are having the same problem with agent version 22.214.171.124. When a blocked drive is plugged in, Windows prompts for a format and will proceed with it if the user clicks OK. The problem we have is that we do not have the option of Windows XP as we are quickly moving the whole organization to Windows 7. If someone could give me a KB number or some "official" form of acknowledgement from McAfee that would help a LOT!
Can you all tell me which type of rule and the parameters you are using to block the device please?
The prompt is a new feature in Windows 7 (not present in Vista and below) that tries to be helpful when presented with a device that it determines has no volumes.
It can be overcome by creating a Plug and Play Device Rule along with a definition with the parameter 'USB Class Code' set to '08h - Mass Storage'. I cannot see a way to remove that prompt via Windows configuration, registry or GPO; however, there may be a way I am unaware of.
McAfee TierIII Support
Data Loss Prevention.
Ok, had a breakthrough yesterday. Looks like this format pop-up only happens if the user has Local Admin rights on the workstation. When logged in as myself, I was getting the pop-up to format because I am a Domain Admin. However, logged in as a regular user with no Local Admin rights, I only got the McAfee pop-up warning me that the device is blocked per DLP rules. Hope this helps some!

Message was edited by: ssaunders on 5/18/11 9:09:09 AM CDT
Try using a Plug and Play device rule with the USB class code set for "08h - Mass storage". This will block the device from being viewed by the client machine so the OS won't prompt for a format.
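The two replies above key the Plug and Play rule on USB interface class 08h (Mass Storage), and the earlier post reports the format prompt only for users with local admin rights. The script below is an added example (not from the thread and not McAfee's code) for checking both on a workstation before rolling the rule out: it lists the attached USB devices whose compatible IDs carry class 08h, which is what such a rule would match, and reports whether the current session holds local admin rights. It assumes only the built-in Win32_PnPEntity WMI class and .NET principal APIs, so it runs on Windows 7 with PowerShell 2.0; the function names are mine.

```powershell
# Added example, not part of the original thread or of the DLP product.
# Lists USB devices exposing interface class 08h (Mass Storage), i.e. the
# devices a Plug and Play rule set to 'USB Class Code = 08h - Mass Storage'
# would match, and reports whether this session has local admin rights.

function Get-UsbMassStorageInterfaces {
    # Windows derives compatible IDs such as USB\Class_08&SubClass_06&Prot_50
    # from the USB interface descriptor; class 08 is Mass Storage.
    $pattern = '^USB\\Class_08(&SubClass_([0-9A-Fa-f]{2}))?(&Prot_([0-9A-Fa-f]{2}))?$'

    $usbDevices = Get-WmiObject -Class Win32_PnPEntity |
        Where-Object { $_.DeviceID -like 'USB\*' -and $_.CompatibleID -ne $null }

    foreach ($dev in $usbDevices) {
        $hit = $dev.CompatibleID | Where-Object { $_ -match $pattern } | Select-Object -First 1
        if (-not $hit) { continue }
        # Re-run the match here so $matches is populated in this scope.
        $null = $hit -match $pattern
        New-Object PSObject -Property @{
            Name         = $dev.Name
            # Instance path: USB\VID_xxxx&PID_xxxx\<serial or generated id>.
            # The last segment is what a serial-number allow rule would key on.
            DeviceID     = $dev.DeviceID
            CompatibleID = $hit
            SubClass     = $matches[2]
            Protocol     = $matches[4]
        }
    }
}

function Test-LocalAdmin {
    # Under UAC a member of Administrators running unelevated gets a filtered
    # token, so this returns False until the session is elevated.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

"Session has local admin rights (elevated): $(Test-LocalAdmin)"
Get-UsbMassStorageInterfaces | Format-Table Name, SubClass, Protocol, DeviceID -AutoSize
```

Run it once with the thumb drive attached and once without to see exactly which entries a class-08h rule would cover. Note that a composite device (for example a phone or a smart-card reader with a storage interface) shows up here too, which is why a blanket class-08h block can collide with serial-number allow rules as later posts in this thread describe.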
I think that the user cannot format his USB key when DLP blocks it.
As an alternative there should be an option, during the rule configuration wizard, that permits selecting whether the user can or cannot format the USB key.
Using a Plug and Play rule to block or prevent "08h - Mass storage" will cause another issue if you use an allow rule based on the thumb drive serial number or any other specialised code to allow it through.
I am also having this issue, and we use serial numbers, which allow storage media that has been registered to be plugged in. So if you create the PnP rule to block Mass Storage, the allow rule will be ignored; it still blocks all media which you allowed.
Hopefully there is a better solution.
I have encountered this issue in version 9.1 and I have been able to check that it doesn't happen in version 9.2 of the HDLP client software.