I currently have EPO 5.3.1 with DLP 9.4.2. I have a block USB rule set up and I am trying to whitelist certain devices by vendor ID and product ID. If I do not enable the whitelist then USB is blocked as it should be. When I enable the whitelist by device definition all USB is able to be used and nothing is blocked.
Does anyone have an idea what I may be doing wrong?
When you say whitelist - are you actually creating a 'Whitelisted plug and play device definition' -or- are you creating a device definition (either plug and play or removable storage) and setting it as an exclusion within the rule?
If you are essentially saying that the 'whitelist' is allowing devices to be attached that it should not be then it sounds like your whitelist definition is too broad and you may need to modify it to be more granular. i.e. if you set a whitelist exclusion for vendor ID + product ID it will allow all devices that reflect that combination as it is not specific to a single device but all USB devices of that vendor/model.
I have only seen one way to create whitelisted items: I edit my rule, then select "Exceptions", then in the left pane I select "Whitelisted Device Definitions", then in the right pane I have "removable storage" set to "is one of (or)" my allowed USB device definition.
There are about 8 devices within that definition I would like allowed, but when I enable this exception on my block USB rule, all USB is able to be used.
It sounds like the latter scenario then - i.e. your definition may be too broad. If you enable the whitelist and then plug in a device that you expect to be blocked and run this command:
wmic diskdrive get caption,pnpdeviceid
This will give you the name of the devices attached to the system as well as the device instance path - which will include the VID/PID that you are using in your definition. If the VID/PID of the devices you expect to be blocked are included in your definition then you will need to use something more granular for your exclusions such as a volume/device serial number. The serial number can be tricky to use in definitions as it is dependent on the device drivers to correctly report them (assuming one even exists). You can verify the serial number by running a Windows utility called 'usbview' which I believe is included in Windows debug tools (you may need to download an AIK package to get this).
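The comparison described above, as an added example that is not part of the original posts: it parses device instance paths and checks each one against an allow list keyed by VID/PID and against one keyed by VID/PID plus serial, so two sticks of the same model can be seen passing the first check while only one passes the second. The sample paths, allow lists and function names are constructed for illustration, and treating an instance ID that contains '&' as "no device-reported serial" is an assumption.

```python
import re

# Constructed device instance paths (illustrative, not taken from the thread).
SAMPLE_PATHS = [
    r"USB\VID_0781&PID_5581\4C530001230101112345",
    r"USB\VID_0781&PID_5581\4C530001230101154321",
    r"USB\VID_0951&PID_1666\6&2A9F3B1C&0&2",
    r"USBSTOR\DISK&VEN_GENERIC&PROD_FLASH_DISK&REV_8.07\0123456789ABCDEF&0",
]

# Hypothetical allow lists standing in for a DLP device definition.
ALLOW_VID_PID = {("0781", "5581")}
ALLOW_SERIAL = {("0781", "5581", "4C530001230101112345")}

# VID/PID pair, optional extra fields such as &MI_00, then the instance ID.
ID_RE = re.compile(
    r"VID_([0-9A-F]{4})&PID_([0-9A-F]{4})(?:&[^\\]*)?\\([^\\]+)$", re.I
)


def parse(path):
    """Return (vid, pid, serial), or None if the path has no VID/PID pair.

    serial is None when the instance ID contains '&'; this example assumes
    that means Windows generated it because the device reported no serial.
    """
    m = ID_RE.search(path.strip())
    if not m:
        return None
    vid, pid, inst = (g.upper() for g in m.groups())
    return vid, pid, (None if "&" in inst else inst)


def audit(paths):
    """Classify each path under VID/PID matching and under serial matching."""
    rows = []
    for p in paths:
        ident = parse(p)
        if ident is None:
            rows.append((p, "unparsed", "unparsed"))
            continue
        by_model = "allow" if ident[:2] in ALLOW_VID_PID else "block"
        by_serial = "allow" if ident in ALLOW_SERIAL else "block"
        rows.append((p, by_model, by_serial))
    return rows


if __name__ == "__main__":
    print("vid/pid  serial   path")
    for path, by_model, by_serial in audit(SAMPLE_PATHS):
        print(f"{by_model:9}{by_serial:9}{path}")
```

Paths that carry no VID/PID pair are reported as unparsed rather than guessed at, so they can be checked by hand.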
I ran the command you provided. The vendor ID and product ID are not on my approved definitions list, and the drive is still allowed to be used.
I couldn't say for certain without looking at your configuration but if what you are describing is accurate then I would recommend getting a support case open for investigation.
Does the same thing happen if you manually create a device definition (as opposed to selecting the option for 'whitelisted device definition') and then select that as an exception?