Former Member
Message 1 of 7

DLP - Block built-in SD Card Reader

Hi.

I need help with blocking the built-in card reader (PCI bus) in Lenovo T440/450. Some environment info: ePO 5.3.1, DLP 9.3.400.60.

I tried many options suggested on the forum and in McAfee's KBs, but none of them worked.

Already tried the following: Using Device compatible ID, Device Instance ID, Device Name, PCI vendor ID/Device ID.

From all this only Device Instance ID blocked the following (but SD was still accessible):

Device Class GUID: EEC5AD98-8080-425F-922A-DABF3DE3F69A

Device Class Name: Portable Devices

Device Name: D:\

Device Compatible ID: wpdbusenum\fs

Device Instance ID: WPDBUSENUMROOT\UMB\2&37C186B&0&STORAGE#VOLUME#_??_PCISTOR#DISK&VEN_REALSIL&PROD_RTS5208LUN0&REV_1.00#0000#

Has anyone succeeded in blocking something similar to this?

6 Replies
Former Member
Message 2 of 7

Re: DLP - Block built-in SD Card Reader

Never tried blocking this through DLP, but it probably can be disabled in the BIOS. Depending on how many PCs you have out there, it may take a while if it's in the hundreds.

Former Member
Message 3 of 7

Re: DLP - Block built-in SD Card Reader

Hey Leonid,

Some troubleshooting steps:

  1. Go to "Agent Configuration" -> "Miscellaneous" and verify that "Device Blocking" is checked.
  2. Are you able to block any other devices or is it just this that is not being blocked?
  3. Is this rule being applied using AD group membership? Try assigning the rule to a single user.
Former Member
Message 4 of 7

Re: DLP - Block built-in SD Card Reader

Hi Leonid,

How are you blocking the devices, based on user or based on system? If you are blocking based on system, check whether the rule is applied or not.

If you are blocking based on user, check whether the user is included or excluded.

cheers

jagadeesh.

bretzeli
Reliable Contributor
Message 5 of 7

Re: DLP - Block built-in SD Card Reader

Hi,

First, this will be no easy task. The cheapest solution is to hire a person to UNPLUG the USB card reader cable (clean inside 😉), OR if you are in a BANK, UNPLUG and CUT it so employees can't attach it again themselves inside the PC.

We did this under DLP 9.3 with HP MEDIACARD22in1 etc. in DESKTOP and it was horror.

The only working solution was to:

* Install software like devmgr where you see all components from USB and hubs

* Then "No Joke" 1) Put a MEDIA (SD card) into the SLOT 2) On the mainboard itself UNPLUG and then PLUG the media card reader USB cable. (Physically open the box)

* ONLY then do you get the right events and Device IDs

Try anything else > You think it's working but fail....

We spent almost 1 month debugging this because a larger customer who promised to physically disable the media card readers did NOT. Worst case, they have BitLocker/TPM, so we now can't JUST unplug the cable without changing the BitLocker configs.

You may have to solve this with Laptop Card Readers but there the effort will be ok.

Greetings

a Mcafee TIE fan

Former Member
Message 6 of 7

Re: DLP - Block built-in SD Card Reader

I did a presentation on DLP configuration a while ago and just posted it.

Kyle Taylor – increasing your security posture using mc afee epo

Maybe you will have some tips there...I know the Ricoh SD card reader POSTS frequently giving a large number of false-positives.

Also..some SD card readers are wired into the internal USB Hub...so they mount as USB....

then there are cameras

We used Compatible IDs to get them.

Fademidun
Reliable Contributor
Message 7 of 7

Re: DLP - Block built-in SD Card Reader

This is how to block all sorts of SD cards irrespective of type/model. Please check this post (https://community.mcafee.com/t5/Data-Loss-Prevention-DLP/Cannot-block-SD-cards-using-built-in-mcafee... ) or read full details below.

You cannot block SD card with built-in definition. This is what you need to do

New Definition/Rule Set for SD Card RO/BLOCK or whatever you choose

  1. Create a new definition under Removable Devices, or duplicate the "SD Card readers (windows) [built-in]" definition
  2. Rename or name it "SD Card RO or BLOCK"
  3. Click edit and select Device Instance ID (Advanced)
  4. Create 3 comparisons with "Contain" and "Value" SD/RIMMPTSK/PCISTOR
  5. Save it

Now go to DLP Rule Set

  1. Under Rule Sets, create a new rule and fill in all your requirements, then under Removable Storage click to select the newly created "SD Card RO/BLOCK" definition
  2. OK and save
  3. Reaction "Read-Only/BLOCK"
  4. Assign to a policy and send WAU and you should be fine

Any issue please post back error or output result
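
A dry run of the three "Contain" values from the steps above against device instance IDs, as an added example that is not part of the original post or of McAfee's tooling. It assumes the comparison behaves as a case-insensitive substring test; the function name is hypothetical, and all sample IDs except the first (quoted from the question) are constructed.

```powershell
# Added example: check which instance IDs the values SD / RIMMPTSK / PCISTOR
# would match. Assumption: matching is a case-insensitive substring test.
function Test-InstanceIdMatch {
    param(
        [Parameter(Mandatory)][string[]]$InstanceId,
        [string[]]$Value = @('SD', 'RIMMPTSK', 'PCISTOR')
    )
    foreach ($id in $InstanceId) {
        # Collect every value that occurs anywhere in this instance ID
        $hits = @($Value | Where-Object {
            $id.IndexOf($_, [System.StringComparison]::OrdinalIgnoreCase) -ge 0
        })
        [pscustomobject]@{
            Matched    = $hits.Count -gt 0
            Values     = $hits -join ','
            InstanceId = $id
        }
    }
}

# First ID is the one quoted in the question; the others are constructed samples.
$sample = @(
    'WPDBUSENUMROOT\UMB\2&37C186B&0&STORAGE#VOLUME#_??_PCISTOR#DISK&VEN_REALSIL&PROD_RTS5208LUN0&REV_1.00#0000#',
    'SD\VID_00&OID_0000&PID_EXAMPLE&REV_0.0\CONSTRUCTED0001',
    'SCSI\DISK&VEN_EXAMPLE&PROD_SSD_MODEL\CONSTRUCTED0002',
    'USB\VID_0000&PID_0000\CONSTRUCTED0003'
)
Test-InstanceIdMatch -InstanceId $sample | Format-Table -AutoSize -Wrap

# On a test endpoint, run the same check over the devices actually present.
if (Get-Command Get-PnpDevice -ErrorAction SilentlyContinue) {
    $present = Get-PnpDevice -PresentOnly
    Test-InstanceIdMatch -InstanceId $present.InstanceId |
        Where-Object Matched | Format-Table -AutoSize -Wrap
}
```

The bare value SD also matches any ID that merely contains those two letters, such as the constructed SSD sample, so review the matched list on a test machine before assigning the policy.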
