Using ePO 5.3.1 with the DLP Endpoint 10.0 agent installed on a Windows 10 client. I've created a policy that effectively blocks SOME USB hard drives. I used the built-in definition that includes USB, SD, and FireWire, but when I look at Device Manager, some of the hard drives in the office are showing up as SCSI drives. I experimented with adding SCSI as the bus type with no success, and I even added the specific vendor ID. File system types didn't catch them either.
For drives showing up as SCSI devices in Device Manager, how do I make rules that actually recognize them? I've experimented with many different options with no success. I want to make a rule that effectively recognizes the rest of these devices.
Instance ID: `SCSI\Disk&Ven_ASMT&Prod_2105\000000`
After further troubleshooting and ridiculous amounts of research, I have found a solution to my own problem.
The issue boils down to how Windows 10 views USB 3.0 removable storage using modern enclosures. Rather than storing information in USBSTOR.inf, it uses another file called UASPSTOR.inf, because it uses a completely different driver. When you plug the device in, it will use the driver listed here:
In order to get the device to be recognized by DLP, I created a new Device Class by duplicating the one for CD/DVD drives and simply replaced the GUID with the one at the bottom of the image. Once the device class was created, I was able to point to it in a Device Definition which was then used in the rule I created.
**Late edit:** Note that there is a device class called "SCSI and RAID Controllers" that has the same GUID assigned, but you would need to change its status to "managed" to be able to use it for rules.
Intel Security: Please consider adding this GUID into the DLP catalog by default so that when you select USB bus type, it's included.
To your point: the SCSI device class is already included by default but is left in an unmanaged state. The reason this is done is to avoid complications with legitimate SCSI disks (i.e. boot devices and/or other fixed HDDs/SSDs). DLP rules rely on what Windows reports the device to be, so I would recommend being very careful implementing rules with the SCSI device class managed. For reference, the behavior you are describing is outlined in the following KB article:
Also, for reference, potential issue when managing the SCSI device class:
Is there a way to make a definition that filters by driver? It seems like it would be easier to say that anything using USBStor/UASPStor drivers should be managed.
It's an interesting idea. I don't know the exact call that is being made to Windows to determine the device properties; however, I doubt that it would enumerate the actual driver in use. You can submit that as a product enhancement request here: Intel Security Ideas Forum: Latest
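To see for yourself which of the two stacks a given enclosure is using, and which setup-class GUID Windows attaches to its controller, the following PowerShell (an added example, not code from the thread or from McAfee/Intel Security) walks every present disk-class PnP device up to its parent and reports the parent's driver service and class GUID. It assumes the built-in `PnpDevice` cmdlets on Windows 10 and the documented `DEVPKEY_Device_*` property keys; the "SCSI and RAID controllers" class GUID `{4d36e97b-e325-11ce-bfc1-08002be10318}` is the standard Windows `SCSIAdapter` setup class, which is what UASPStor.inf registers under. It only reads device properties and says nothing about how the DLP agent itself queries Windows; it is meant to help you decide, before managing the SCSI class, which drives on a host would be caught.

```powershell
# Added example: report which storage driver (USBSTOR vs UASPStor) and which device
# setup class Windows exposes for each attached disk. Run from an elevated PowerShell
# on Windows 10. Read-only; no device state is changed.

# Standard Windows setup-class GUID for "SCSI and RAID controllers" (SCSIAdapter).
$ScsiAdapterClass = [guid]'4d36e97b-e325-11ce-bfc1-08002be10318'

function Get-DevProp {
    # Thin wrapper: return one DEVPKEY value (or $null) for a PnP instance ID.
    param([string]$InstanceId, [string]$KeyName)
    $p = Get-PnpDeviceProperty -InstanceId $InstanceId -KeyName $KeyName -ErrorAction SilentlyContinue
    if ($p) { $p.Data } else { $null }
}

function Get-DiskStackReport {
    # One object per present disk-class device: its own instance ID (the string a
    # device definition would have to match), its parent enumerator's driver service
    # and setup class, and two derived flags for quick filtering.
    Get-PnpDevice -Class DiskDrive -PresentOnly | ForEach-Object {
        $disk   = $_
        $parent = Get-DevProp -InstanceId $disk.InstanceId -KeyName 'DEVPKEY_Device_Parent'
        $svc    = $null; $pClass = $null
        if ($parent) {
            $svc    = Get-DevProp -InstanceId $parent -KeyName 'DEVPKEY_Device_Service'
            $pClass = Get-DevProp -InstanceId $parent -KeyName 'DEVPKEY_Device_ClassGuid'
        }
        $isScsiAdapter = $false
        if ($pClass) { $isScsiAdapter = ([guid]$pClass -eq $ScsiAdapterClass) }

        [pscustomobject]@{
            Disk          = $disk.FriendlyName
            InstanceId    = $disk.InstanceId      # e.g. SCSI\Disk&Ven_ASMT&Prod_2105\... for a UASP enclosure
            ParentDriver  = $svc                  # USBSTOR = legacy bulk-only USB; UASPStor = USB Attached SCSI
            ParentClass   = $pClass
            IsUasp        = ($svc -eq 'UASPStor')
            IsScsiAdapter = $isScsiAdapter        # parent sits in the "SCSI and RAID controllers" class
        }
    }
}

# Usage: list everything, then narrow to the drives that only a managed SCSI class would catch.
$report = Get-DiskStackReport
$report | Format-Table -AutoSize
"`nDisks reached through UASPStor (invisible to a plain USB bus-type rule):"
$report | Where-Object { $_.IsUasp } | Select-Object Disk, InstanceId, ParentDriver | Format-Table -AutoSize
```

The output is also a quick sanity check for the caution raised in the reply above: any entry whose `IsScsiAdapter` is true but whose `IsUasp` is false is a real SAS/RAID-attached disk (possibly the boot volume) that would fall under a managed SCSI device class just as the USB enclosures do.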
Hi everybody, is there any update on this? Any tip? The situation described by ar4nier is no longer applicable, I think, since McAfee has whitelisted the GUIDs of the SCSI and RAID controllers.
As I've explained in this thread: https://community.mcafee.com/t5/Data-Loss-Prevention-DLP/Block-external-USB-HDD-on-WIN10-clients-wit...
the only working configuration for me is to have a Fixed Hard Drive rule blocking everything which is not in the NTFS file system, but it can be worked around. Does anybody have better advice on how to block this kind of device?
Hi DanilaVanilla08, last week I received version 220.127.116.11 of the DLP extension and the 18.104.22.168 client for testing, since they are still in RTS. It works perfectly and blocked the devices I tested with no issue.
The UAS devices are now a built-in definition in ePO.
They told me it will be released to GA in the 2nd or 3rd week of January, so watch out for those in around a month.