Using ePO 5.3.1 with the DLP Endpoint 10.0 agent installed on a Windows 10 client. I've created a policy that effectively blocks SOME USB hard drives. I used the built-in definition that includes USB, SD, and FireWire, but when I look at Device Manager, some of the hard drives in the office are showing up as SCSI drives. I experimented with adding SCSI as a bus type with no success, and I even added the specific vendor ID. File system types didn't catch them either.
For drives showing up as SCSI devices in Device Manager, how do I make rules that actually recognize them? I've experimented with many different options with no success. I want to make a rule that effectively recognizes the rest of these devices.
Instance ID: SCSI\Disk&Ven_ASMT&Prod_2105\000000
After further troubleshooting and ridiculous amounts of research, I have found a solution to my own problem.
The issue boils down to how Windows 10 views USB 3.0 removable storage using modern enclosures. Rather than storing information in USBSTOR.inf, it uses another file called UASPSTOR.inf, because it uses a completely different driver. When you plug the device in, it will use the driver listed here:
In order to get the device to be recognized by DLP, I created a new Device Class by duplicating the one for CD/DVD drives and simply replaced the GUID with the one at the bottom of the image. Once the device class was created, I was able to point to it in a Device Definition which was then used in the rule I created.
**Late edit:** Note that there is a device class called "SCSI and RAID Controllers" that has the same GUID assigned, but you would need to change its status to "managed" to be able to use it for rules.
Intel Security: Please consider adding this GUID into the DLP catalog by default so that when you select USB bus type, it's included.
To your point, the SCSI device class is already included by default but is left in an unmanaged state. The reason this is done is to avoid complications with legitimate SCSI disks (i.e., boot devices and/or other fixed HDDs/SSDs). DLP rules are reliant on what Windows reports the device to be, so I would recommend being very careful when implementing rules with the SCSI device class managed. For reference, the behavior you are describing is outlined in the following KB article:
Also, for reference, potential issue when managing the SCSI device class:
Is there a way to make a definition that filters by driver? It seems like it would be easier to say that anything using USBStor/UASPStor drivers should be managed.
It's an interesting idea. I don't know the exact call that is being made to Windows to determine the device properties; however, I doubt that it would enumerate the actual driver in use. You can submit that as a product enhancement request here: Intel Security Ideas Forum: Latest
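As an added check that is not part of the thread above (my own script, not McAfee/Intel Security code and not what the DLP agent itself calls), the following PowerShell inventory shows, for every disk Windows currently exposes, the pieces of information the thread turns on: the disk's PnP instance ID (what a DLP Device Definition matches against), the parent device node that enumerated it together with the driver service bound to that parent (USBSTOR for classic USB mass storage, UASPStor for USB 3 UASP enclosures, which is why those disks surface as SCSI\Disk&... instead of USBSTOR\Disk&...), the parent's device-class GUID (the value you would copy into a custom DLP Device Class, rather than reading it off a screenshot), and whether the disk is a boot or system disk (the "legitimate SCSI disks" caveat from the Intel Security reply). It serves both the solution post and the later question about filtering by driver: the driver name is visible to PnP enumeration, but nothing in the thread says DLP consumes it. The cmdlets and property names are the documented ones on Windows 10; the "Note" column heuristic is my own assumption. Run from an elevated PowerShell prompt.

```powershell
# Added example, not from the original thread. Inventory of disk drives with the
# enumerator (parent) devnode, its driver service and class GUID, and boot/system flags.
# Cmdlets/properties are documented Windows 10 ones; the Note heuristic is an assumption.

function Get-DlpDiskInventory {
    foreach ($drive in Get-CimInstance -ClassName Win32_DiskDrive) {
        # PNPDeviceID is the "Device instance path" Device Manager shows,
        # e.g. SCSI\Disk&Ven_ASMT&Prod_2105\000000 for a UASP enclosure.
        $instanceId = $drive.PNPDeviceID

        # The disk devnode itself is always bound to the generic disk class driver;
        # the interesting driver (USBSTOR vs UASPStor) sits on the parent devnode.
        $parentProp = Get-PnpDeviceProperty -InstanceId $instanceId `
                          -KeyName 'DEVPKEY_Device_Parent' -ErrorAction SilentlyContinue
        $parent = $null
        if ($parentProp -and $parentProp.Data) {
            $parent = Get-PnpDevice -InstanceId $parentProp.Data -ErrorAction SilentlyContinue
        }

        # Storage-stack view of the same disk: bus type and boot/system flags.
        $disk = Get-Disk -Number $drive.Index -ErrorAction SilentlyContinue

        # Heuristic classification (assumption, not a DLP rule).
        $note = switch ($parent.Service) {
            'USBSTOR'  { 'classic USB mass storage (USBSTOR.inf)' }
            'UASPStor' { 'USB 3 UASP enclosure, enumerates as SCSI (UASPSTOR.inf)' }
            default    { "other enumerator ($($parent.Service))" }
        }
        if ($disk -and ($disk.IsBoot -or $disk.IsSystem)) {
            $note += ' - BOOT/SYSTEM disk, do not block'
        }

        [pscustomobject]@{
            Disk            = $drive.Index
            Model           = $drive.Model
            InstanceId      = $instanceId          # what a DLP Device Definition matches on
            WmiInterface    = $drive.InterfaceType # e.g. SCSI or USB, as WMI reports it
            BusType         = $disk.BusType        # e.g. USB, SATA, NVMe, as the storage stack reports it
            ParentInstance  = $parent.InstanceId   # the USB device that enumerated this disk
            ParentService   = $parent.Service      # USBSTOR / UASPStor / other
            ParentClass     = $parent.Class        # e.g. USB vs SCSIAdapter
            ParentClassGuid = $parent.ClassGuid    # GUID to reference in a custom DLP Device Class
            Note            = $note
        }
    }
}

# Usage: print the table, then list only disks enumerated by the UASP driver.
$inventory = Get-DlpDiskInventory
$inventory | Format-Table -AutoSize
$inventory | Where-Object ParentService -eq 'UASPStor' |
    Select-Object Disk, InstanceId, ParentClassGuid, Note
```

Before managing the "SCSI and RAID Controllers" class in DLP, compare the ParentClassGuid of the enclosures you want to block against the rows flagged BOOT/SYSTEM: if an internal controller reports the same class GUID, a rule on that class will affect it too, which is the complication the reply warns about.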