
DLP Device Rule Not Blocking USB SCSI Devices

Using ePO 5.3.1 with DLP Endpoint 10.0 agent installed on a Windows 10 client. I've created a policy that effectively blocks SOME USB hard drives. I used the built-in definition that includes USB, SD, and FireWire, but when I look at Device Manager, some of the hard drives in the office are showing up as SCSI drives. I experimented with adding SCSI as bus type with no success, and I even added the specific vendor ID. File system types didn't catch either.

For drives showing up as SCSI devices in Device Manager, how do I make rules that actually recognize them? I've experimented with many different options with no success. I want to make a rule that effectively recognizes the rest of these devices.

Instance ID: SCSI\Disk&Ven_ASMT&Prod_2105\000000

Hardware Ids:

SCSI\DiskASMT____2105____________0___

SCSI\DiskASMT____2105____________

SCSI\DiskASMT____

SCSI\ASMT____2105____________0

ASMT____2105____________0

GenDisk

5 Replies

Re: DLP Device Rule Not Blocking USB SCSI Devices

After further troubleshooting and ridiculous amounts of research, I have found a solution to my own problem.

The issue boils down to how Windows 10 views USB 3.0 Removable Storage using modern enclosures. Rather than storing information in USBSTOR.inf, it uses another file called UASPSTOR.inf due to the fact that it uses a completely different driver. When you plug the device in, it will use the driver listed here:

[Image: uaspstor Device Mgr.JPG]

In order to get the device to be recognized by DLP, I created a new Device Class by duplicating the one for CD/DVD drives and simply replaced the GUID with the one at the bottom of the image. Once the device class was created, I was able to point to it in a Device Definition which was then used in the rule I created.

**Late Edit** Note that there is a device class called SCSI and Raid Controllers that has the same GUID assigned, but you would need to change the status to "managed" to be able to use it for rules.

Intel Security: Please consider adding this GUID into the DLP catalog by default so that when you select USB bus type, it's included.
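To see what Windows reports for each disk (the values the post above reads from Device Manager), the following PowerShell lists every present disk drive together with its parent controller's driver service and device class GUID. This is an added example, not part of the original post or of the DLP product; the helper name `Get-PnpProp` is hypothetical, and treating a parent instance ID that starts with `USB\` as "USB-attached" is an assumption of this sketch.

```powershell
# Added example: inventory disk drives and the controller each one hangs off.
# Requires the PnpDevice module (Windows 8 / Server 2012 or later).

function Get-PnpProp {
    # Hypothetical helper: return one PnP property value, or $null if unset.
    param(
        [Parameter(Mandatory)] [string] $InstanceId,
        [Parameter(Mandatory)] [string] $KeyName
    )
    $prop = Get-PnpDeviceProperty -InstanceId $InstanceId -KeyName $KeyName `
                                  -ErrorAction SilentlyContinue
    if ($prop) { $prop.Data }
}

function Get-DiskControllerInfo {
    Get-PnpDevice -Class DiskDrive -PresentOnly | ForEach-Object {
        $diskId   = $_.InstanceId
        $parentId = Get-PnpProp -InstanceId $diskId -KeyName 'DEVPKEY_Device_Parent'

        $service = $null; $class = $null; $classGuid = $null
        if ($parentId) {
            # Driver service of the parent, e.g. USBSTOR or UASPStor for USB enclosures
            $service   = Get-PnpProp -InstanceId $parentId -KeyName 'DEVPKEY_Device_Service'
            $class     = Get-PnpProp -InstanceId $parentId -KeyName 'DEVPKEY_Device_Class'
            $classGuid = Get-PnpProp -InstanceId $parentId -KeyName 'DEVPKEY_Device_ClassGuid'
        }

        [pscustomobject]@{
            FriendlyName    = $_.FriendlyName
            DiskInstanceId  = $diskId
            # Bus the disk itself is enumerated on (SCSI for UAS enclosures)
            DiskEnumerator  = Get-PnpProp -InstanceId $diskId -KeyName 'DEVPKEY_Device_EnumeratorName'
            ParentId        = $parentId
            ParentService   = $service
            ParentClass     = $class
            ParentClassGuid = $classGuid
            # Assumption: a parent enumerated by the USB bus means an external USB disk
            UsbAttached     = [bool]($parentId -like 'USB\*')
        }
    }
}

# Disks that report a SCSI bus type but are physically connected over USB
Get-DiskControllerInfo |
    Where-Object { $_.UsbAttached -and $_.DiskEnumerator -eq 'SCSI' } |
    Format-List
```

Running `Get-DiskControllerInfo` without the filter also shows internal disks, which makes it easy to check whether a fixed boot disk shares the same parent class GUID before changing a device class to managed.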

McAfee Employee hhoang

Re: DLP Device Rule Not Blocking USB SCSI Devices

ar4nier,

To your point - the SCSI device class is already included by default but is left in an unmanaged state.  The reason this is done is to avoid complications with legitimate SCSI disks (i.e. boot devices and/or other fixed HDD/SSD).  DLP rules are reliant on what Windows reports the device to be - I would recommend being very careful implementing rules with the SCSI device class managed.  For reference, the behavior you are describing is outlined in the following KB article:

McAfee KnowledgeBase - UAS devices are not detected in Data Loss Prevention Endpoint

Also, for reference, potential issue when managing the SCSI device class:

McAfee KnowledgeBase - Computer crashes after installing Data Loss Prevention Endpoint 9.3.x on Wind...

Re: DLP Device Rule Not Blocking USB SCSI Devices

Is there a way to make a definition that filters by driver? It seems like it would be easier to say that anything using USBStor/UASPStor drivers should be managed.

McAfee Employee hhoang

Re: DLP Device Rule Not Blocking USB SCSI Devices

It's an interesting idea. I don't know the exact call that is being used to Windows to determine the device properties; however, I doubt that it would enumerate the actual driver in use. You can submit that as a product enhancement request here: Intel Security Ideas Forum: Latest

Re: DLP Device Rule Not Blocking USB SCSI Devices

Hi everybody, is there any update on this? Any tip? The situation described by ar4nier is no longer applicable, I think, since McAfee has whitelisted the GUIDs of the SCSI and RAID controllers.

As I've explained in this thread: https://community.mcafee.com/t5/Data-Loss-Prevention-DLP/Block-external-USB-HDD-on-WIN10-clients-wit...

The only working configuration for me is to have a Fixed Hard Drive rule blocking everything which is not on an NTFS file system, but it can be worked around. Does anybody have better advice on how to block this kind of device?
