
DLP Endpoint- Need to Block PCISTOR

Hi Team, 

Today I received an alert that users had copied data from a PC to a USB stick. We did not get the event in the DLP Incident Manager, which is weird, but it was caught in Symantec DLP, so there is a gap in the DLP Endpoint policy, which did not trigger the block. You can check the device instance below; it looks like an SDHC card, so I want to block it through ePO without harming any other devices related to PCISTOR. Do you have any idea how we can restrict this?

Here is the device ID:

Device_Instance_ID=PCISTOR\DISK&VEN_RSPER&PROD_RTS5208LUN0&REV_1.00\0000

 

-Mukesh

 

3 Replies
jsubbura
McAfee Employee

Re: DLP Endpoint- Need to Block PCISTOR

Hi @mukesh13m ,

If you have installed McAfee DLP on the machine it is not recommended to use other DLP solutions on the same machine. 

You would need to configure a storage rule as per the steps below to get this device blocked or monitored:

  1. Log on to the ePolicy Orchestrator 5.x console.
  2. Select Menu, Data Protection, DLP Policy Manager.
  3. In Definitions, click Device Control, Device Definitions.
  4. Click Actions, New, Removable Storage Definition.
  5. Name the definition.
  6. Add the Device Instance ID (Advanced) property and configure the value as PCISTOR\DISK&VEN_RSPER&PROD_RTS5208LUN0&REV_1.00\0000. Change the Comparison to Contains.
  7. Click Save.
  8. Assign this device definition to your Removable storage device rule.

 

Thank you.

Regards,
Jithendran S
McAfee Employee

Re: DLP Endpoint- Need to Block PCISTOR

Hi Jithendran,

Thanks for the reply.

We are using McAfee DLP for the Device Control feature only, not other features.

Also, I have found this KB: https://kc.mcafee.com/corporate/index?page=content&id=KB87194&locale=en_US

and we can exclude PCISTOR instead of the device instance ID. Do you think there will be any impact if I add this policy?

 

Thank you 

Mukesh

jsubbura
McAfee Employee

Re: DLP Endpoint- Need to Block PCISTOR

Hi @mukesh13m ,

You can follow this article too; there is no impact in following it. We advise you to test the policies and then implement them across other machines too.

https://kc.mcafee.com/corporate/index?page=content&id=KB87194&locale=en_US

 

Thank you

Regards,
Jithendran S
McAfee Employee
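
To see what each of the two values discussed in this thread (the full device instance ID and the bare `PCISTOR` enumerator) would match on a test machine before assigning the definition, the following added example lists the instance IDs that contain each value. It is not from the original posts or from McAfee; it assumes Contains behaves as a case-insensitive substring match and that `Get-PnpDevice` is available (Windows 10 / Server 2016 or later), and the function name and the two `EXAMPLE` device IDs are constructed for illustration.

```powershell
# Added example: function name and output columns are hypothetical, not McAfee tooling.
# Assumption: "Contains" is approximated as a case-insensitive literal substring match.
function Test-DeviceDefinitionScope {
    param(
        [Parameter(Mandatory)][string[]]$Value,   # candidate definition values
        [string[]]$InstanceId                     # optional: IDs collected from other machines
    )
    if (-not $InstanceId) {
        # Default input: devices currently present on this machine
        $InstanceId = (Get-PnpDevice -PresentOnly).InstanceId
    }
    foreach ($id in $InstanceId) {
        # Instance ID layout: <enumerator>\<device id>\<instance>
        $parts = $id -split '\\', 3
        foreach ($v in $Value) {
            if ($id.IndexOf($v, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
                [pscustomobject]@{
                    MatchedValue = $v
                    Enumerator   = $parts[0]
                    DeviceId     = $parts[1]
                    Instance     = $parts[2]
                }
            }
        }
    }
}

# The two candidate values from the thread.
$full       = 'PCISTOR\DISK&VEN_RSPER&PROD_RTS5208LUN0&REV_1.00\0000'
$candidates = @($full, 'PCISTOR')

# Constructed sample inventory: the reported reader plus two made-up devices.
$sample = @(
    $full,
    'PCISTOR\DISK&VEN_EXAMPLE&PROD_READER&REV_1.00\0000',       # constructed
    'USBSTOR\DISK&VEN_EXAMPLE&PROD_FLASH&REV_1.00\000001&0'     # constructed
)

# The full ID matches one device; 'PCISTOR' matches both PCISTOR devices.
Test-DeviceDefinitionScope -Value $candidates -InstanceId $sample |
    Sort-Object MatchedValue, DeviceId | Format-Table -AutoSize

# Omit -InstanceId to evaluate the devices present on the local test machine.
Test-DeviceDefinitionScope -Value $candidates | Format-Table -AutoSize
```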