Level 7
Message 1 of 11


We are using the latest version of ePO and DLP to manage USB drives. I have the rules configured so that all USB drives get blocked unless I allow a specific storage device. We just received two brand new Canon PowerShot Elph cameras. These cameras don't come up as a USB storage device but as a Plug and Play device. This allows the user to plug the device in, get to the SD card, and bypass the USB Storage Rules block. When I called McAfee, the only help the tech could provide was to create a PnP rule that blocks the PowerShot camera from being accessed through USB. The problem with this is that the SD card is now not available. I was told that I would have to use some type of card reader that would see the SD card as storage.

With more storage devices showing up as PnP devices, we are losing faith in the DLP technology's ability to protect our network from intrusions and to protect our data. If one of the purposes of DLP is to protect data, then why do they allow PnP devices with storage access to USB without some kind of filter? This event also led me to wonder how many more people in our environment are plugging in what I would call storage devices but McAfee classifies as PnP devices.

10 Replies
Reliable Contributor
Message 2 of 11


Are you using host DLP, or are you using Device Control? The sophistication is very different between the two.

What you have bought is, in effect, a USB SD card reader; it's not a USB stick. The two are architecturally very different. Thus you need to control the SD card reader device at the PnP level, whereas you control USB storage differently.

An SD card reader is as different from a USB stick as a DVD drive or a USB-connected sound card.

Level 13
Message 3 of 11


The flaw would be in the logic used and a limited understanding of the product and not necessarily the product itself.

I also agree with SafeBoot in that the architecture is different and needs to be addressed appropriately.

If the requirement is to block all USB devices, and the definition includes only USB bus type, then to me it seems the product is working as expected.

If the requirement is to block or make read-only removable storage devices (irrespective of the bus, with a focus on the storage part), create the definition to include File System based parameters (Type or Access). This will ensure that, irrespective of how the storage device connects to the computer, DLPe will enforce the block or read-only based on the file system.

PnP rules are enforced at a lower level, before the file system is mounted. Depending on the definition, you will block a lot more unintended devices. You would want to understand how this rule works and test it in a test environment before using it.

RSD rules are enforced after the device file system mounts.

Level 10
Message 4 of 11



I would like to offer some actual assistance on this.

Can you find the excerpt from your where the camera mounts and the SD card?

Also, try reading this thread to see if it offers any help

You may have to use something like Compatible ID or Hardware ID to fully restrict these things down.

I also think it's sad that McAfee doesn't offer any sort of whitepapers or how-to's on very common items like MTP devices, SD cards, wireless 3G modems, etc. These are very common devices and DLP can block them, and I would think it would be a great advertisement for the product itself.

Level 11
Message 5 of 11



Support donny!

For many months we haven't been able to block all PnP devices. I checked the unmanaged devices; mine is not there. My problem is as follows: McAfee has no description of how to block all USB devices. I tried to put devices such as USB controllers, etc., under the unmanaged GUIDs. But some models of smartphones (I think Nokia Lumia) have a GUID that is the GUID of the USB controller. It turns out that these smartphones have ceased to be tracked. If, on the contrary, I block the USB controller GUID, the mouse on laptops stops working, because it is connected to the USB controller. Support is habitually silent. Of my 30 requests, assistance was provided for 3. 10% is a very high figure for McAfee. If the task is not solved, then you need to write so that people switch to another DLP with fewer problems during installation and configuration.

We hope for your understanding on the part of McAfee.

My management can't wait endlessly and in the near future will look for similar products. As for the incompetence of my colleagues that technical support referred to: nowhere in any McAfee document is it written that only certified (trained) professionals can use and configure the system.


Level 11
Message 6 of 11


Attempts to block USB devices by vendor/device ID are unimaginable crutches. As far as I know, world practice in information security involves the creation of a blacklist which includes EVERYTHING! If you want to allow something, it is permitted to a specific user, for a specific action. Why can antivirus calmly identify removable media and scan it, and then when the device is connected there are several (1 to 4) security incidents? Does DLP work on other physical principles?

Level 10
Message 7 of 11



You can block USB sticks and external drives using a Removable Storage rule. That is the easiest way.

However, phones and iPads, etc., seem to mount as MTP devices or sometimes as Removable Storage.

I use a PnP rule for Windows Portable Devices with "MTP" in the Device Name to catch those. Just create a PnP rule and set it to Monitor Mode and you should be able to catch these pretty quickly and refine your Device Definition.

For example:

Device Class Name:

Portable Devices

Device Compatible ID:


Device Instance ID:


For example, this is a Samsung Galaxy S2. If you create a device definition using only the Device Compatible ID you can wipe these out, but it's going to miss Apple devices because their Device Compatible ID is

Device Compatible ID:


but the Device name for both the Apples and Samsungs is

Device Name:

MTP USB Device

So kill them both using solely the Device Name containing "MTP"

Level 11
Message 8 of 11


Hi, epository!

I was doing about what you offered. But I need to block all unauthorized devices. I have, for example, 10 registered sticks, which I bought at the nearest shop, but the rest should be blocked if connected.

I'm having the following problem. Most removable devices (smartphones, cameras, ...) are defined by GUID:


This GUID is not an MTP device, but the USB bus. This class of devices includes USB extenders and splitters, USB hubs and USB hubs. I need to block the connection of all removable devices, but if I block this GUID, the mouse on laptops goes off, although they are an uncontrolled device class (somewhere at McAfee I read that if devices are not controlled, they are not blocked). Either they haven't thought it through or they have confused everything: my workers with laptops lined up, saying that their mouse was disconnected. If I block this GUID on computers, then a couple of seconds after applying the policy you get a blue screen of death. I was very pleased to see it!!!!!

In my opinion, the only way to block all removable media is this: first manually enter the USB hub, USB camera, USB drives and other devices into the DLP Endpoint settings. This is done only manually (dumping an incident to a file and importing the file information cannot be considered automation)!!! And this in 2015!!! This can be done only in monitor mode. And only then add all other devices in block mode!!! This must be done separately and manually for each computer. How the developers can imagine this, I don't understand.

In general, the problem of blocking unchecked (disabled) PnP devices is another omission by McAfee.

I'm ready to take it back if someone offers (explains, shows) a way to block ALL unregistered PnP devices.

Level 9
Message 9 of 11


I was able to easily set up MTP and PTP blocking using the Device Compatible IDs. The rule is set up as a "Plug and Play Device Definition" with only the "Device Compatible ID (Advanced)" selected, and the two IDs are "USB\MS_COMP_MTP" and "USB\CLASS_06&SUBCLASS_01&PROT_01".
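An added example (not from this thread, McAfee, or any poster) for checking which PnP devices on a given Windows host the two approaches above would actually match: the Device Name "contains MTP" definition from Message 7 and the MTP/PTP Compatible IDs from Message 9. It assumes Windows 8.1 / Server 2012 R2 or later (the PnpDevice module) and is a local audit only; it reads device properties and changes nothing. Run it on a test machine with the device plugged in before committing a block rule, which is the "Monitor Mode then refine" approach Message 7 describes.

```powershell
# Added example: audit present PnP devices against the definitions discussed in the thread.
# Assumes Windows 8.1+/Server 2012 R2+ (Get-PnpDevice / Get-PnpDeviceProperty).
$CompatibleIdsFromThread = @(
    'USB\MS_COMP_MTP',                    # MTP (Windows Portable Device) devices
    'USB\CLASS_06&SUBCLASS_01&PROT_01'    # PTP (still image / camera) devices
)
$NamePattern = '*MTP*'                    # Device Name "MTP USB Device" (Message 7)

function Get-DlpPnpMatchReport {
    foreach ($dev in Get-PnpDevice -PresentOnly) {
        # Ask for the Compatible ID list explicitly; not every build exposes it on the basic object.
        $compat = (Get-PnpDeviceProperty -InstanceId $dev.InstanceId `
                      -KeyName 'DEVPKEY_Device_CompatibleIds' -ErrorAction SilentlyContinue).Data
        if (-not $compat) { $compat = @() }

        $matchedBy = @()
        foreach ($id in $compat) {
            # -contains compares case-insensitively, as the IDs are not case-sensitive
            if ($CompatibleIdsFromThread -contains $id) { $matchedBy += "CompatibleId:$id" }
        }
        if ($dev.FriendlyName -like $NamePattern) { $matchedBy += 'DeviceName' }

        [pscustomobject]@{
            InstanceId    = $dev.InstanceId
            Class         = $dev.Class          # e.g. WPD, Image, USB, DiskDrive, HIDClass
            FriendlyName  = $dev.FriendlyName
            CompatibleIds = ($compat -join '; ')
            MatchedBy     = ($matchedBy -join ', ')
        }
    }
}

$report = Get-DlpPnpMatchReport

# 1. Devices a definition built from those IDs or that name would catch.
$report | Where-Object { $_.MatchedBy } | Format-Table -AutoSize

# 2. Storage-capable looking devices it would NOT catch: candidates for a separate
#    Removable Storage definition or a further PnP definition (camera readers, hubs, etc.).
$report | Where-Object { -not $_.MatchedBy -and $_.Class -in @('WPD', 'Image', 'USB') } |
    Format-Table -AutoSize
```

Any HID device (mouse, keyboard) that shows up in the first table is a sign the definition is too broad, which is exactly the laptop-mouse failure described in Messages 5 and 8.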

Level 10
Message 10 of 11



I recommend you create definitions and rules to block one device type at a time,

and don't use GUID as your defining factor.

i.e. for USB

create a device definition for USB

Use this in a Removable Storage rule

i.e. for MTP devices.

create a device definition for USB AND Device Name contains "MTP"

Use this in a Plug and Play Windows Portable Device Rule

i.e. Firewire and Bluetooth

I lumped these two together just to save time, in a single definition.

Then create a User Access Group that includes Everyone and Local User...but excludes whatever Security Group you will grant access for USB.

If your work expects you to block everything, it's hard to do unless they give you testing equipment.

Also, I created a Removable Storage Protection rule to copy the name of every file copied off to USB...etc as well.
