Showing results for 
Search instead for 
Did you mean: 

DLP - In General

USB blocking - how can this be implemented?

Do we really need the VID and PID of each device?

Can we restrict these devices to domain users or single machines?

I have gone thru the training, but I am afraid the implementation plan I have conceived is not the most efficient and the amount of hand-jamming I am prediciting........

Anyone successfully implemented DLP and got any tips on pre-implementation?

Also, USBView, where do we get that software?

5 Replies

Re: DLP - In General


Was told that DCM should only be used for USB devices since it uses IIS for some portion of it i.e. Bluetooth/Firewire blocking may not work because ePo uses Apache.

Also, DCM can be added to your standard desktop baseline, but DCM is not supported for server platforms.....yet.

Recommend people wanting to disable wireless/Bluetooth/Firewire investigate the devcon utillty from Microsoft.....especially if you have a large environment.  Perhaps implement it in a startup script.

Level 12
Report Inappropriate Content
Message 3 of 6

Re: DLP - In General

I'm not a product expert but I've moved this thread to the Host DLP area as opposed to the group, so that this thread would get more visibility. Should it go in Network DLP?


Re: DLP - In General

What data protection s/w you are using exactly?

You can control your USBs in many ways! The main thing is you want to monitor what type of USBs are used in your organization or you want to protect data which can be copied to an USB. If you are concerned about data then you have to go with a definition which tells DLP - look for USBs with file system.

VID/PID is used when you are particular about bloicking a specific type of devices.

Hope that clarifies!

- AB

Re: DLP - In General

We are using DCM which is a scaled down version of DLP in that it only allows device type restrictions.

We are rolling out our rules on top of a GPO that disables/enabled USB storage on specific computers.

The DCM rules will actually go out over that and allow by serial number but because of the way and size of our Enterprise, locking devices down to a specific machine isnt very feasible.

It looks like we are just going to go by a serial number whitelist that lets all exempted devices work on every exempted machine.

Wish there were a bit more granularity i.e. Policy creation for DCM would have fields for specific machines and serial number of device and logged on user....etc.  Instead of entering serial numbers, adding the rule to policy then applying the policy to a group of machines.

Not user friendly.

Message was edited by: epository on 4/1/10 11:52:31 AM CDT

Re: DLP - In General

If you want to go for a group of machines rather than users - you can apply computer based policies from the directory tree...You can apply the rules to group of systems or a single of users or a single user.....

Still looking for granular

- AB

More McAfee Tools to Help You
  • Subscription Service Notification (SNS)
  • How-to: Endpoint Removal Tool
  • Support: Endpoint Security
  • eSupport: Policy Orchestrator