Not sure if this is possible or if anyone has ever tried it.
I would like to block the currently plugged-in device on a computer in the event that malware has been detected (or detected multiple times within a defined time) on that device. So this is a combination of DLP, AV, policies and automatic responses I guess, but I haven't found anything yet.
Preferably the user should get an on-screen notification and the ePO administrator an email.
We usually allow USB devices for some computer assignment groups, but I would like to have an immediate response and action in the event that device is infected.
Yes it should be possible.
Open your DLP Policy console, add a new Removable Media Storage Device rule. Configure that rule to include any USB device (device definition) and set the action to block (don't assign it to any group for now).
Create a new automatic response for threat events. In the filter, you can specify the following:
Detecting product name: VirusScan
Threat Category: Malware
Threat Handled equals False (optional).
This will force automatic responses to trigger when a malware event isn't handled (when not removed by the antivirus).
In the actions, select Run System Command and assign the newly created policy to that host.
Add another action, select Run System Command again and select Wake Up (to force the policy update on the client).
Add another action, select Send Email and configure the email to be sent (make sure that you have an email server configured under your Server Settings).
VirusScan should alert the user automatically upon detecting malware (if configured in the alert policy).
On top of these actions, you can create new "Access Protection" VirusScan policies and prevent the machine from communicating via HTTP/FTP and also lock shares. Then assign this policy using the automatic response tool. I would also recommend adding an on-demand scan task to your list of actions.
Hope this helps
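The filter and trigger logic of the automatic response described in the answer above, as an added example that is not part of the original thread and not ePO's own code. It evaluates constructed threat-event records (the field names, hosts and timestamps are assumptions, not an ePO export format) against the three filter criteria (detecting product VirusScan, category Malware, Threat Handled = False), and goes one step beyond the answer by adding the "multiple times within a defined time" aggregation the question asked for: a host only triggers the response once a threshold of matching events falls inside a sliding window. With threshold=1 it behaves exactly like the single-event response in the answer.

```python
"""Simulate an ePO-style automatic response: filter threat events, aggregate per host,
and plan the response actions (policy assignment, agent wake-up, admin email)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample threat events; field names are assumptions, not the real ePO schema.
SAMPLE_EVENTS = [
    {"received": "2015-03-02T09:00:05", "host": "WS-014",
     "product": "VirusScan", "category": "Malware", "handled": False},
    {"received": "2015-03-02T09:00:20", "host": "WS-014",
     "product": "VirusScan", "category": "Malware", "handled": True},   # cleaned by AV
    {"received": "2015-03-02T09:03:00", "host": "WS-014",
     "product": "VirusScan", "category": "Malware", "handled": False},
    {"received": "2015-03-02T09:10:00", "host": "WS-022",
     "product": "Data Loss Prevention", "category": "Policy", "handled": False},  # wrong product
    {"received": "2015-03-02T11:00:00", "host": "WS-022",
     "product": "VirusScan", "category": "Malware", "handled": False},
]

# The response filter from the answer: product, category, and unhandled only.
FILTER = {"product": "VirusScan", "category": "Malware", "handled": False}


def matches(event, criteria=FILTER):
    """True when every filter criterion is satisfied by the event."""
    return all(event.get(key) == value for key, value in criteria.items())


def aggregate(events, threshold=1, window=timedelta(minutes=10)):
    """Return {host: trigger_time} for hosts whose matching events reached
    `threshold` occurrences inside a sliding `window`. threshold=1 fires on
    every unhandled malware event, as in the answer's single-event response."""
    times_by_host = defaultdict(list)
    for event in sorted(events, key=lambda e: e["received"]):
        if matches(event):
            times_by_host[event["host"]].append(datetime.fromisoformat(event["received"]))

    triggered = {}
    for host, times in times_by_host.items():
        for start in range(len(times)):
            # Events from this one forward that still lie inside the window.
            in_window = [t for t in times[start:] if t - times[start] <= window]
            if len(in_window) >= threshold:
                triggered[host] = in_window[threshold - 1]  # moment the threshold was crossed
                break
    return triggered


def plan_actions(host, policy="Block removable storage (DLP)",
                 admin_email="epo-admin@example.com"):
    """The action list the answer configures, in the order ePO should run it.
    Policy name and address are placeholders."""
    return [
        ("Run System Command", f"assign policy '{policy}' to {host}"),
        ("Run System Command", f"agent wake-up on {host} (push the new policy)"),
        ("Send Email", f"notify {admin_email}: unhandled malware on {host}"),
    ]


def respond(events, threshold=1, window=timedelta(minutes=10)):
    """Full pipeline: filter + aggregate, then one action plan per triggered host."""
    return {host: plan_actions(host) for host in aggregate(events, threshold, window)}


if __name__ == "__main__":
    for host, actions in respond(SAMPLE_EVENTS, threshold=2).items():
        print(f"{host}:")
        for kind, detail in actions:
            print(f"  [{kind}] {detail}")
```

With threshold=2 only WS-014 triggers (two unhandled VirusScan detections three minutes apart); the handled event and the DLP event are ignored by the filter, and WS-022's single detection never reaches the threshold. Shrinking the window to one minute makes WS-014 drop out as well, which is the knob to tune if the real ePO response starts blocking devices on a single noisy detection.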
I already have an automatic response for the malware event that isn't handled. I will use that to trigger the policy enforcement.
At this time I don't want to go any further in restricting access, but I'll keep it in mind.