Level 9
Message 1 of 3

Is it possible to block a USB device after a number of malware detections happened?

Not sure if possible or if anyone ever tried.

I would like to block the currently plugged-in device on a computer in the event that malware has been detected (or detected multiple times within a defined time) on that device. So this is a combination of DLP, AV, policies and automatic responses, I guess, but I haven't found anything yet.

Preferably the user shall get an on-screen notification and the ePO administrator an email.

We usually allow USB devices for some computer assignment groups, but I would like to have an immediate response and action in the event that a device is infected.



2 Replies
Level 11
Message 2 of 3

Re: Is it possible to block a USB device after a number of malware detections happened?

Yes it should be possible.

Open your DLP Policy console, add a new Removable Media Storage Device rule. Configure that rule to include any USB device (device definition) and set the action to block (don't assign it to any group for now).

Create a new automatic response for threat events. In the filter, you can specify the following:

Detecting product name: VirusScan

Threat Category: Malware

Threat Handled equals False (optional).

This will force automatic responses to trigger when a malware event isn't handled (when not removed by the antivirus).

In the actions, select Run System Command and assign the newly created policy to that host.

Add another action, select Run System Command again and select Wake Up (to force the policy update on the client).
Add another action, select Send Email and configure the email to be sent (make sure that you have an email server configured under your Server Settings).

VirusScan should alert the user automatically upon detecting malware (if configured in the alert policy).

On top of these actions, you can create new "Access Protection" VirusScan policies and prevent the machine from communicating via HTTP/FTP and also lock shares. Then assign this policy using the automatic response tool. I would also recommend adding an on-demand scan task to your list of actions.

Hope this helps
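
The filter from the reply above, combined with the "multiple times within a defined time" condition from the question, as an added example that is not part of the original posts and is not McAfee code. It only models the decision of which hosts would get the blocking policy; the event fields, host names, threshold and window are assumptions, and nothing here calls ePO.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: (time, host, detecting product, category, handled).
# The field layout is illustrative and is not ePO's event schema.
EVENTS = [
    ("2024-05-01T09:00:00", "PC-01", "VirusScan", "Malware", False),
    ("2024-05-01T09:03:00", "PC-01", "VirusScan", "Malware", False),
    ("2024-05-01T09:07:00", "PC-01", "VirusScan", "Malware", False),
    ("2024-05-01T09:00:00", "PC-02", "VirusScan", "Malware", False),
    ("2024-05-01T09:20:00", "PC-02", "VirusScan", "Malware", False),
    ("2024-05-01T09:40:00", "PC-02", "VirusScan", "Malware", False),
    ("2024-05-01T09:01:00", "PC-03", "VirusScan", "Malware", True),
    ("2024-05-01T09:02:00", "PC-03", "VirusScan", "Malware", True),
    ("2024-05-01T09:03:00", "PC-03", "VirusScan", "Malware", True),
    ("2024-05-01T09:05:00", "PC-04", "OtherProduct", "Malware", False),
]


def matches_filter(product, category, handled):
    """Filter from the reply: VirusScan, Malware, Threat Handled equals False."""
    return product == "VirusScan" and category == "Malware" and handled is False


def hosts_to_block(events, threshold=3, window=timedelta(minutes=10)):
    """Return {host: time the threshold was first reached} for hosts with at
    least `threshold` matching events inside a sliding `window`."""
    recent = defaultdict(deque)   # per-host timestamps still inside the window
    triggered = {}
    for ts, host, product, category, handled in sorted(events):
        if not matches_filter(product, category, handled):
            continue
        when = datetime.fromisoformat(ts)
        seen = recent[host]
        seen.append(when)
        while when - seen[0] > window:   # drop detections older than the window
            seen.popleft()
        if len(seen) >= threshold and host not in triggered:
            triggered[host] = when
    return triggered


if __name__ == "__main__":
    for host, when in hosts_to_block(EVENTS).items():
        print(f"{host}: assign blocking policy, threshold reached at {when}")
```
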

Level 9
Message 3 of 3

Re: Is it possible to block a USB device after a number of malware detections happened?

Thanks bblanchard,

I already have an automatic response for the malware event that isn't handled. I will use that to trigger the policy enforcement.

At this time I don't want to go any further in restricting the access, but I am keeping it in mind.

