
McAfee DLP - Device Control Rule - Encrypted External Hard Disk

Hi,

I have difficulty creating a DLP policy which blocks all USB Storage devices except a specific Encrypted External Hard Disk (by using the USB Serial Number).
I use the McAfee technical Article "KB86007" to define this DLP policy.

The problem is as follows: McAfee Device Control is unable to retrieve the USB Serial Number of this equipment. In McAfee ePolicy Orchestrator Admin Console > DLP Incident Manager,
there is no "USB Serial Number" line in additional information (see below).

(DLP Incident Manager)

Device Friendly Name:   BULL TRUSTWAY DISK USB Device
Device Class Name:      Disk drives
Device Class GUID:      {4D36E967-E325-11CE-BFC1-08002BE10318}
Compatible ID:          USBSTOR\Disk
Instance ID:            USBSTOR\DISK&VEN_BULL&PROD_TRUSTWAY_DISK&REV__\7&EE3DD43&0&81328-2020005664&0
Bus Type:               USB
USB Class:              Mass Storage
Device Plug UTC Time:   August 17, 2018 9:17:20 AM
Device Plug Local Time: August 17, 2018 11:17:20 AM
File System Access:     Read/Write
File System Type:       NTFS
Volume Label:           GLOBULL
Volume Serial Number:   10EF-80D7
USB (VID/PID Codes):    04CC-1A24

My Device Control Rule works if I use the Volume Serial Number or the USB(VID/PID Codes) but it is not my target.

Additional Information concerning this Encrypted External Hard Disk:

- My Device Control Rule doesn't work if I use its serial number (information obtained using the usbdeview tool)
- To access data of the disk, the user needs to enter his PIN code (from the touch screen of the BULL TRUSTWAY DISK USB Device)
- The user needs to enter his PIN code to mount the disk drive.
- Technical description of the BULL TRUSTWAY DISK USB Device: https://atos.net/en/products/cyber-security/data-encryption/trustway-globull-encrypted-external-driv...

Additional Information concerning my Test Environment:

1 McAfee ePolicy Orchestrator Server (version 5.3.2)
1 Laptop with Windows 10 + McAfee Agent 5.5.1 / McAfee DLP 11.0.4 / McAfee ENS 10.5

Have you ever seen this type of problem?

Is there a solution to manage this equipment, with McAfee DLP, by using the USB Serial Number?


Best Regards,

Thomas

Accepted Solution

McAfee Employee nyeshoda
Message 3 of 3

Re: McAfee DLP - Device Control Rule - Encrypted External Hard Disk

This might be more related to identification of the correct serial number or Device ID. Please use the below options available to get the device ID.

Solution

To collect the required Device ID on Windows 2008:
  1. Insert the USB device.
  2. Access the Windows Control Panel.
  3. Open the Device Manager.
  4. Expand Disk Drives and locate the USB device.
  5. Right-click the device and select Properties.
  6. Click the Details tab, click the Property drop-down list, and select Device Instance Path.
  7. Right-click on the path, select copy, and then paste to a text file.

The listed value for Device Instance Path is the Device ID.

Solution

To collect the required Device ID on Windows 7:
  1. Insert the USB device.
  2. Launch Windows Explorer.
  3. Right-click Computer and select Properties.
  4. Under Control Panel Home, double-click Device Manager.
  5. Expand Disk Drives and locate the USB device.
  6. Right-click the device and select Properties.
  7. Click the Details tab, click the Property drop-down list, and select Device Instance Path.
  8. Right-click on the path, select copy, and then paste to a text file.

The listed value for Device Instance Path is the Device ID.

2 Replies

Reliable Contributor SCtbe
Message 2 of 3

Re: McAfee DLP - Device Control Rule - Encrypted External Hard Disk

Based on how DLP recognizes serial numbers (quote from DLP 11 Product Guide):

A unique alphanumeric string assigned by the USB
device manufacturer, typically for removable storage
devices. The serial number is the last part of the
instance ID.
Example:
USB\VID_3538&PID_0042\00000000002CD8
A valid serial number must have a minimum of 5
alphanumeric characters and must not contain
ampersands (&). If the last part of the instance ID does
not follow these requirements, it is not a serial number.
You can enter a partial serial number by using the comparison Contains rather than Equals.

Now looking on your instance ID:

Instance ID :           USBSTOR\DISK&VEN_BULL&PROD_TRUSTWAY_DISK&REV__\7&EE3DD43&0&81328-2020005664&0

as a serial number should be considered:

81328-2020005664

but I'm not sure if '-' is allowed in terms of DLP, so the last sentence from the above quotation from the Product Guide could be your solution.
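
A literal reading of the Product Guide rule quoted above, applied to both instance IDs that appear in this thread (an added example, not McAfee's code and not part of the original posts). The function names and the `strict` switch for the open '-' question are assumptions; how DLP itself parses the ID is not documented on this page.

```python
# Instance IDs copied from this thread.
PAGE_ID = r"USBSTOR\DISK&VEN_BULL&PROD_TRUSTWAY_DISK&REV__\7&EE3DD43&0&81328-2020005664&0"
GUIDE_ID = r"USB\VID_3538&PID_0042\00000000002CD8"


def last_segment(instance_id: str) -> str:
    """Part of a Windows device instance ID after the final backslash."""
    return instance_id.strip().rsplit("\\", 1)[-1]


def is_valid_serial(candidate: str, strict: bool = False) -> bool:
    """Quoted rule: no '&' and at least 5 alphanumeric characters.

    strict=False tolerates other characters such as '-' (assumption);
    strict=True requires every character to be alphanumeric (assumption).
    """
    if "&" in candidate:
        return False
    alnum = sum(ch.isascii() and ch.isalnum() for ch in candidate)
    if strict and alnum != len(candidate):
        return False
    return alnum >= 5


def serial_from_instance_id(instance_id: str, strict: bool = False):
    """Return the serial number the quoted rule would accept, else None."""
    seg = last_segment(instance_id)
    return seg if is_valid_serial(seg, strict) else None


def contains_candidates(instance_id: str, strict: bool = False):
    """Ampersand-free tokens of the last segment that satisfy the rule.

    These are strings a 'Contains' comparison could be tried with; whether
    DLP matches them is not confirmed on this page.
    """
    tokens = last_segment(instance_id).split("&")
    return [t for t in tokens if is_valid_serial(t, strict)]


if __name__ == "__main__":
    for label, iid in (("guide example", GUIDE_ID), ("thread device", PAGE_ID)):
        print(label, "->", serial_from_instance_id(iid), contains_candidates(iid))
```

Under this reading the last segment of the thread's instance ID contains ampersands, so it does not qualify as a serial number as a whole, which is consistent with the missing "USB Serial Number" line in the incident details.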
