mcafeee
Level 7
Message 1 of 10

Policy advice

Hi,

Can someone please advise on a policy to do the following:

Monitor all objects plugged into the USB bus and report them to DLP Monitor.

Block .exe from running on USB flash drives.

Thanks!!

9 Replies

Re: Policy advice

You need to create 2 different rules:

One for USB device monitoring and another for a file access protection rule.

Create USB definition (choose bus type - USB) -> create removable storage rule -> monitor only -> assignment group -> enable rule

Check this out for the file access protection:

http://community.mcafee.com/message/136196#136196

- Amiya Bisoi

mcafeee
Level 7
Message 3 of 10

Re: Policy advice

All seems to be working OK to a point now. DLP Monitor doesn't report any file names, though, when they've been copied to USB devices etc. Should this be the case? (I've set this up with a protection rule.)

Message was edited by: mcafeee on 08/07/10 03:59:58 CDT

Re: Policy advice

I can't recollect off the top of my head. Try to enforce a block rule on a few users and see if you get a trace of the file name in DLP Monitor!

- Amiya

mcafeee
Level 7
Message 5 of 10

Re: Policy advice

Thanks for the reply - we've tried that but still no trace of a file name!

We ideally want to monitor any files copied between USB keys etc.

Re: Policy advice

Is there an option for storing evidence? If yes - do you have a tick mark for that?

Give monitoring specific files rather than all files a quick try and see if you see any changes! It seems unusual not to get the file trace in the monitor.

- Amiya

mcafeee
Level 7
Message 7 of 10

Re: Policy advice

I'll give the store evidence tick box a go, though we don't actually want to copy anything to the \\...\evidence$ share, just monitor the file name!

Thanks

mcafeee
Level 7
Message 8 of 10

Re: Policy advice

I've tried the store evidence option now, and it works a charm, I can see the filename.

We don't want to be storing evidence though, is there any way around this?

SafeBoot
Reliable Contributor
Message 9 of 10

Re: Policy advice

No, there's no way to capture just the file name without capturing the file as well.

The file name on its own is really not enough for any investigation - what if someone just renamed every sensitive file to a benign name? You'd think your rule was broken if all the files were called "lunch menu.docx".

Re: Policy advice

Thanks for the response, we've kinda got a workaround now though... we've changed the agent to hit-highlighting in agent config and it's just grabbing the file name now.
