adpspt
Level 9

Problem with Device Control on virtual machines connected via zeroclient

Hello,

We are using DLP 9.1 with ePO 4.5 and have the problem that when we use USB sticks with a serial number in DLP, they are not working through the zero client on a virtual machine.

We have configured rules in DLP Device Control so that it is only allowed to use USB sticks which are content encrypted and whose serial number is registered in DLP.

This is working fine on normal physical laptops, but if I use the same USB stick on my zero client, which connects to a virtual VMware machine, the stick always gets blocked.
I also tried to register the stick not by serial number but by the VID and the PID, but this had the same result: the stick got blocked.

If I disable all rules in Device Control, the stick gets mapped from the zero client to the virtual machine without problems.
Can you help us, or is there any well-known practice for using Device Control with virtual machines?

best regards

0 Kudos
1 Solution

Accepted Solutions
adpspt
Level 9

Re: Problem with Device Control on virtual machines connected via zeroclient

Hello,

so we found the problem.

The reason why there is no SN of the stick in the virtual machine we could not solve, but for this we are in contact with the zero client vendor Teradici.

The reason why the instance ID of the stick and the PID or VID were not working was a problem in the permission set for the users who applied the policy to ePO.

The DLP Policy showed that it applied the rules and also showed it later when you log on, but that was just on the configuration screen. When you use "Import configuration from ePO server" in DLP Policy, it loads the configuration which is really in use, and so we saw that when we configured the USB stick via VID/PID or device instance ID, it was never written to the ePO server and never applied to the virtual machine :-)

best regards, maybe this is helpful for somebody

8 Replies
SafeBoot
Level 21

Re: Problem with Device Control on virtual machines connected via zeroclient

I don't think this will work - the host OS that has DLP installed never gets to see the stick in the VM - the VMware driver is connecting the guest OS directly to the hardware.

0 Kudos
adpspt
Level 9

Re: Problem with Device Control on virtual machines connected via zeroclient

When I run a tool like usbview (to read the SN, PID or VID) in the VM where the USB stick is plugged in via the zero client, I can see the PID and the VID but not the SN.

On a physical laptop I can see the PID, VID and SN. So there must be a chance or a way of configuration to work with the PID and VID from the USB stick?

The DLP also recognizes the VMware USB hub; I put this on the whitelisted devices and it only gets monitored and not blocked.

0 Kudos
virgona
Level 9

Re: Problem with Device Control on virtual machines connected via zeroclient

Add a new "Removable Storage Device Rule" with USB bus checked and Device Definition checked, and enable the "monitor" action. Plug your USB stick in and make sure your VM finds it, then go to DLP Monitor to check the device details from the detected event.

Maybe the mapped USB device is not the very same as the physical one; find the similarity of both, then define the block rule.

0 Kudos
adpspt
Level 9

Re: Problem with Device Control on virtual machines connected via zeroclient

Hello,

sure, I also checked the DLP Monitor, and this is what is quite strange for me: the serial number on the VM is not shown, so it is clear I cannot use it, but why is it not working with the VID or PID or with the Device Class?

In the McAfee log the PID and VID are not shown, neither for the physical machine nor for the VM, but with the tool "usbdeview" you see the same VID and PID numbers on both machines.

Here are some details of what the DLP log shows for the physical laptop and for the zero client; the same USB stick is used:

Log from zero client:

Device Class GUID:   4D36E967-E325-11CE-BFC1-08002BE10318
Device Class Name:   Disk drives
Device Name:   Kingston DataTraveler G3 USB Device
Device Compatible ID:   USBSTOR\Disk
Device Instance ID:   USBSTOR\DISK&VEN_KINGSTON&PROD_DATATRAVELER_G3&REV_1.00\001CC0EC303CFC70C59D2562&0
USB Serial Number:   PCoIPUSB_0001
Volume Serial Number:   3A84-8FD1

Log from physical client:

Device Class GUID:   4D36E967-E325-11CE-BFC1-08002BE10318
Device Name:   Kingston DataTraveler G3 USB Device
Device Compatible ID:   USBSTOR\Disk
Device Instance ID:   USBSTOR\DISK&VEN_KINGSTON&PROD_DATATRAVELER_G3&REV_1.00\001CC0EC303CFC70C59D2562&0
USB Serial Number:   001CC0EC303CFC70C59D2562
USB Class:   08h - Mass Storage
Volume Serial Number:   3A84-8FD1

Best regards

0 Kudos
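An added example, not from the thread or from McAfee: a small Python script that parses the two DLP Monitor records quoted above (record contents constructed from the values in this post) and reports which identifier fields are identical on the physical and zero-client paths, so a Device Control rule can be keyed on a field that matches the same stick on both. The PCoIPUSB_ prefix check is an assumption based on the one placeholder serial seen here.

```python
ZEROCLIENT_RECORD = r"""
Device Class GUID:   4D36E967-E325-11CE-BFC1-08002BE10318
Device Class Name:   Disk drives
Device Name:   Kingston DataTraveler G3 USB Device
Device Compatible ID:   USBSTOR\Disk
Device Instance ID:   USBSTOR\DISK&VEN_KINGSTON&PROD_DATATRAVELER_G3&REV_1.00\001CC0EC303CFC70C59D2562&0
USB Serial Number:   PCoIPUSB_0001
Volume Serial Number:   3A84-8FD1
"""
PHYSICAL_RECORD = r"""
Device Class GUID:   4D36E967-E325-11CE-BFC1-08002BE10318
Device Name:   Kingston DataTraveler G3 USB Device
Device Compatible ID:   USBSTOR\Disk
Device Instance ID:   USBSTOR\DISK&VEN_KINGSTON&PROD_DATATRAVELER_G3&REV_1.00\001CC0EC303CFC70C59D2562&0
USB Serial Number:   001CC0EC303CFC70C59D2562
USB Class:   08h - Mass Storage
Volume Serial Number:   3A84-8FD1
"""

# Assumed placeholder prefix the PCoIP redirection substitutes for the real serial.
REDIRECTED_SERIAL_PREFIX = "PCoIPUSB_"

def parse_record(text):
    """Turn 'Field:   value' lines into a dict; blank or malformed lines are skipped."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip():
            fields[key.strip()] = value.strip()
    return fields

def compare_records(a, b):
    """Classify every field seen in either record as stable, differs or missing."""
    result = {}
    for key in sorted(set(a) | set(b)):
        if key not in a or key not in b:
            result[key] = "missing"   # only one access path reports this field
        elif a[key] == b[key]:
            result[key] = "stable"    # same value on both paths: usable rule criterion
        else:
            result[key] = "differs"   # a rule keyed on this matches only one path
    return result

def usable_rule_fields(a, b):
    """Fields whose value is identical on both paths (candidate rule criteria)."""
    return [k for k, v in compare_records(a, b).items() if v == "stable"]

def is_redirected_serial(serial):
    return serial.startswith(REDIRECTED_SERIAL_PREFIX)  # zero-client placeholder, not the stick's own
```

On these two records the Device Instance ID (which still carries the real serial) and the Volume Serial Number are stable while the USB Serial Number differs, which is consistent with the accepted solution that the instance-ID rule itself was sound and simply never reached ePO.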
virgona
Level 9

Re: Problem with Device Control on virtual machines connected via zeroclient

Make sure the status of the Device Class is Managed.

And I suggest you just use the info listed from DLP Monitor, because we cannot know the exact value of non-listed parameters. For your case, try "Device name" and/or "Device Instance ID".

Don't get entangled with the missing SN on the VM or other missing fields; it should be because VMware does not transfer the parameters, or McAfee DLP does not detect them.

0 Kudos
adpspt
Level 9

Re: Problem with Device Control on virtual machines connected via zeroclient

OK, sorry, I just did not copy the VID and the PID, but the Monitor shows the VID and PID for the physical laptop and for the VM. That's why I tried it with VID/PID and also with Device Instance ID. The Device name is also not working.

The only thing that is working is when I use the "Volume Serial Number:"; then it works in the VM and the stick is not blocked.

Now I would like to know why only the Volume Serial Number is working but not the other things. Where is the difference, or why does DLP show it in the Monitor but when executing the rules on the client it does not work?

0 Kudos

Regis
Level 12

Re: Problem with Device Control on virtual machines connected via zeroclient

I've seen this as well with Wyse terminals connecting to VMware vSphere virtual infrastructure.

In the cases where no serial is being sent, I have had to whitelist or do policy based on Instance IDs instead. It's a pain.

0 Kudos