Problems with Device Rules / Definitions

I am still having problems with blocking USB Storage Devices.

I have a rule set up that I think should block all USB Storage Devices EXCEPT ones that I have specifically allowed. However it is still blocking devices that I have allowed.

The rule INCLUDES Bus Type of USB

The rule EXCLUDES Devices that are in a list of allowed devices (defined by "USB Device Serial Number"). I have also had to add devices by "Device Instance ID" where DLP Monitor does not list the Serial Number. These are both contained in the same list, hopefully it works as an OR list.

So, a few questions -

Why are devices that are in my excluded list still being blocked?

In DLP Monitor, why do some devices not display a USB Serial Number?

Can I use the Device Instance ID instead? What exactly is the Device Instance ID?

When entering device parameters, what does "allow partial match" mean? I have seen that the last digit on the Device Instance ID sometimes changes.


5 Replies

Re: Problems with Device Rules / Definitions


What is your objective here? Is it to block all USB storage device (a USB device with a file system) or want to block all the USB device (any device with a USB bus type)? If you are worried about data loss then you should be blocking USB devices with file system rather than blocking devices with USB bus type only (like some USB keyboard, mouse with no storage).

Still, if you want to block all devices with USB bus type, try to create the definition with the help of the export device parameters feature in DLP 9.0 (check the product guide) and see if that helps!

The various options in the definition work as "And", and the various values within an option work as "Or" -> e.g. if you select bus type "USB" and file type "NTFS", that will work as "AND". But if you choose multiple values within an option, like USB bus, Bluetooth, Firewire etc., those work as "Or".

In the majority of cases I see the definition is not defined correctly, so check your definition for excluded devices carefully. As mentioned, take the help of the export device parameters feature.

You can use device instance id. Try to use PID/VID instead.

Partial match means it will match a pattern from the whole word or sentence you are providing while checking.

- Amiya


Re: Problems with Device Rules / Definitions

What we're trying to do is completely block file access to USB memory sticks and cameras that aren't supplied by us, but allow access to devices supplied by us. We have been supplying them and entering their USB serial number into a Removable Storage Definition list, thinking that all would be ok when we made our blocking rule live.

How would we define a USB device with a file system? How would we differentiate between known and unknown devices?

We can't use PID/VID because someone could purchase a device the same as we are supplying and use it.

We are using "export device parameters" to get the USB serial number and/or device instance id.

thanks so far,



Re: Problems with Device Rules / Definitions

When you are creating the device definition:

Choose bus type USB and file system as NTFS, FAT etc. (exclude CDFS and UDFS). - This should be the universal "USB with file type" definition that you want to block.

Create a specific definition for your excluded devices - When you use export parameters to create your definition it exports everything. Try to fine-tune that a little bit by selecting the must-need ones first, like USB bus type, serial numbers or other features you consider unique to the product.

Check your user assignment group also if you are including the right users!

- Amiya


Re: Problems with Device Rules / Definitions

I think we have finally got it sorted.

We have now created separate Removable Storage Device Definition lists, one containing devices' Device Instance IDs and one containing USB Device Serial Numbers.

We use both lists in one rule and devices seem to be being blocked/allowed correctly.

One thing that does seem to be happening however is that the Device Instance ID seems to change if the device is connected to a different PC - the last numbers in the chain change. Here is an example of a Samsung camera connected, in turn to two different PCs.



Is this behaviour expected? I have noticed that some Device Instance IDs contain USB Serial Numbers, but others, such as those above, do not.



Re: Problems with Device Rules / Definitions

maybe that device does not have a fixed serial number at all, and Windows is just assigning one at random to it?
