I am using ePO 4.5 Patch 3 and Host DLP 9.0 Patch 1. The rule set I am using is device control, to set block or read-only on removable devices.
I deployed DLP agent 9.0 Patch 1 to the workstations (Windows XP) and tested commonly used USB devices. However, for the two types of Kingston DataTraveler USB thumb drive with an encryption application inside, which are Kingston DTVault Privacy and Kingston DTS series, if the logged-on user does not have local administrator privilege, the encryption application cannot be launched and thus the encrypted drive cannot be used.
If the user has local administrator privilege, the encryption application can be launched successfully. In addition, if the DLP agent is removed, the encryption application works even if the user does not have local administrator privilege.
Does anyone have a similar problem using a third-party encrypted USB device that they can share? Since the problem exists right after installing the DLP agent, without any device control rule or content protection rule applied to the logged-on user and the computer, it seems to be a problem with the global agent configuration or the default basic policy that comes with the DLP agent.
I have logged a call with McAfee and no workaround has been received at the moment.
Thank you very much!
I have never come across this problem, and I have used the USB sticks in question, but that was with DLP 2 Patch 2 and 3. Did you get a fix?
If not, it sounds like a permissions issue if you haven't set any rules within DLP. I would use something like Filemon (ProcessMon) from Sysinternals to find out where the permissions fault is.
Thanks for sharing. I have tried installing the standalone version of the HDLP 2.2 agent (since the server side is already 9.0 and cannot be reverted to 2.2), and the encryption program on the Kingston can be used with HDLP 2.2. It seems the problem happens on the 9.0 / 9.1 agent versions but not on 2.2.
Would you have the source of the 9.0 HDLP agent that you can install on a test machine to see if it is a version issue?
Thanks so much.
I have DLP 9 Patch 1, but I need to get hold of the sticks. I'll try and get a user to drop one in for me today.
May I have your result on DLP 9.0? Is the encrypted Kingston USB working on this version?
The user never turned up. I'll try and chase them today; we don't have any more in stock at the moment.
I can't get hold of one today. Have you tried using the Sysinternals tool to check the access denied?
It's really easy to use, and once you have captured the data you can simply search for denied.
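The capture-and-search approach suggested above can be narrowed to the thread's symptom (works as administrator, fails as a standard user) by comparing two Process Monitor CSV exports. This is an added example, not part of any post in the thread; the process name, paths and trace rows are constructed placeholders, and the column names assume Process Monitor's default CSV export layout.

```python
import csv
import io

HEADER = '"Time of Day","Process Name","PID","Operation","Path","Result","Detail"\n'
# Constructed sample traces: same launcher run as a standard user and as an admin.
# "launcher.exe" and every path below are hypothetical, not taken from the thread.
USER_TRACE = HEADER + r'''"10:01:02.1","launcher.exe","1234","CreateFile","E:\launcher.exe","SUCCESS",""
"10:01:02.3","launcher.exe","1234","RegOpenKey","HKLM\SOFTWARE\ExampleVendor","ACCESS DENIED",""
"10:01:02.4","launcher.exe","1234","CreateFile","\Device\ExampleVolume","ACCESS DENIED",""
"10:01:02.5","launcher.exe","1234","CreateFile","C:\Locked\always.dat","ACCESS DENIED",""
"10:01:02.6","explorer.exe","900","CreateFile","C:\Temp\x.tmp","ACCESS DENIED",""
'''
ADMIN_TRACE = HEADER + r'''"10:05:02.1","launcher.exe","2222","CreateFile","E:\launcher.exe","SUCCESS",""
"10:05:02.3","launcher.exe","2222","RegOpenKey","HKLM\SOFTWARE\ExampleVendor","SUCCESS",""
"10:05:02.4","launcher.exe","2222","CreateFile","\Device\ExampleVolume","SUCCESS",""
"10:05:02.5","launcher.exe","2222","CreateFile","C:\Locked\always.dat","ACCESS DENIED",""
'''


def load_results(csv_text, process):
    """Map (operation, path) -> set of results seen for one process."""
    # Exported files may start with a UTF-8 byte-order mark; drop it if present.
    reader = csv.DictReader(io.StringIO(csv_text.lstrip("\ufeff")))
    results = {}
    for row in reader:
        if row["Process Name"].lower() == process.lower():
            key = (row["Operation"], row["Path"])
            results.setdefault(key, set()).add(row["Result"])
    return results


def denied_only_for_standard_user(user_csv, admin_csv, process):
    """Operations denied in the standard-user trace but successful as admin."""
    user = load_results(user_csv, process)
    admin = load_results(admin_csv, process)
    return sorted(
        key for key, seen in user.items()
        if "ACCESS DENIED" in seen and "SUCCESS" in admin.get(key, set())
    )


if __name__ == "__main__":
    for op, path in denied_only_for_standard_user(USER_TRACE, ADMIN_TRACE, "launcher.exe"):
        print(f"{op:12} {path}")
```

Denials that also occur in the administrator trace, or that belong to other processes, are dropped, which leaves only the accesses that differ between the two privilege levels.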
Finally I found the setting that triggers the error. In device class, I had set 'HID' to Managed, as I may control the use of input devices such as keyboard and mouse. Once it has been set to 'Managed', it conflicts with the encryption tool on the USB thumb drive.
In order to allow use of USB input devices, I use the predefined HID in USB Class Code instead. And I think there may be potential problems if some device classes are changed from the default 'Unmanaged' to 'Managed'.