
Whitelist certain devices

Hi all,

Question about DLP policies.

Basically, using our testing environment (ePO 4.5 Build 937), SQL 2005 and Win2003 SP2, all on the same box.

I have created a policy to block USB:

- bus type: USB

- device: 08h - Mass Storage

It works fine and blocks USB pen drives when I plug in to a PC.

I am trying to add a whitelist to allow 'certain approved' USB pen drives, i.e., encrypted and provided by us.

I have created a Whitelist Plug and Play Device Definition, Device Instance ID (advanced), and typed in everything I could see in Device Manager, i.e., USBSTOR\DISK&VEN_KINGSTON&PROD_DTVAULT_PRIVACY&REV_104\001BFCA..........

I have then applied the policy. My questions are:

1) Is this the way to enter a value for the Instance ID?

2) How long does it take for the client machine to receive this new policy? If I force an agent wakeup, does it pick it up straight away?

3) I am not sure whether this is the best way to whitelist devices.

Comments are appreciated.

1 Solution

Accepted Solutions
ajw
Level 7

Re: Whitelist certain devices

It sounds like you are on the right track.

Try using a removable storage device definition to define your device with the device instance ID. Use that with your device rule to block everything and set it to exclude your whitelisted group.

If you didn't change the Agent policy in ePO, policy enforcement is every 5 minutes and agent-to-server communication is every hour.

After enforcing the policy, the client machine might sometimes need a reboot, if you are certain that everything looks OK.

If all else fails, try using the option for "allow partial match" under the device instance setting.

Hope that helps!

4 Replies
Re: Whitelist certain devices

ajw

Thanks for your reply.

It did work indeed. The only way to find out the correct USB Device ID was to go to DLP Monitor and check the devices that had been blocked, then copy the info to Notepad and feed it into the whitelist group.

The Device ID obtained from Device Manager/Properties did not match.

Many thanks for taking the time to reply to my question.
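As an added example (not code from this thread or from McAfee DLP), the PowerShell script below lists the USBSTOR device instance IDs a Windows client reports for attached USB storage devices, splits them into vendor/product/revision/serial, and checks each one against a whitelist both exactly and with a partial match. It assumes PowerShell 3.0 or later (Get-CimInstance) and models "allow partial match" as a case-insensitive prefix match, which is an assumption about the DLP option; the whitelist entry is a constructed sample.

```powershell
# Added example, not code from this thread or from McAfee DLP. Lists the USBSTOR
# device instance IDs Windows reports for attached USB storage devices and checks
# each one against a whitelist, both exactly and with a partial match.
# Assumptions: PowerShell 3.0+ (Get-CimInstance); "allow partial match" is modelled
# here as a case-insensitive prefix match, an assumption about the DLP option.

# Constructed sample whitelist entry, the kind of value copied from a blocked-device
# event in DLP Monitor; the serial part is made up.
$Whitelist = @(
    'USBSTOR\DISK&VEN_KINGSTON&PROD_DTVAULT_PRIVACY&REV_104\001BFCA0EXAMPLE&0'
)

function Get-UsbStorInstanceId {
    # Win32_PnPEntity.DeviceID is the string Device Manager shows as "Device Instance Path".
    Get-CimInstance -ClassName Win32_PnPEntity |
        Where-Object { $_.DeviceID -like 'USBSTOR\*' } |
        Select-Object -ExpandProperty DeviceID
}

function ConvertFrom-UsbStorInstanceId {
    # Split 'USBSTOR\DISK&VEN_x&PROD_y&REV_z\serial' into named fields.
    param([Parameter(Mandatory)][string]$InstanceId)
    $segments = $InstanceId -split '\\'
    $field = @{}
    foreach ($token in ($segments[1] -split '&')) {
        if ($token -match '^(VEN|PROD|REV)_(.+)$') { $field[$Matches[1]] = $Matches[2] }
    }
    $serial = if ($segments.Count -gt 2) { $segments[2] } else { $null }
    [pscustomobject]@{ Vendor = $field['VEN']; Product = $field['PROD']; Rev = $field['REV']; Serial = $serial }
}

function Test-WhitelistMatch {
    param([Parameter(Mandatory)][string]$InstanceId, [string[]]$Patterns, [switch]$PartialMatch)
    foreach ($pattern in $Patterns) {
        if ($PartialMatch) {
            if ($InstanceId.StartsWith($pattern, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
        }
        elseif ($InstanceId -eq $pattern) { return $true }   # -eq is case-insensitive in PowerShell
    }
    return $false
}

# Report each attached USBSTOR device with its parsed fields and whitelist status.
Get-UsbStorInstanceId | ForEach-Object {
    $parsed = ConvertFrom-UsbStorInstanceId -InstanceId $_
    [pscustomobject]@{
        Vendor = $parsed.Vendor; Product = $parsed.Product; Serial = $parsed.Serial
        Exact   = Test-WhitelistMatch -InstanceId $_ -Patterns $Whitelist
        Partial = Test-WhitelistMatch -InstanceId $_ -Patterns $Whitelist -PartialMatch
        InstanceId = $_
    }
} | Format-Table -AutoSize
```

Comparing the InstanceId column with the value shown in DLP Monitor for a blocked device shows exactly which string the whitelist must contain, and the Exact/Partial columns show whether a given entry would only match with the partial-match option enabled.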

rb51

Re: Whitelist certain devices

A bit of a late reply...

Each USB device has a unique number; create a rule to allow devices by this number.

If you block executables on removable devices, you will also need to whitelist the application that "decrypts" the USB device.

Re: Whitelist certain devices

In DLP 9.3 you will need to define a new Plug and Play Device Definition and select the Bus Type (e.g. USB, PCI, ...) and the USB Class Code of 08h - Mass Storage.

Add a rule to block this definition.

You will then be able to use the Whitelist Plug and Play Device Definition to exclude any devices by serial number, device ID, etc.
