4 Replies Latest reply on Jul 15, 2013 6:48 AM by kearmaster

    Whitelist certain devices

    redbaron51

      Hi all,

       

      Question about DLP policies.

       

      Basically using our testing environment (ePO 4.5 Build 937), SQL 2005, Win2003SP2 all on same box.

       

      I have created a policy to block USB

       

      - bus type: USB

      - device: 08h - Mass Storage

       

      It works fine and blocks USB pen drives when I plug in to a PC.

       

      I am trying to add a whitelist to allow 'certain approved' USB pen drives, i.e., encrypted and provided by us.

       

      I have created a Whitelist Plug and Play Device Definition, Device Instance ID (advanced) and typed in everything I could see from device manager, i.e., USBSTOR\DISK&VEN_KINGSTON&PROD_DTVAULT_PRIVACY&REV_104\001BFCA..........

       

      I have then applied the policy. My question is

       

      1) Is this the way to enter a value for Instance ID?

       

      2) how long does it take to the client machine to receive this new policy? If I force a agent wakeup, does it pick up straightway?

       

      3) Not sure whether this is the best way to whitelist devices

       

      Comments are appreciated

        • 1. Re: Whitelist certain devices

          It sounds like you are on the right track.

           

          Try using a removable storage device definition to define your device with the device instance ID.  Use that with your device rule to block everything and set it to exclude your whitelisted group.

           

          If you didn't change the Agent policy in EPO, policy enforcement is every 5 minutes, agent to server communication is every hour.

           

          After enforcing the policy, sometimes the client machine might need a reboot if you are certain that everything looks ok.

           

          If all else fails, try using the option for "allow partial match" under the device instance setting.

           

          Hope that helps!

          • 2. Re: Whitelist certain devices
            redbaron51

            ajw

             

            thanks for your reply.

             

            It did work indeed. The only way to find out the correct USB Device ID was to go to DLP Monitor and check the devices which have been blocked. Then copy the info to notepad and feed the whitelist group.

             

            Getting the Device ID from Device Manager/Properties was not matching.

             

            Many thanks for taking your time to reply to my Q.

             

            rb51

            • 3. Re: Whitelist certain devices

              A bit of a late reply...

               

              Each USB device has a unique number, create a rule to allow devices by this number.

               

              If you block executables on removable devices, you will also need to whitelist the application that "decrypts" the USB device.

              • 4. Re: Whitelist certain devices

                In DLP 9.3 you will need to define a new Plug and Play Device Definition and select Bus Type (e.g. USB, PCI...) and USB Class Code of 08h - Mass Stroage.

                 

                Add a rule to block this definition

                 

                Now you will then be able to use the Whitelist Plug and Play Device Definition to exclude any devices by serial number or device ID etc.