8 Replies Latest reply on Jun 29, 2011 10:12 AM by cdobol

    U3 Device Not Being Detected as Removable Mass Storage

    cdobol

      I am running Data Loss Prevention 9.1.0.522 and I'm seeing a strange issue.  The storage part of the U3 appears to be going undetected.... Meaning I have a read only rule for removable mass storage which works fine with other devices except the U3.  I am able to write to the U3 which is obviously not good.

       

      Anyone see this before?  Any resolutions?

       

      Thanks.

        • 1. Re: U3 Device Not Being Detected as Removable Mass Storage
          cdobol

          This is interesting - I think the data partition (there are 2 partitions... 1 CD - 1 Data) is showing up as a DVD/CD-ROM Drive.  Will try to block this device with this information.

           

          Event Generated Time (Endpoint):   6/28/2011 11:24:57 AM

          Event Generated Time (UTC):   6/28/2011 3:24:57 PM

          Associated Rules:   Monitor External Devices (not Mass Storage)

          Computer Name:   W-D8XVGCK1

          Agent Action(s):   Monitor

          Agent Version:   9.1.0.522

          Policy Name:   DLP Security Policy

          Policy Time (UTC):   6/28/2011 3:21:59 PM

          Connection State:   Online

          Device Class GUID:   4D36E965-E325-11CE-BFC1-08002BE10318

          Device Class Name:   DVD/CD-ROM drives

          Device Name:   SanDisk U3 Cruzer Micro USB Device

          Device Compatible ID:   USBSTOR\CdRom

          Device Instance ID:   USBSTOR\CDROM&VEN_SANDISK&PROD_U3_CRUZER_MICRO&REV_3.27\000017F9AC6254D9&1

          Bus Type:   USB

          USB Serial Number:   000017F9AC6254D9

          • 2. Re: U3 Device Not Being Detected as Removable Mass Storage
            cdobol

            Additional information... I monitored additional non-mass storage devices and this appears to be the 'mass storage'.  Is there a way to tell DLP this is a mass storage device?  Something isn't quite right with the U3 and DLP...

             

             

            Event Generated Time (Endpoint):   6/28/2011 12:06:26 PM

            Event Generated Time (UTC):   6/28/2011 4:06:26 PM

            Associated Rules:   Monitor External Devices (not Mass Storage)

            Computer Name:   W-D8XVGCK1

            Agent Action(s):   Monitor

            Agent Version:   9.1.0.522

            Policy Name:   DLP Security Policy

            Policy Time (UTC):   6/28/2011 4:02:24 PM

            Connection State:   Online

            Device Class GUID:   36FC9E60-C465-11CF-8056-444553540000

            Device Class Name:   Universal Serial Bus controllers

            Device Name:   USB Mass Storage Device

            Device Compatible ID:   USB\CLASS_08&SUBCLASS_06&PROT_50

            Device Instance ID:   USB\VID_1177&PID_0824\5&9C1F75F&0&1

            Bus Type:   USB

            Vendor ID:   1177

            Product ID:   0824

            USB Class:   08h - Mass Storage

            • 3. Re: U3 Device Not Being Detected as Removable Mass Storage
              cdobol

              I opened an SR with McAfee on this - I would expect if this was widespread someone else had to encounter this.  Maybe it's something with our corporate setup.  In any case I will post what I find.

               

              In summary

               

              The U3 data partition randomly shows up as a mass storage device or a USB serial controller.  When it shows up as a serial controller our read-only mass storage rules do not apply.... not good.

               

              This is the way the U3 device should show up....
              Event Generated Time (Endpoint):   6/29/2011 8:28:04 AM
              Event Generated Time (UTC):   6/29/2011 12:28:04 PM
              Associated Rules:   Monitor All RMSD-CD, ReadOnly All RMSD-CD
              Computer Name:   W-D8XVGCK1
              Agent Action(s):   Monitor, Block Write
              Agent Version:   9.1.100.1
              Policy Name:   DLP Security Policy
              Policy Time (UTC):   6/29/2011 12:05:27 PM
              Connection State:   Online
              Device Class GUID:   4D36E967-E325-11CE-BFC1-08002BE10318
              Device Class Name:   Disk drives
              Device Name:   SanDisk U3 Cruzer Micro USB Device
              Device Compatible ID:   USB\CLASS_08&SUBCLASS_06&PROT_50
              Device Instance ID:   USBSTOR\Disk&Ven_SanDisk&Prod_U3_Cruzer_Micro&Rev_3.27\000017F9AC6254D9&0\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
              Bus Type:   USB
              Vendor ID:   0781
              Product ID:   5406
              USB Serial Number:   000017F9AC6254D9
              USB Class:   08h - Mass Storage
              Device File-System Access:   Read - Write
              Volume Serial Number:   B22E-D39E
              Device File System Type:   FAT32


              This is the way it shows up when our read-only rules don't work....
              Event Generated Time (Endpoint):   6/29/2011 8:28:49 AM
              Event Generated Time (UTC):   6/29/2011 12:28:49 PM
              Associated Rules:   Monitor External Devices (not Mass Storage)
              Computer Name:   W-D8XVGCK1
              Agent Action(s):   Monitor
              Agent Version:   9.1.100.1
              Policy Name:   DLP Security Policy
              Policy Time (UTC):   6/29/2011 12:05:27 PM
              Connection State:   Online
              Device Class GUID:   36FC9E60-C465-11CF-8056-444553540000
              Device Class Name:   Universal Serial Bus controllers
              Device Name:   USB Mass Storage Device
              Device Compatible ID:   USB\CLASS_08&SUBCLASS_06&PROT_50
              Device Instance ID:   USB\VID_0781&PID_5406\000017F9AC6254D9
              Bus Type:   USB
              Vendor ID:   0781
              Product ID:   5406
              USB Serial Number:   000017F9AC6254D9
              USB Class:   08h - Mass Storage

              • 4. Re: U3 Device Not Being Detected as Removable Mass Storage
                exbrit

                I'll throw my 2¢ worth in here and then butt out as I'm not knowledgeable regarding Enterprise products....but it wouldn't have anything to do with the fact that U3 is no longer a supported format?   PortableApps is a good substitute.

                 

                Per Wikipedia: http://en.wikipedia.org/wiki/U3

                 

                SanDisk report the following on its website "The U3 technology has reached end of life. SanDisk began phasing out support for U3 Technology in late 2009."

                • 5. Re: U3 Device Not Being Detected as Removable Mass Storage
                  cdobol

                  That is actually good to know, but many people in our company are still using these things.... and of course we do not want users copying data to them.   If it comes down to it our company policy might lean towards blocking these devices entirely (plug & play rule) if we can't make them read only via a removable storage rule.

                  • 6. Re: U3 Device Not Being Detected as Removable Mass Storage

                    Are you experiencing this with lots of devices, or just one? Maybe you just have a bum device? Last time I looked at U3's (which was a while ago) they emulated a CD-ROM and a storage device simultaneously, so you need to treat them as such in DLP.

                    • 7. Re: U3 Device Not Being Detected as Removable Mass Storage
                      cdobol

                      Hello Mr. SafeBoot.   It's multiple U3 devices.  Yes, there are two partitions... one CD-ROM and one data partition.  It's random when DLP actually picks up the data partition as a RMSD and applies our read-only policy.

                      • 8. Re: U3 Device Not Being Detected as Removable Mass Storage
                        cdobol

                        A little more information...  It appears however the U3 mounts the data partition is missed by DLP.   For example, I can disable and reenable the RMSD U3 in device manager, then DLP picks it up after it's enabled....
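
Added example (not part of the original thread and not McAfee tooling): a triage check over exported device events that finds USB class 08h devices which were only monitored, and serial numbers seen both with and without a write block, which is the pattern reply 3 describes. It assumes the events are available as text in the `Field:   value` layout shown in the posts, one event per blank-line-separated block; the function names are hypothetical.

```python
import re

# Constructed sample: fields abbreviated from the events posted in this thread.
SAMPLE = r"""
Agent Action(s):   Monitor, Block Write
Device Class Name:   Disk drives
Device Compatible ID:   USB\CLASS_08&SUBCLASS_06&PROT_50
USB Serial Number:   000017F9AC6254D9
USB Class:   08h - Mass Storage

Agent Action(s):   Monitor
Device Class Name:   Universal Serial Bus controllers
Device Compatible ID:   USB\CLASS_08&SUBCLASS_06&PROT_50
USB Serial Number:   000017F9AC6254D9
USB Class:   08h - Mass Storage

Agent Action(s):   Monitor
Device Class Name:   DVD/CD-ROM drives
Device Compatible ID:   USBSTOR\CdRom
USB Serial Number:   000017F9AC6254D9
"""

def parse_events(text):
    """Split the export on blank lines; each event becomes a dict of 'Field: value'."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        pairs = (line.partition(":") for line in block.splitlines() if ":" in line)
        events.append({k.strip(): v.strip() for k, _, v in pairs})
    return events

def reports_mass_storage(ev):
    """True when the USB interface itself is class 08h, whatever setup class it landed in."""
    return (ev.get("USB Class", "").lower().startswith("08h")
            or "CLASS_08" in ev.get("Device Compatible ID", "").upper())

def write_blocked(ev):
    actions = [a.strip().lower() for a in ev.get("Agent Action(s)", "").split(",")]
    return "block write" in actions

def enforcement_gaps(events):
    """Class-08h events that were only monitored, i.e. no read-only rule matched."""
    return [ev for ev in events if reports_mass_storage(ev) and not write_blocked(ev)]

def inconsistent_serials(events):
    """Serials seen both with and without a write block (the 'random' behaviour)."""
    seen = {}
    for ev in filter(reports_mass_storage, events):
        seen.setdefault(ev.get("USB Serial Number", "?"), set()).add(write_blocked(ev))
    return sorted(s for s, states in seen.items() if states == {True, False})
```

On the sample, `enforcement_gaps` returns only the event filed under "Universal Serial Bus controllers"; the emulated CD-ROM event is not counted because it does not report USB class 08h.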