I can create a Protection Rule that will monitor and require justification for a removable storage device plugged into my USB. However, I cannot get the rule to work with my DVD/CD RW drive.
1) Did you enable it?
2) Check policy for 'computer assigned' or 'user right assignment' as you want to work with;
1. Yes, I enabled and applied the policy.
2. Yes, it is assigned to the correct user rights assignment.
Are CD/DVD drives not considered "Removable Storage Devices" covered under the Protection Rules?
You should try with 'All Removable Storage Device' in order to know if Device Control blocks it.
I just tried to apply block to "all removable storage devices" with the Device Rule and it did not work. However, the Device Protection rule does work when trying to write out to my usb drive.
Sounds like something that the DLP Diagnostic Tool should help resolve (assuming DLPe 9.2)
Download it from the knowledgebase: https://kc.mcafee.com/corporate/index?page=content&id=KB75040
Once installed and you have entered the override code, use the tool to examine the CD/DVD and see if the rule applies to it.
McAfee DLP TierIII
Device Plug and Play blocking CD/DVD drive works appropriately. The rules with Device Removable storage do not work.
Thanks for your thoughts so far. Any more ideas? I will try the diagnostic tool next.
This scenario is covered in the following article.
You can either block CD/DVD with a device rule set to read only or monitor what is being written with an application based protection rule.
I can't seem to access the above KB articles. Is there something I can do to view it?
I'm not sure why it isn't working for you. Here is a copy from the article itself:
Corporate KnowledgeBase ID: KB53598
Last Modified: January 26, 2012
McAfee Host Data Loss Prevention 9.0
McAfee Host Data Loss Prevention 3.0
It is not possible to block data using a reaction rule that is triggered from burning software such as:
Windows built-in burning functionality
The reason for this relates to how the CD/DVD burning software builds the data to be written and the way in which those applications choose to organize the data before burning. These factors make Host Data Loss Prevention (Host DLP) unable to block that data using an application reaction rule.
Host DLP does provide tagging and monitoring via a burner application reaction rule, just not blocking functionality. This feature has limited functionality, but does exist in Roxio versions 6-8. This feature does not work with Windows 2000.