6 Replies Latest reply: Jan 10, 2014 10:53 AM by Scott Sadlocha RSS

    McAfee DLP does not recognize first instance of plug in event?

    vveijie

      Hi all,

       

      My corporate environment uses:

       

      McAfee DLP Endpoint version 9.2.100.36

      McAfee ePO version 4.6.0

       

      As I have put in place a plug and play definition for the following to block off iPhones in the corporate environment:

      bus type: USB

      device class: imaging devices, windows portable device

      device name: Apple (partial match)

       

      Afterwhich, I have created a plug and play rule with the above definition to be blocked off for the users.

       

      During testing, I have found out that the first instance of the device will be captured and installed onto the desktop. It is able to charge the phone connected and access the phone's folder to the content.

       

      Upon the second instance of the event, the device was being blocked by the McAfee DLP and it wasn't be able to charge and get access into the folders.

       

      Can I ask why is this so?

       

      Thank you!

        • 1. Re: McAfee DLP does not recognize first instance of plug in event?
          Tristan

          Are the nessesary drivers pre-installed prior to this first connection.

           

          It's possible that the iPhone is presenting itself as/being detected as a Mass Storage device first before Windows has completed the driver set up.

          • 2. Re: McAfee DLP does not recognize first instance of plug in event?
            vveijie

            Hi Tristan,

             

            The phone wasn't connected to the terminal at all and the policy rule with the definition has been set in place.

             

            But once the phone was connected to the desktop, the desktop actually registers the device and installs the driver and allowing user to transfer photos and also being to charge.

             

            Also, i have set the device class to be blocking imaging devices and also, Windows portable device (which supposingly should be mass storage device).

             

            I'm currently using a plug and play definition and rule.

             

            Please advise as the first instance should block the phone connection directly instead of letting it run the driver and installing it instead.

             

            Thank you!

            • 3. Re: McAfee DLP does not recognize first instance of plug in event?
              vimalnavis

              Try using a different parameter like Device Name. I have rare instances where one parameter works better over the other.

              • 4. Re: McAfee DLP does not recognize first instance of plug in event?
                vveijie

                Hi Vimal,

                 

                Thanks for the reply.

                 

                For the plug and play definition, I'm trying to block off all the Apple products that are trying to be plugged into the desktop.

                 

                Thus, my settings were set as according:

                bus type: USB (using cable)

                device class: imaging devices, windows portable device (two boxes that I've ticked)

                device name: Apple (partial match, because some products may appear as iPod or iPhone or iPad)

                 

                Are there other parameters that I would need to consider?

                 

                Thank you!

                • 5. Re: McAfee DLP does not recognize first instance of plug in event?
                  vveijie

                  Dear all,

                   

                  Would there be another alternative way to block off personal smart phones such as iPhones other than the below stated?

                   

                  Plug and Play device definition 1:

                  1. bus type: USB
                  2. device class: imaging devices, windows portable device
                  3. device name: Apple (partial match)
                  4. vendor ID: 05AC (Apple)
                  5. device ID: blank as it works to block off the iPhones on the second instance

                   

                  Plug and Play rule A creation:

                  1. To include the above definition, block (online/offline) and to apply to the user group

                   

                  Would a plug and play device rule be sufficient to block off entirely or is there like another device rule that I have left out on my side.

                   

                  Do we need to have a rule for removable storage device or any other rules needed?

                   

                  On our end we are still trying to test out the various rules/definitions for other aspects such as thumbdrives and such.

                   

                  Thanks!

                  • 6. Re: McAfee DLP does not recognize first instance of plug in event?
                    Scott Sadlocha

                    I have seen somewhat of the opposite at my company. We want to allow reading from devices and charging. When I first connect an Android device, I get a popup warning as expected, and I am unable to save to the device but it charges. However, upon the second detection, the device is detected as a Windows Portable Device, and I am able to save files to it. If I enable a PnP rule, the device is blocked completely on the second detection and does not charge, but I am unable to see files at all.

                     

                    So it seems that there is an issue with the double detection, and I am unable to configure a rule to work. I want to use a Device Detection, but I have tried a number of parameters, and none work. When the device comes in as a Portable Device, it seems that a PnP is the only thing that will work, but it does a complete block.