10 Replies Latest reply on Mar 16, 2015 11:17 AM by system48

    DLP FLAW?

    donny1334

           We are using the latest version of EPO and DLP to manage USB drives.  I have the rules configured so that all USB drives get blocked unless I allow a specific storage device.  We just received two brand new Canon PowerShot Elph cameras.  These cameras don't come up as a USB storage device but as a Plug and Play device.  This allows the user to plug the device in and get to the SD card, bypassing the USB Storage block rules.  When I called McAfee the only help the tech could provide was to create a PnP rule that blocks the PowerShot camera from being accessed through USB.  The problem with this is that the SD card is now not available.  I was told that I would have to use some type of card reader that would see the SD card as storage.

       

           With more storage devices showing up as PnP devices, we are losing faith in the DLP technology's ability to protect our network from intrusions and to protect our data.  If one of the purposes of DLP is to protect data, then why do they allow PnP devices with storage to access USB without some kind of filter?  This event also led me to wonder how many more people in our environment are plugging in what I would call storage devices but McAfee classifies as PnP devices.

        • 1. Re: DLP FLAW?

          Are you using host DLP, or are you using device control? The sophistication is very different between the two.

           

          What you have bought is, in effect, a USB SD card reader; it's not a USB stick. The two are architecturally very different. Thus you need to control the SD card reader device at the PnP level, whereas you control USB storage differently.

           

          An SD card reader is as different from a USB stick as a DVD drive or a USB-connected sound card.

          • 2. Re: DLP FLAW?

            The flaw would be in the logic used and a limited understanding of the product and not necessarily the product itself.

            I also agree with SafeBoot in that the architecture is different and needs to be addressed appropriately.

             

            If the requirement is to block all USB devices, and the definition includes only USB bus type, then to me it seems the product is working as expected.

            If the requirement is to block, or make read-only, removable storage devices (irrespective of the bus, with a focus on the storage part), create the definition to include File System based parameters (Type or Access). This will ensure that irrespective of how the storage device connects to the computer, DLPe will enforce the block or read-only based on the file system.

             

            PnP rules are enforced at a lower level, before the file system is mounted. Based on definition, you will block a lot more unintended devices. You would want to understand how this rule works and test them in a test environment before using them.

            RSD rules are enforced after the device file system mounts.

            • 3. Re: DLP FLAW?
              epository

              Donny,

               

              I would like to offer some actual assistance on this.

               

              Can you find the excerpt from your setupapi.dev.log where the camera mounts and the SD card?

               

              Also, try reading this thread to see if it offers any help

               

              Re: How to Block SD cards on laptos

               

              You may have to use something like Compatible ID or Hardware ID to fully restrict these things down.

               

              I also think it's sad that McAfee doesn't offer any sort of whitepapers or how-tos on very common items like MTP devices, SD cards, wireless 3G modems, etc. These are very common devices and DLP can block them, and I would think it would be a great advertisement for the product itself.

              • 4. Re: DLP FLAW?
                palex

                Hello!

                Support donny!

                For many months we have not been able to block all PnP devices. I checked the unmanaged devices; mine are not there. My problem is as follows: McAfee has no description of how to block all USB devices. I tried to place devices such as USB controllers, etc., in the unmanaged GUIDs. But some models of smartphones (I think Nokia Lumia) have a GUID that is the GUID of the USB controller. It turns out that these smartphones cease to be tracked. If, on the contrary, I block the USB controller GUID, the mouse stops working on laptops, because it is connected to the USB controller. Support is habitually silent. Of my 30 requests, assistance was provided on 3. 10% is a very high figure for McAfee. If the task is not solved, then I will need to write to get people to switch to another DLP with fewer problems during installation and configuration.

                We hope for your understanding on the part of McAfee.

                My management can't wait endlessly and in the near future will look for similar products. As for the incompetence of my colleagues, which technical support referred to: nowhere in any McAfee document is it written that only certified (trained) professionals can use and configure the system.

                 

                Regards.

                • 5. Re: DLP FLAW?
                  palex

                  Attempting to block USB devices by vendor/device ID is an unimaginable crutch. As far as I know, world practice in information security involves creating a black list that includes EVERYTHING! If you want to allow something, it is permitted for a specific user and a specific action. Why does an antivirus calmly detect removable media and scan it, and then, when the device is connected, there are several (1 to 4) security incidents? Does DLP work on different physical principles?

                  • 6. Re: DLP FLAW?
                    epository

                    Palex,

                     

                    You can block USB sticks and external drives using a Removable Storage rule....that is the easiest way.

                     

                    However, phones and iPads, etc., seem to mount as MTP devices or sometimes as Removable Storage.

                     

                    I use a PnP rule for Windows Portable Devices with "MTP" in the Device Name to catch those....Just create a PnP rule and set it to Monitor Mode and you should be able to catch these pretty quickly and refine your Device Definition.

                     

                    For example:

                     

                    Device Class Name:

                    Portable Devices

                    Device Compatible ID:

                    USB\MS_COMP_MTP

                    Device Instance ID:

                    USB\VID_04E8&PID_6860

                     

                    For example, this is a Samsung Galaxy S2. If you create a device definition using only the Device Compatible ID, you can wipe these out, but it's going to miss Apple devices because their Device Compatible ID is

                     

                    Device Compatible ID:

                    USB\CLASS_06&SUBCLASS_01&PROT_01

                     

                    but the Device name for both the Apples and Samsungs is

                     

                    Device Name:

                    MTP USB Device

                     

                    So kill them both using solely the Device Name containing "MTP"

                    • 7. Re: DLP FLAW?
                      palex

                      Hi, epository!

                       

                      I was doing roughly what you suggest. But I need to block all unauthorized devices. I have, for example, 10 registered sticks, which I bought at the nearest shop, but the rest should be blocked on connection.

                       

                      I'm having the following problem. Most removable devices (smartphones, cameras, ...) are defined by the GUID:

                      36fc9e60-c465-11cf-8056-444553540000.

                      This GUID is not an MTP device, but the USB bus. This class of devices includes USB extenders and splitters and USB hubs. I need to block the connection of all removable devices, but if I block this GUID, the mouse on laptops turns off, although it is an uncontrolled device class (somewhere at McAfee I read that if devices are not controlled, they are not blocked. Either they are guessing or it is all confusing: my workers with laptops lined up, saying that their mouse was disconnected). If I block this GUID on computers, then a couple of seconds after applying the policy you get a blue screen of death. I was very pleased to see it!!!!!

                      In my opinion, the only way to block all removable media is: first, manually enter into the DLP Endpoint settings the USB hub, USB camera, USB drives and other devices. This is done only manually (dumping an incident to a file and importing the file's information cannot be considered automation)!!! And this in 2015!!! This can be done only in monitor mode. And only then add all the other devices in block mode!!! This must be done separately and manually for each computer. How the developers imagine this, I don't understand.

                      In general, the problem of blocking unchecked (disabled) PnP devices is another omission by McAfee.

                       

                      I'm ready to take it back if someone offers (explains, shows) a way to block ALL unregistered PnP devices.

                      • 8. Re: DLP FLAW?
                        epository

                        palex,

                         

                        I recommend you create definitions and rules to block 1 device at a time.

                        and don't use GUID as your defining factor.

                         

                        e.g. for USB

                        create a device definition for USB

                        Use this in a Removable Storage rule

                         

                        e.g. for MTP devices

                        create a device definition for USB AND Device Name contains "MTP"

                        Use this in a Plug and Play Windows Portable Device Rule

                         

                        e.g. FireWire and Bluetooth

                        I lumped these two together in a single definition just to save time.

                         

                        Then create a User Access Group that includes Everyone and Local User...but excludes whatever Security Group you will grant access for USB.

                         

                        If your work expects you to block everything....its hard to do unless they give you testing equipment...

                         

                        Also, I created a Removable Storage Protection rule to copy the name of every file copied off to USB...etc as well.

                        • 9. Re: DLP FLAW?
                          system48

                          I was able to easily set up MTP and PTP blocking using the Device Compatible IDs.  The rule is set up as a "Plug and Play Device Definition" with only the "Device Compatible ID (Advanced)" selected, and the two IDs are "USB\MS_COMP_MTP" and "USB\CLASS_06&SUBCLASS_01&PROT_01".
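To see the identifiers that the definitions in replies 6 and 9 key on before writing a rule, the following added example (not code from the thread, from McAfee, or from any poster) enumerates the USB-attached PnP devices on a Windows host and classifies each one by Compatible ID. The MTP and PTP Compatible IDs are the two quoted in this thread; the mass-storage Compatible ID (class 08, subclass 06, protocol 50) is the standard USB bulk-only mass-storage class that USB sticks and card readers report; and the mapping from a class to a PnP rule or a Removable Storage rule follows replies 2 and 8. The function, parameter and table names are my own, and the script needs only Win32_PnPEntity and Win32_DiskDrive (Windows 7 or later with PowerShell 3.0 or later), no McAfee component.

```powershell
# Added example, not code from the thread or from McAfee. Enumerates USB PnP
# devices and classifies them by the Compatible IDs discussed above so you can
# see which DLPe rule type each one falls under. Needs Windows 7+/PowerShell 3+.

# Compatible-ID patterns and what they mean. The MTP and PTP IDs are the ones
# posted in this thread; CLASS_08/SUBCLASS_06/PROT_50 is the standard USB
# bulk-only mass-storage class reported by sticks and card readers, and
# USBSTOR\Disk is the child node Windows creates once such a device enumerates.
# This mapping is constructed for the example; it is not DLPe's own table.
$UsbClassPatterns = @(
    [pscustomobject]@{ Pattern = 'USB\MS_COMP_MTP';                  Label = 'MTP portable device';      Rule = 'Plug and Play (Windows Portable Device)' }
    [pscustomobject]@{ Pattern = 'USB\CLASS_06&SUBCLASS_01&PROT_01'; Label = 'PTP still-image device';   Rule = 'Plug and Play' }
    [pscustomobject]@{ Pattern = 'USB\CLASS_08&SUBCLASS_06&PROT_50'; Label = 'USB mass storage';         Rule = 'Removable Storage (acts after mount)' }
    [pscustomobject]@{ Pattern = 'USBSTOR\DISK';                     Label = 'USB disk (USBSTOR child)'; Rule = 'Removable Storage (acts after mount)' }
)

function Get-UsbDlpClassification {
    [CmdletBinding()]
    param(
        # Hubs (USB class 09) are hidden by default: blocking them is what
        # disconnects mice and keyboards, so they rarely belong in a definition.
        [switch]$IncludeHubs
    )

    # Disks currently attached over USB. Only these have a volume that a
    # Removable Storage rule can act on; a PTP camera never appears here.
    $usbDiskIds = @(Get-CimInstance -ClassName Win32_DiskDrive |
        Where-Object { $_.InterfaceType -eq 'USB' } |
        ForEach-Object { $_.PNPDeviceID })

    Get-CimInstance -ClassName Win32_PnPEntity |
        Where-Object { $_.PNPDeviceID -like 'USB\*' -or $_.PNPDeviceID -like 'USBSTOR\*' } |
        ForEach-Object {
            $dev  = $_
            $cids = @($dev.CompatibleID | Where-Object { $_ })   # drop $null entries

            # Hub class is USB\Class_09&...; skip unless asked for.
            $isHub = [bool]($cids | Where-Object { $_ -like 'USB\CLASS_09*' })
            if ($isHub -and -not $IncludeHubs) { return }

            # First Compatible-ID pattern that matches wins (-like is case-insensitive,
            # so it matches the mixed-case form Windows reports, e.g. USB\Class_08&...).
            $hit = $null
            foreach ($p in $UsbClassPatterns) {
                if ($cids | Where-Object { $_ -like $p.Pattern }) { $hit = $p; break }
            }
            # Fallback from reply 6: Apple and Samsung both expose the name
            # "MTP USB Device" even though their Compatible IDs differ.
            if (-not $hit -and $dev.Name -like '*MTP*') { $hit = $UsbClassPatterns[0] }

            if ($hit) { $label = $hit.Label; $rule = $hit.Rule }
            else      { $label = 'unclassified'; $rule = 'check Hardware ID / setupapi.dev.log' }

            [pscustomobject]@{
                Name          = $dev.Name
                PnPClass      = $dev.PNPClass
                ClassGuid     = $dev.ClassGuid          # 36fc9e60-... is the USB bus class
                InstanceId    = $dev.PNPDeviceID
                CompatibleIds = ($cids -join '; ')
                HardwareIds   = (@($dev.HardwareID) -join '; ')
                Label         = $label
                SuggestedRule = $rule
                HasVolume     = ($usbDiskIds -contains $dev.PNPDeviceID)
            }
        }
}

# Example run: list what is plugged in right now, one line per device.
Get-UsbDlpClassification |
    Format-Table Name, Label, SuggestedRule, HasVolume, CompatibleIds -AutoSize -Wrap
```

A PTP camera like the one in the original post comes out with Label "PTP still-image device" and HasVolume False, which is why a Removable Storage rule never sees it, while the USBSTOR child node of a stick or card reader comes out with HasVolume True. Hubs are skipped unless -IncludeHubs is given, because a definition that matches the whole USB class GUID catches them too, with the mouse-disconnect effect palex describes above. Run it once with each candidate device plugged in, then paste the InstanceId, CompatibleIds or HardwareIds it prints into the DLPe device definition.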
