6 Replies Latest reply on Sep 26, 2016 3:17 PM by silverss05

    DLP Block USB rule whitelist not functioning

    silverss05

      Hi,

       

      I currently have EPO 5.3.1 with DLP 9.4.2.  I have a block USB rule set up and I am trying to white list certain devices by vendor ID and product ID.  If I do not enable the whitelist then USB is blocked as it should be.  When I enable the whitelist by device definition all USB is able to be used and nothing is blocked.

       

      Does anyone have an idea what I may be doing wrong?

       

      Thank you

        • 1. Re: DLP Block USB rule whitelist not functioning
          hhoang

          When you say whitelist - are you actually creating a 'Whitelisted plug and play device definition' -or- are you creating a device definition (either plug and play or removable storage) and setting it as an exclusion within the rule?

           

          If you are essentially saying that the 'whitelist' is allowing devices to be attached that it should not be then it sounds like your whitelist definition is too broad and you may need to modify it to be more granular.  i.e. if you set a whitelist exclusion for vendor ID + product ID it will allow all devices that reflect that combination as it is not specific to a single device but all USB devices of that vendor/model.

          • 2. Re: DLP Block USB rule whitelist not functioning
            silverss05

            I have only seen one way to create whitelisted items: I edit my rule, then select "Exceptions", then in the left pane I select "Whitelisted Device Definitions", then in the right pane I have "removable storage" set to "is one of (or)" my allowed USB device definition.

             

            There are about 8 devices within that definition I would like allowed, but when I enable this exception on my block USB rule, all USB is able to be used.

            • 3. Re: DLP Block USB rule whitelist not functioning
              hhoang

              It sounds like the latter scenario then - i.e. your definition may be too broad.  If you enable the whitelist and then plug in a device that you expect to be blocked and run this command:

               

              wmic diskdrive get caption,pnpdeviceid

               

              This will give you the name of the devices attached to the system as well as the device instance path - which will include the VID/PID that you are using in your definition.  If the VID/PID of the devices you expect to be blocked are included in your definition then you will need to use something more granular for your exclusions such as a volume/device serial number.  The serial number can be tricky to use in definitions as it is dependent on the device drivers to correctly report them (assuming one even exists).  You can verify the serial number by running a Windows utility called 'usbview' which I believe is included in Windows debug tools (you may need to download an AIK package to get this).
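
Added example (not part of the thread): a Python sketch that parses device instance paths of the kind the wmic command above prints, and shows why a vendor/product exclusion admits every device of that model while a serial-based one does not. The sample paths and the `allowed`/`report` helpers are constructed for illustration and do not reproduce McAfee DLP's matching logic.

```python
import re

# Constructed sample: PNPDeviceID values as `wmic diskdrive get caption,pnpdeviceid`
# might print them. All vendor, product and serial values are made up.
SAMPLE_IDS = [
    r"USBSTOR\DISK&VEN_ACME&PROD_STICK&REV_1.00\AA11BB22CC33&0",
    r"USBSTOR\DISK&VEN_ACME&PROD_STICK&REV_1.00\DD44EE55FF66&0",
    r"USBSTOR\DISK&VEN_ACME&PROD_STICK&REV_1.00\6&2A1B3C4D&0",
    r"USB\VID_1234&PID_ABCD\AA11BB22CC33",
]

USB_RE = re.compile(r"^USB\\VID_([0-9A-F]{4})&PID_([0-9A-F]{4})\\(.+)$", re.I)
STOR_RE = re.compile(r"^USBSTOR\\DISK&VEN_([^&]*)&PROD_([^&]*)&REV_[^\\]*\\(.+)$", re.I)

def parse_instance_path(path):
    """Return (model, serial); serial is None when the device reported none."""
    m = USB_RE.match(path) or STOR_RE.match(path)
    if not m:
        return None
    model = (m.group(1).upper(), m.group(2).upper())
    inst = m.group(3)
    # Heuristic: Windows generates the instance ID itself when the device has
    # no serial; such IDs have '&' as their second character (6&2A1B3C4D&0).
    if inst[1:2] == "&":
        return model, None
    # USBSTOR appends "&<LUN>" to a device-reported serial; drop it.
    return model, inst.split("&", 1)[0].upper()

def allowed(path, models=(), serials=()):
    """Hypothetical exclusion check: match on model and/or on serial."""
    parsed = parse_instance_path(path)
    if parsed is None:
        return False
    model, serial = parsed
    return model in models or (serial is not None and serial in serials)

def report(paths, models=(), serials=()):
    """Return the paths an exclusion built from models/serials would let through."""
    return [p for p in paths if allowed(p, models, serials)]

if __name__ == "__main__":
    by_model = report(SAMPLE_IDS, models={("ACME", "STICK")})
    by_serial = report(SAMPLE_IDS, serials={"DD44EE55FF66"})
    print(len(by_model), "device(s) pass a vendor/product exclusion")
    print(len(by_serial), "device(s) pass a serial exclusion")
```

The third sample path has no device-reported serial, so it can only ever be matched at the vendor/product level.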

              • 4. Re: DLP Block USB rule whitelist not functioning
                silverss05

                I ran the command you provided.  The vendor ID and product ID are not on my approved definitions list, and the drive is still allowed to be used.

                • 5. Re: DLP Block USB rule whitelist not functioning
                  hhoang

                  I couldn't say for certain without looking at your configuration but if what you are describing is accurate then I would recommend getting a support case open for investigation.

                   

                  Does the same thing happen if you manually create a device definition (as opposed to selecting the option for 'whitelisted device definition') and then select that as an exception?

                  • 6. Re: DLP Block USB rule whitelist not functioning
                    silverss05

                    I believe that is the way I have it set up now.  That's the only way I see how to do it.