7 Replies Latest reply on Oct 20, 2016 10:33 AM by hhoang

    DLP 10, PNP DEVICE RULE 1 MONITOR 2ND BLOCK > Validation stops at FIRST which is not good

    bretzeli

      * Can SEVERAL PNP Rules be set > yes

      * At which rule DOES it stop handling a DEVICE (Like a policy in a firewall, does it check the object in each policy down?)

      * Is the ORDER you see or you generated the PNP in important? You can't move them down or up, first or last etc.?

      Hello,

      We have a customer using a KINGSTON DataTraveler VAULT PRIVACY. Device DLP is set up and running with 10.X and all FINE.

      The KINGSTON is kind of special because:

      1) First it appears as a DVD

      2) Then you enter the password

      3) After that you get the REAL DATA Drive

      So you have 3 DEVICE DEFINITIONS.

      > This was all running and fine.

      Now the customer wants to BLOCK CD/DVD. That was 2 minutes and in the lab they were blocked. But then also the DataTraveler USB Stick does not work ;-)

      PROBLEM:

      There seems to be a BUG or this is not meant to be as complex as we think (OR it was possible in 9.3 and well they messed it up in 10 [my personal guess])

      1) 2016_PNP_DEVICE-RULE_USB Monitor does what it says: IT traces all the PNP that goes on on all clients (We want that to collect). HOWEVER under Exceptions the built-in CD/DVD were excluded because we don't want that

      2) The last one was the CD DVD Block AND with an exception for the special USB Kingston stick which comes as DVD

      PROBLEM: The process seems to stop FOR a device if it FINDS the DEVICE in one of those two RULES. The last one is not even processed (With Exceptions)

      The LAST rule was not PULLING (The Exceptions). Only after we REMOVED CD/DVD from the exceptions of the 1st PNP rule was it working in the last

      Here is the first rule where we just monitor all PNP except the WHITElist stuff AND we also had the built-in CD/DVD as an exception there (WHICH did not work and had to be removed)

      And the Exceptions where we had to remove the CD/DVD to get our concept working.

      Here is the LAST rule:

      And the exception:


      And the exception:

       

        • 1. Re: DLP 10, PNP DEVICE RULE 1 MONITOR 2ND BLOCK > Validation stops at FIRST which is not good
          Troja

          Hi bretzeli,

          this is made by design. If one rule blocks a device, the device is blocked. If you want to manage one or more specific devices in detail, you have to configure one rule for them.

          But in your scenario, it works as expected: one block rule matches and blocks the device.

          Cheers

          • 2. Re: DLP 10, PNP DEVICE RULE 1 MONITOR 2ND BLOCK > Validation stops at FIRST which is not good
            bretzeli

            Hello,

            If it is blocked, YES, that would be logical, but in the 1st rule the REACTION is "NO ACTION".

            And the "CD/DVD" Entry in the 1st rule is under Exceptions/Exclusions of things we DON'T want to collect PNP info for.

            From that point of view it would be a bug?


            • 3. Re: DLP 10, PNP DEVICE RULE 1 MONITOR 2ND BLOCK > Validation stops at FIRST which is not good
              hhoang

              If a rule that is configured to take no action is blocking devices - then, yes, you have a potential bug.  Easy way to test: if you disable the rule configured to take no action, does it continue to block CD/DVD or whatever device you expect to be allowed?

              Alternatively, if you have the rules configured to generate incidents and the device is being blocked, it should tell you explicitly which rule applied the block to the device.  With that information you can tweak whichever rule to correctly exclude the device.

              • 4. Re: DLP 10, PNP DEVICE RULE 1 MONITOR 2ND BLOCK > Validation stops at FIRST which is not good
                PhilR

                I have the same problem with an Integral encrypted USB stick.  It presents itself as a CD drive so you can run the password input program to unlock the drive.

                I find the Device Control configuration so arcane that I cannot for the life of me figure out how to whitelist this device when it presents itself as a CD drive, but still block all other USB CD drives.  All the obvious attempts just do not work, or end up with Device Control giving up and not blocking anything.

                Is there an implementable solution to this one which doesn't require a brain the size of the universe?

                Cheers,

                Phil

                • 5. Re: DLP 10, PNP DEVICE RULE 1 MONITOR 2ND BLOCK > Validation stops at FIRST which is not good
                  hhoang

                  It's hard to say how you will need to configure your rule without looking at how it is currently configured.  Can you provide a screenshot of the incident you receive when the encrypted USB drive is being blocked?  If you are willing, you can provide an export of your DLP policy export and we can take a look or alternatively screenshots of the rule configuration on the policy that is currently blocking the encrypted USB.

                  • 6. Re: DLP 10, PNP DEVICE RULE 1 MONITOR 2ND BLOCK > Validation stops at FIRST which is not good
                    PhilR

                    No, I can't post anything useful because I haven't got a clue what would be useful...

                    The product documentation is dire.

                    The ePO help file doesn't help at all.

                    The YouTube tutorials are not printable or useful in any way.

                    The product has been designed by people who have no clue about end-user (i.e. sysadmin) usability.

                    Despite being of well-above-average intelligence and having long experience in IT (including assembly language programming), this product has me totally flummoxed.

                    Got it mostly working but the product still lacks obvious capabilities.

                    e.g. exceptions for a device which is used by members of a group.

                    You can make an exception for a device, or for a group of users, but not the combination.

                    Might be able to work around it by multiple rules, but even the group membership rules don't allow for "not a member of this Active Directory group", or am I missing something?

                    • 7. Re: DLP 10, PNP DEVICE RULE 1 MONITOR 2ND BLOCK > Validation stops at FIRST which is not good
                      hhoang

                      Before we get into what the product is, or is not, capable of doing we should probably start with what version of DLPe you are running.  Features and limitations can differ drastically between product versions.

                      Later versions of DLPe have the option to exclude devices based on device definition and user group OR a device serial number / user ID pair (note this is an individual user ID and not a group).  Excluding a single specific device is dependent on the device drivers actually providing a serial number for us to use in the DLP rules.  If one is not available you can potentially use a volume serial number, though that will change if the drive is formatted.  You can achieve the same end result on older versions, though the configuration is slightly more roundabout.

                      The product is reliant on what information is provided by the OS - so, if a device utilizes a driver that loads as a CD drive and then mounts a separate 'removable storage' volume after the fact, it would unfortunately require two separate definitions to either block/allow whichever portions you want/don't want the user to protect.  I know that historically IronKey encrypted USB drives have used this method.
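The evaluation semantics described in replies 1, 3 and 7 (every rule is evaluated, there is no first-match order like a firewall, one matching block rule is enough to block, each rule's exceptions only remove devices from that rule, and exclusions can be a device definition optionally tied to a user group or a device serial / user ID pair) can be written down as a small model. The Python below is an added illustration for this thread, not McAfee DLPe code; the device attributes, the two-rule policy modelled on bretzeli's description, the serial numbers, user names and group name are all constructed. It reproduces what the replies say should happen, including hhoang's "disable the no-action rule and see whether the block changes" test, so it is a reference for what a lab result should look like, not for the behaviour bretzeli reported.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Iterable, Optional


class Action(Enum):
    NO_ACTION = "no action"   # monitor / report only
    BLOCK = "block"


@dataclass(frozen=True)
class Device:
    bus: str             # "USB" or "internal" (constructed attribute set)
    device_class: str    # "CD/DVD" or "Removable Storage"
    vendor: str = ""
    serial: str = ""     # empty when the driver exposes no serial number


@dataclass(frozen=True)
class DeviceDefinition:
    """Attribute filter: every attribute that is set must match (constructed simplification)."""
    bus: Optional[str] = None
    device_class: Optional[str] = None
    vendor: Optional[str] = None

    def matches(self, dev: Device) -> bool:
        wanted = ((self.bus, dev.bus), (self.device_class, dev.device_class), (self.vendor, dev.vendor))
        return all(want is None or want == got for want, got in wanted)


@dataclass(frozen=True)
class Exclusion:
    """Either a device definition (optionally restricted to a user group)
    or a device serial / user ID pair, as described in reply 7."""
    definition: Optional[DeviceDefinition] = None
    user_group: Optional[str] = None
    serial: Optional[str] = None
    user_id: Optional[str] = None

    def applies(self, dev: Device, user: str, groups: Iterable[str]) -> bool:
        if self.serial is not None:                      # serial/user pair: both must match
            return dev.serial == self.serial and self.user_id == user
        if self.definition is not None and self.definition.matches(dev):
            return self.user_group is None or self.user_group in groups
        return False


@dataclass(frozen=True)
class Rule:
    name: str
    definitions: tuple
    action: Action
    exclusions: tuple = ()

    def matches(self, dev: Device, user: str, groups: Iterable[str]) -> bool:
        # A rule's exclusions only remove devices from *this* rule, never from others.
        if not any(d.matches(dev) for d in self.definitions):
            return False
        return not any(e.applies(dev, user, groups) for e in self.exclusions)


def evaluate(rules, dev, user, groups=(), disabled=()):
    """Evaluate every enabled rule (no first-match; rule order is irrelevant).
    Returns (effective action, names of the rules that matched).
    A single matching BLOCK rule is enough to block the device."""
    groups = tuple(groups)
    hits = [r for r in rules if r.name not in disabled and r.matches(dev, user, groups)]
    blocked = any(r.action is Action.BLOCK for r in hits)
    return (Action.BLOCK if blocked else Action.NO_ACTION, [r.name for r in hits])


# Constructed policy modelled on the two rules in the original post.
ANY_PNP = DeviceDefinition()                                        # matches every PnP device
BUILTIN_DVD = DeviceDefinition(bus="internal", device_class="CD/DVD")
ANY_DVD = DeviceDefinition(device_class="CD/DVD")
KINGSTON_DVD = DeviceDefinition(vendor="Kingston", device_class="CD/DVD")   # the stick's unlock volume

RULES = (
    Rule("2016_PNP_DEVICE-RULE_USB Monitor", (ANY_PNP,), Action.NO_ACTION,
         exclusions=(Exclusion(definition=BUILTIN_DVD),)),
    Rule("CD/DVD Block", (ANY_DVD,), Action.BLOCK,
         exclusions=(Exclusion(definition=KINGSTON_DVD),
                     Exclusion(definition=ANY_DVD, user_group="DLP-CD-Allowed"),   # definition + group
                     Exclusion(serial="ACME-0042", user_id="alice"))),           # constructed serial/user pair
)

# Constructed sample devices (serials and vendors are placeholders).
KINGSTON_UNLOCK = Device("USB", "CD/DVD", vendor="Kingston", serial="KINGSTON-DTVP-0001")
KINGSTON_DATA = Device("USB", "Removable Storage", vendor="Kingston", serial="KINGSTON-DTVP-0001")
BUILTIN_DRIVE = Device("internal", "CD/DVD", vendor="OEM")
USB_DVD = Device("USB", "CD/DVD", vendor="Acme", serial="ACME-0042")

if __name__ == "__main__":
    for dev in (KINGSTON_UNLOCK, KINGSTON_DATA, BUILTIN_DRIVE, USB_DVD):
        for user, groups in (("bob", ()), ("alice", ()), ("carol", ("DLP-CD-Allowed",))):
            action, hits = evaluate(RULES, dev, user, groups)
            print(f"{dev.vendor:9} {dev.device_class:17} {user:6} -> {action.value:9} via {hits}")
```

Under these semantics the Kingston stick's DVD presentation is monitored by the first rule and excluded from the block rule, the built-in drive is excluded from monitoring but still blocked, and reversing the rule order or disabling the monitor rule changes nothing about what gets blocked. If a lab test of the real policy differs from that table, the incident generated by the blocking rule (reply 3) is the place to see which rule actually applied.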