Granular control of USB drives in the Application and Device Control Policy in Endpoint Protection

Article ID: 151662

Products

Endpoint Protection

Issue/Introduction

This article describes how to use the Symantec Endpoint Protection (SEP) Application and Device Control policy to block all USB thumb drives and USB hard drives on managed SEP clients while still allowing specific USB drives to work.

Resolution

To block USB drives (thumb drives, hard drives) while not blocking a specific USB drive in the Device Control policy:

  1. Gather the device ID for the specific device
  2. Add that device into the Hardware Devices list in the Symantec Endpoint Protection Manager (SEPM)
  3. Block disk drives and exclude the devices to use in the Application and Device Control policy

Gather the device ID of the device(s) to exclude with DevViewer

  1. Find the DevViewer.exe tool on the SEP full installation file in the \Tools\DevViewer folder.
    In earlier versions, this tool may be in \Tools\NoSupport\DevViewer.
  2. Plug in the device from which to gather the device ID.
  3. Run the DevViewer.exe tool and browse to find the device. For example, for a thumb drive, look under Disk drives.
  4. Select the device. The right pane displays information about the device.
  5. Right-click the device ID and select Copy Device ID.
  6. Exit the DevViewer Tool.

Note: An alternate way to find the device ID, if DevViewer is not available:

  1. Open Device Manager.
  2. Find the device in the tree.
  3. Right-click the device and select Properties.
  4. Select the Details tab.
  5. In the Property drop-down, select Hardware Ids or Compatible Ids.

If you cannot locate the correct device ID for building the rule, change the View Style in DevViewer to View devices by connection. This view may help, particularly when troubleshooting USB exclusions.
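The Device Manager method above has to be repeated for every drive. As an added example (not part of this article and not a Symantec tool), the following PowerShell function lists every USB-attached disk on a Windows client together with the same identifiers Device Manager shows on the Details tab, so an administrator can copy the value for the drive that should be excluded. It uses the built-in Win32_DiskDrive CIM class and the PnpDevice module (Windows 8 / Server 2012 and later); the function name Get-UsbDiskIdentifiers is assumed.

```powershell
# Added example, not part of the original article or of SEP: enumerate USB disk
# drives and print the identifiers an administrator would otherwise read off the
# Device Manager Details tab (Hardware Ids / Compatible Ids) for each drive.
# Requires the built-in PnpDevice module (Windows 8 / Server 2012 and later).

function Get-UsbDiskIdentifiers {
    [CmdletBinding()]
    param()

    # Win32_DiskDrive exposes the interface type, so USB disks can be selected
    # without guessing from the model name.
    Get-CimInstance -ClassName Win32_DiskDrive |
        Where-Object { $_.InterfaceType -eq 'USB' } |
        ForEach-Object {
            $instanceId = $_.PNPDeviceID

            # These are the same properties Device Manager shows under
            # Property -> Hardware Ids / Compatible Ids (steps 4-5 above).
            $hwIds = (Get-PnpDeviceProperty -InstanceId $instanceId `
                        -KeyName 'DEVPKEY_Device_HardwareIds' `
                        -ErrorAction SilentlyContinue).Data
            $compatIds = (Get-PnpDeviceProperty -InstanceId $instanceId `
                        -KeyName 'DEVPKEY_Device_CompatibleIds' `
                        -ErrorAction SilentlyContinue).Data

            [PSCustomObject]@{
                Model         = $_.Model
                SerialNumber  = $_.SerialNumber
                # Instance ID, e.g. USBSTOR\DISK&VEN_...&PROD_...&REV_...\<serial>&0
                InstanceId    = $instanceId
                HardwareIds   = ($hwIds -join '; ')
                CompatibleIds = ($compatIds -join '; ')
            }
        }
}

# Usage: list every USB disk currently plugged in.
Get-UsbDiskIdentifiers | Format-List
```

The InstanceId is specific to one physical drive because it carries the drive's serial number, whereas the Hardware Ids are shared by every drive of the same vendor, product and revision. An exclusion built on a shared hardware ID would therefore let every drive of that model through, so for the "allow only the administrator's drive" case described in this article the device-specific ID is the one to paste into the Hardware Devices list.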

Add the hardware device into SEPM policy

  1. In the SEPM, select Policies.
  2. Under View Policies, click Policy Components to expand the sub-list.
  3. Under Policy Components, select Hardware Devices.
  4. Under Tasks, select Add a Hardware Device.
  5. Type in the name for the device. For example: Administrator's Thumb Drive.
  6. Select the Device ID option, click the text box and paste the device ID copied from the DevViewer tool.
  7. Click OK.


Block disk drives and add the allowed hardware device to the Devices Excluded From Blocking list

  1. In the SEPM, under View Policies, select Application and Device Control.
  2. Right-click your Application and Device Control policy and select Edit.
  3. Use one of the following processes to correctly block and exclude:
    1. Block or exclude with Device Control
    2. Block or exclude with Application Control
    Do not mix these two methods to block and exclude devices.
  4. Select Assign the Policy.
  5. Select the group to assign to the edited policy.
  6. Press Assign.

To block or exclude with Device Control:

  1. In the Application and Device Control policy, select Device Control.
  2. Under the Blocked Devices section, click Add, select Disk Drives and click OK.
    If Disk Drives isn't listed, it has already been added as a Blocked Device.
  3. Under Devices Excluded From Blocking, click Add.
  4. Select the device added in the previous section and click OK.
  5. Click OK to close the Application and Device Control policy window.

To block or exclude with Application Control:

  1. In the Application and Device Control policy, select Application Control.
  2. Check Make all removable devices read-only (for example) and select Edit.
  3. Select Block writing to all files and folders, and under Do not apply to the following files and folders, select Add.
  4. Under File or Folder Name To Match, enter an asterisk (*).
  5. Check Only match on the following device ID type and press Select.
  6. Select the device added to the hardware list and press OK.
    This is the unique USB device ID added previously.
  7. Press OK to close windows until back at the main Application and Device Control Policies window of SEPM.

When the clients receive the new policy, they may need to reboot for it to take effect. If so, a notification message appears on the client stating that a reboot is necessary for the policy change. The client is listed in the Reboot Required logs in the SEPM until the reboot completes.