How Symantec™ Endpoint Protection Handles Device Control

book

Article ID: 159102

calendar_today

Updated On:

Products

Endpoint Encryption

Issue/Introduction

This article includes a document which describes which features Symantec™ Endpoint Protection Handles Device Control includes and how it can control various devices.

Resolution

What device control features does Symantec Endpoint Protection have?

Using its Application and Device control functionality, SEP can control any device that appears in device manager that has the option to be disabled. This includes printer ports, disk drives, USB devices, Infrared, Bluetooth, Network Adapters, etc.

Figure 1 - the default list of hardware classes available for blocking in Symantec Endpoint Protection

In addition, it has the ability to control read and write to removable storage devices such as USB memory sticks, hard disks and memory cards. Any device can be identified either individually or as a family.

The following tables give a breakdown of the comparison between features in Symantec Endpoint Encryption Device Control (SEE-DC) and Symantec Endpoint Protection’s Application and Device control functionality.

How do I block a device in Symantec Endpoint Protection?
Symantec Endpoint Protection can block devices based on their Class ID (e.g. USB devices - {36FC9E60-C465-11CF-8056-444553540000}) and their Device ID (e.g. SanDisk Micro Cruzer - USBSTOR\DISK&VEN_SANDISK&PROD_CRUZER_MICRO&REV_2033\0002071406&0). Wildcards are also supported in Device ID’s.

For more information on how to block devices, see the following article:
http://www.symantec.com/docs/TECH175220

How do I make a device read only in Symantec Endpoint Protection?
Symantec Endpoint Protection uses Application control to make devices read only, for more information on how to make devices read only, see the following article:
http://www.symantec.com/docs/TECH95813

How do I prevent an application from writing files to removable storage in Symantec Endpoint Protection?
Using Application control, Symantec Endpoint Protection can control which applications can write to specific USB devices. In addition, it can also control what files are written by those applications – e.g. Microsoft Word can only write .doc and .docx files.

For more information, see the following article:
http://www.symantec.com/docs/HOWTO27030

Can Symantec Endpoint Protection block CD writing?
Currently, Symantec Endpoint Protection cannot block CD writing directly, however using Host Integrity and Application Control; it is possible to prevent the usage and launching of both Microsoft Windows CD Burning and also third party CD writing products, leaving only the encrypted CD burning utilities available to be executed.

For more information, please see the following article:
http://www.symantec.com/docs/TECH104800

I use certain features in SEE-DC, when will this be added to Symantec Endpoint Protection?
Features that exist in SEE-DC will be evaluated for inclusion in the Symantec Endpoint Protection roadmap as required. Please contact your Symantec Account Manager to discuss your specific requirements.

Can I use Symantec Endpoint Protection to enforce encryption of files on removable storage devices?
While there isn’t an option in Symantec Endpoint Protection specifically to enforce this, it can change its policy dependent on whether or not encryption software is installed on the endpoint. Using Host Integrity, you could search for the presence of encryption software and if none is found (this doesn’t just have to be Symantec Encryption software, any vendor could be checked for) then the client could be moved to a "quarantine" location where we could apply a device control policy that blocked all writing to removable devices, thus enforcing the installation of encryption software before the user is allowed to copy files to removable storage again. Given the software, Symantec Endpoint Protection could also automate the installation of encryption software.

Can I use Symantec Endpoint Protection to prevent split tunnelling between Wi-Fi and LAN connections?
Yes, Symantec Endpoint Protection has a built in Host Integrity rule to control and prevent split tunnelling.

What level of reporting does Symantec Endpoint Protection support for device control?
Symantec Endpoint Protection Manager can report on devices blocked by its device control component. The reports are filterable by computer, user, operating system, IP address and their group within the management console.

Figure 2 - Device Control reports in SEPM

Reporting on application control also allows you to see files copied to USB devices, you can filter on blocks, allows, etc. the size of the file being copied, the process doing the file copy, user name and IP address.

Figure 3 - Application Control reports in SEPM

Policy in Symantec Endpoint Protection is applied to groups and/or locations. Groups are logical groupings of client computers which can either be manually configured or imported from Organisational Units in Active Directory. Locations are typically used to identify network locations where a client might reside, such as Office, Public networks, VPN, etc. The Symantec Endpoint Protection client is able to determine based on a given criteria which location it is in and then apply the appropriate policy. An administrator could therefore decide that when their client is in the office, it can read and write USB devices without any restriction, but when it leaves the office and is on a public network, it may only be able to read USB devices and not write to them.

For more information, please see this article: http://www.symantec.com/docs/TECH134409

Where can I find out more information about what else Symantec Endpoint Protection is capable of?
Symantec Endpoint Protection 12.1 brings unrivalled security and blazing performance across physical and virtual systems and is equipped to protect the latest operating systems achieving maximum performance and advanced protection.

Symantec Insight technology reduces antivirus scans while SONAR stops cyber-criminals and zero-day attacks. Only Symantec Endpoint Protection 12.1 provides the security you need through a single, high-powered agent, for the fastest, most-effective protection available.

To learn more: http://www.symantec.com/endpoint-protection?fid=endpoint-protection

Will I receive any data loss prevention (DLP) features in Symantec Endpoint Protection?
Symantec Endpoint Protection doesn’t have native DLP capabilities; however, Symantec Endpoint Protection integrates with Symantec’s Data Loss Prevention software. When a data loss policy is violated, the Symantec DLP Endpoint Agent can trigger endpoint lockdown actions available in Symantec Endpoint Protection (e.g., application and device control). Together, Symantec Endpoint Protection and DLP provide control not just at the application, device and port level, but also at the data level. DLP monitors files being written to applications or downloaded to devices, and allows or blocks them based on the content of the file and context in which it’s being used.

To learn more about Symantec DLP, please visit: go.symantec.com/dlp


Attachments