Configure USB device control policies


Article ID: 159261


Products

Endpoint Protection Small Business Edition (Cloud)

Issue/Introduction

Attention Customers of Symantec Endpoint Protection Small Business Edition (SEP SBE) and Symantec Endpoint Protection Cloud (SEP Cloud)

These products will be discontinued on November 2, 2020. On this date, the product will stop protecting the endpoints, and access to the console will no longer be available. We recommend that customers migrate to Symantec Endpoint Security Enterprise.

For more information, see Transitioning to Symantec Endpoint Security Enterprise Guide.

This document discusses the features and functionality of the USB Device Control section of the Cloud version of Symantec Endpoint Protection Small Business Edition (SEP SBE).

NOTE: The SEP SBE product does not have the ability to whitelist a URL or a USB device. It is all or nothing.

 

Resolution

About USB Device Control

USB Device Control enables administrators to prevent malicious code injection and intellectual property theft by controlling employee use of USB removable storage devices. USB mice and keyboards are unaffected by USB Device Control because Windows does not recognize or classify them as storage devices. The control allows or blocks USB storage devices by policy at the endpoint.

  • Allow: When policy allows USB devices, all computers in the groups to which the policy applies have complete access to USB storage devices. Allow is the default setting. Read-only access for USB storage devices can also be configured.
  • Block: When policy blocks USB devices, access to USB storage devices is disabled and notifications of these blocks may be enabled on the endpoint. These notifications appear as small pop-up messages in the bottom-right corner of the endpoint computer's screen. Notifications are off by default.

Example Notification Message:

USB Device Control

Device description: USB Mass Storage

The USB device was blocked by policy and the event has been logged. Contact your administrator for assistance.
 

All blocking events are logged for review and reporting. The blocking events are recorded in a number of locations:

  1. A summary of events listed in the Endpoint Protection Home page widget
  2. A summary of events listed in the Protection Summary section of the Computer Profile for the particular machine
  3. As individual events recorded on the Computer Profile History tab
  4. In the USB Device Control portion of the Endpoint Protection Security Overview report
     

Configuring Device Control

Endpoint Protection policies enable creation of suitable controls over USB storage devices based on groups. Device Control affects devices classified as "USB Storage Devices" by Windows Device Manager. USB Device Control configuration can be included as part of either a new policy, or an existing customized Endpoint Protection policy.
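Before applying a Block policy to a group, it helps to see which attached devices Windows treats as storage and which as input devices. The following PowerShell is an added example, not part of the original article or the product. It assumes that a "USB storage device" can be approximated as a USB device node serviced by the Windows USBSTOR or UASPStor driver; the function name `Get-UsbDeviceScope` and the sample records are constructed for illustration.

```powershell
# Added example: classify USB device nodes as Storage, Input or Other.
# Assumption: storage = device serviced by the USBSTOR (or UASPStor) driver;
# input = device serviced by HidUsb (keyboards, mice). This approximates the
# Windows classification the article refers to; it does not query the product.
function Get-UsbDeviceScope {
    [CmdletBinding()]
    param(
        # Accepts Win32_PnPEntity-like objects so constructed input can be piped in.
        # With no input, the present USB device nodes are read from the local machine.
        [Parameter(ValueFromPipeline)]
        [object[]]$Device = (Get-CimInstance -ClassName Win32_PnPEntity |
                             Where-Object { $_.DeviceID -like 'USB\*' })
    )
    process {
        foreach ($d in $Device) {
            $scope = if ($d.Service -in 'USBSTOR', 'UASPStor') { 'Storage' }
                     elseif ($d.Service -eq 'HidUsb')           { 'Input' }
                     else                                       { 'Other' }
            [pscustomobject]@{
                Scope    = $scope
                Name     = $d.Name
                Service  = $d.Service
                DeviceID = $d.DeviceID
            }
        }
    }
}

# Constructed sample records (not captured from a real machine).
$sample = @(
    [pscustomobject]@{ Name = 'USB Mass Storage Device'; Service = 'USBSTOR'; DeviceID = 'USB\VID_0000&PID_0001\CONSTRUCTED-1' }
    [pscustomobject]@{ Name = 'USB Input Device';        Service = 'HidUsb';  DeviceID = 'USB\VID_0000&PID_0002\CONSTRUCTED-2' }
    [pscustomobject]@{ Name = 'USB Composite Device';    Service = 'usbccgp'; DeviceID = 'USB\VID_0000&PID_0003\CONSTRUCTED-3' }
)
$sample | Get-UsbDeviceScope | Format-Table -AutoSize

# On a live endpoint, list only the devices a storage policy would concern:
# Get-UsbDeviceScope | Where-Object Scope -eq 'Storage'
```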

To configure USB device control in an existing Endpoint Protection policy:

  1. Log in to the SEP SBE cloud management console and navigate to the "Policies" tab
  2. Click on the "Endpoint Protection" link under Services in the left column
  3. Locate the Endpoint Protection policy and click it
  4. In the "USB Device Control" section, use the drop-down to allow or to block access to USB devices
  5. Use the check-boxes to:
    • Disable or enable read-write access to the USB storage device (only available when the Allow option is enabled)
    • Enable or disable user notification of USB blocking (only available when the Block option is enabled)
  6. Under the "Groups" section, check all groups which need this policy applied.
  7. When done, click "Save and Apply".

To configure USB device control in a new custom policy:

  1. Follow the instructions for creating a new custom policy in How to create custom antivirus policies
  2. Once the new policy has been created (step 6), apply the desired USB device control settings: use the drop-down to allow or block access to USB devices
  3. Use the check-boxes to enable or disable read-write access to USB storage devices and notifications of USB blocking
  4. Make sure that all groups which should apply this policy are checked in the "Groups" section at the bottom of the page
  5. Click "Save and Apply"

Bypassing USB device control:

It is possible to set a password to temporarily bypass USB device control, for situations in which an administrator needs to access USB devices on a machine but does not want the user to have open access regularly. To do so:

  1. Log in to the SEP SBE cloud management console
  2. Navigate to the "Settings" tab
  3. Click on the "Computer Settings" link in the left column
  4. Check the "Use this password for features displaying the lock icon" check-box
  5. Enter your password in the "New Password" field and verify it in the "Confirm" field
  6. Click "Save Changes"

The password designated can now be used on a client machine to allow temporary access to USB storage devices.