Endpoint Device Control not working for Encrypted Devices

Article ID: 160085

Products

Data Loss Prevention Endpoint Prevent

Issue/Introduction

A policy was created to block copying files to all USB devices except 2 hardware-encrypted USB devices: SanDisk and Verbatim. The exception is defined based on DeviceID.

The policy looks like this:

Rule: Removable Storage (Protocol)
Exception: SanDisk DeviceID in RegEx format
Exception: Verbatim DeviceID in RegEx format

The RegEx for the device IDs is collected from the output of the DeviceID.exe utility. These devices are seen under Device Manager->Disk Drives.

The exception does not appear to work unless the EDPA process is restarted.

Resolution

When the EDPA process is running and you plug in a hardware-encrypted USB device, EDPA gets a device control event. EDPA queries all attached devices (to create the device ID map), but the query fails for the hardware-encrypted USB devices (GetVolumeInformation() fails) because these devices need to be unlocked (and the drive is seen as CDFS). To unlock the USB device, the user is prompted to provide a password when the user clicks the USB drive. But before the user completes this task, EDPA has finished creating the device ID map, and this map does not contain the hardware-encrypted USB devices.

The only workaround is to restart the EDPA process before copying to the USB drive. This is not feasible, since the end user is not aware of the issue.
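The sequence described above can be reproduced with a small model. This is an added illustration, not Symantec code: the `Volume` and `Agent` classes, the device ID string, the exception RegEx, and the assumption that a restarted agent rebuilds its map at startup are all constructed for the example.

```python
import re

class Volume:
    """Constructed stand-in for an attached USB volume."""
    def __init__(self, device_id, locked=False):
        self.device_id = device_id
        self.locked = locked

    def query(self):
        # Models GetVolumeInformation(): it fails while the drive is still locked.
        if self.locked:
            raise OSError("volume not readable until unlocked")
        return self.device_id

class Agent:
    """Toy agent: builds a device ID map once per device event."""
    def __init__(self, exception_patterns, attached):
        self.exceptions = [re.compile(p) for p in exception_patterns]
        self.device_map = {}
        self.on_device_event(attached)  # assumption: the map is also built at startup

    def on_device_event(self, attached):
        self.device_map = {}
        for letter, volume in attached.items():
            try:
                self.device_map[letter] = volume.query()
            except OSError:
                pass  # the locked device is silently left out of the map

    def allows_copy(self, letter):
        # A copy is allowed only if the drive is in the map and matches an exception.
        device_id = self.device_map.get(letter)
        return device_id is not None and any(p.search(device_id) for p in self.exceptions)

def scenario():
    # Constructed device ID and RegEx; real values come from DeviceID.exe.
    patterns = [r"USBSTOR\\DISK&VEN_EXAMPLE&PROD_SECURE\\.*"]
    attached = {}
    agent = Agent(patterns, attached)            # agent already running
    usb = Volume(r"USBSTOR\DISK&VEN_EXAMPLE&PROD_SECURE\0001", locked=True)
    attached["E:"] = usb
    agent.on_device_event(attached)              # plug-in event arrives while locked
    usb.locked = False                           # user enters the password afterwards
    before_restart = agent.allows_copy("E:")     # map is stale, exception not applied
    agent = Agent(patterns, attached)            # workaround: restart the agent
    after_restart = agent.allows_copy("E:")
    return before_restart, after_restart

if __name__ == "__main__":
    print(scenario())
```

The exception RegEx itself is correct in both cases; the copy is blocked before the restart only because the unlocked drive never made it into the map.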

This is fixed in 11.1.1 per etrack 2374979.