
Using IronKey Devices with other USB restrictions in Symantec Endpoint Protection 12.1


Article ID: 161683


Products

Endpoint Protection

Issue/Introduction

IronKey USB Devices do not operate without special configuration when controlling USB device access with Application and Device Control.

Cause

IronKey devices have multiple device IDs and specific process whitelist requirements.

 

Resolution

Part I: Exceptions Policy

 Application Exception - Prevent SONAR interaction and/or process injection upon execution of <cdpart>:\IronKey.exe and <cdpart>:\windows\Ironkey.exe or their dependencies.

  1. Review detected applications in Policies > Exceptions > <Active Exception Policy> > Edit, then Exceptions > Add > Windows Exceptions > Application.
  2. Select any instances of Ironkey.exe and set the action to Ignore, then click OK.
     
  3. If instances were found, proceed to Application Control Exception; steps 4 and 5 can be skipped if all recorded instances of Ironkey.exe are set to Ignore. If there are no instances, proceed to step 4.
  4. Add an application to monitor: Add > Windows Exceptions > Application to monitor.
  5. Enter the following application to monitor: ironkey.exe.

Note: After entering an application to monitor it may take a while for new execution attempts to be reported to the SEPM. Repeat steps 1-3 to work with newly detected applications.

 

Application Control Exception - Prevent process injection upon execution of <cdpart>:\IronKey.exe and <cdpart>:\windows\Ironkey.exe or their dependencies.

  1. Add a file exception for each likely path to the primary executable:
    1. Add > Windows Exceptions > File
    2. Check the box next to Application Control
    3. Check the box next to Also exclude child processes
    4. Enter the full path to the executable

Note: There should be two exceptions per expected drive letter (e.g. d:\ironkey.exe and d:\windows\ironkey.exe, or e:\ironkey.exe and e:\windows\ironkey.exe).

The completed policy should look similar to the following. The number of necessary exceptions will vary if older and newer devices are used. If all of the IronKey devices are the same model and revision, you should only see 2 File exceptions (Application Control) per drive letter and 2 Application exceptions. The hash won't change with the drive letter; however, duplicate hashes may be seen if the application was detected in more than one location.

 

 

Part II: Application and Device Control Policy

 Option 1: Blacklist style with read-only support on regular USB keys (Block writing to USB except IronKey)

  1. Follow TECH173724 to identify and add the device IDs related to IronKey devices for exclusion. In most cases this is done with a wildcard in the Device ID to simplify implementation. (e.g. USB\VID_1953&PID_02*)
    Note: Do not complete the steps in Use Device Control
  2. Follow TECH178276 to ensure ironkey.exe is allowed. Other applications may be required as defined by Imation support (ref. AA-02495)
  3. Add devices to blacklist in the hardware list using the same method as step 1. Some examples include:
    USB\VID_1953&PID_0202* - Ironkey Basic
    USB\VID_1953&PID_0201* - Ironkey Personal
  4. Navigate to the Device Control tab of the policy and add the blacklisted devices to the block section.
  5. Apply the policy to a test group and confirm desired operation.

 

Option 2: Whitelist style with all USB storage except IronKey blocked

  1. Follow the steps in TECH175220 to block USB devices.
  2. Using the same document, identify and add the device IDs related to IronKey devices for exclusion. You may choose to specify the entire Device ID for each IronKey you wish to use, or use a wildcard after the revision to allow any IronKey device.
  3. Ensure all necessary exclusions are added to the policy.
  4. Apply the policy to a test group and confirm desired operation.

Note: MTP devices such as newer smartphones may require additional class blocking. (e.g. Portable Device - Class ID: {eec5ad98-8080-425f-922a-dabf3de3f69a})

 

Additional Troubleshooting:
If an IronKey device is connected to a computer where the USB block policy is in place, it will be disabled. Adding the exclusion in Device Control should re-enable the device. If no drive letters are seen after removing and reinserting the device, check Device Manager and confirm the device is not in a disabled state. Enable the device if necessary.
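
The Device Manager check above can also be done from PowerShell on the affected client. This is an added example, not part of the Symantec article: it is a read-only query of the standard Win32_PnPEntity WMI class, using the wildcard Device ID quoted in Option 1 as the default pattern; the function name Get-IronKeyDeviceState is hypothetical.

```powershell
# Added example: list PnP devices whose Device ID matches the IronKey
# wildcard from the article and flag any that Windows reports as disabled.
# Read-only; it changes no device or policy state.

function Get-IronKeyDeviceState {
    param(
        # Default is the wildcard Device ID given in Option 1, step 1.
        # Narrow it (e.g. 'USB\VID_1953&PID_0202*') to check a single model.
        [string[]]$Patterns = @('USB\VID_1953&PID_02*')
    )

    Get-CimInstance -ClassName Win32_PnPEntity |
        Where-Object {
            $id = $_.DeviceID
            # Keep the device if its ID matches at least one pattern.
            $id -and ($Patterns | Where-Object { $id -like $_ })
        } |
        ForEach-Object {
            [pscustomobject]@{
                Name      = $_.Name
                DeviceID  = $_.DeviceID
                Status    = $_.Status
                ErrorCode = $_.ConfigManagerErrorCode
                # Configuration Manager error code 22 means the device is disabled.
                Disabled  = ($_.ConfigManagerErrorCode -eq 22)
            }
        }
}

$devices = @(Get-IronKeyDeviceState)

if ($devices.Count -eq 0) {
    Write-Warning 'No device matching the IronKey Device ID pattern was found.'
}
else {
    $devices | Format-Table -AutoSize -Wrap
    $disabled = @($devices | Where-Object { $_.Disabled })
    if ($disabled.Count -gt 0) {
        Write-Warning "$($disabled.Count) matching device(s) are disabled; confirm the Device Control exclusion has reached this client."
    }
}
```

Because IronKey devices expose multiple device IDs, compare the DeviceID values reported here with the entries in the policy's hardware list before relying on the wildcard alone.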

