Microsoft Virtual Hard Disks (VHD) on a DLP Endpoint Agent machine are used to store sensitive, proprietary data needed for daily business operations.
The system storage host controllers and adapters for VHD use a storage bus type similar to that of a Removable Storage device.
To exclude VHDs from Removable Storage channel monitoring, modify the Advanced Agent Setting as follows:
FileSystem.IGNORE_STORAGE_BUS_TYPE.str = BusTypeFileBackedVirtual
This should ignore only VHDs; all other Removable Storage devices will be monitored as usual. The default value is ‘None’. Setting the value to ‘ALL’ will ignore all non-USB disks.
The supported bus type values for FileSystem.IGNORE_STORAGE_BUS_TYPE.str are:
| FileSystem.IGNORE_STORAGE_BUS_TYPE.str value |
| --- |
| All |
| NONE |
| BusTypeUnknown |
| BusTypeScsi |
| BusTypeAtapi |
| BusTypeAta |
| BusType1394 |
| BusTypeSsa |
| BusTypeFibre |
| BusTypeUsb |
| BusTypeRAID |
| BusTypeiScsi |
| BusTypeSas |
| BusTypeSata |
| BusTypeSd |
| BusTypeMmc |
| BusTypeVirtual |
| BusTypeFileBackedVirtual |
To check the bus type of a drive:
1. Open Device Manager.
2. Locate the storage device under 'Disk Drives'.
3. Right-click the drive and click Properties.
4. On the Details tab, choose 'Device instance path' from the Property dropdown.
5. Note the Value.
6. The bus type to ignore will be BusType<value>.
For example, a system drive SSD may have a value of
SCSI\DISK&VEN_NVME&PROC_<unique description of device>
In this case the bus type is BusTypeScsi.
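The Device Manager steps above can be run for every attached disk at once. The following PowerShell is an added example, not vendor code: it reads each disk's device instance path with Get-PnpDevice, applies the BusType<value> rule from step 6, and checks the result against the supported values listed above. The function name Get-BusTypeCandidate is hypothetical.

```powershell
# Added example, not vendor code. Automates the Device Manager steps above.
# Values copied from the supported-values table on this page.
$supported = @(
    'BusTypeUnknown','BusTypeScsi','BusTypeAtapi','BusTypeAta','BusType1394',
    'BusTypeSsa','BusTypeFibre','BusTypeUsb','BusTypeRAID','BusTypeiScsi',
    'BusTypeSas','BusTypeSata','BusTypeSd','BusTypeMmc','BusTypeVirtual',
    'BusTypeFileBackedVirtual'
)

# Hypothetical helper: derive the candidate setting value from an instance path.
function Get-BusTypeCandidate {
    param([Parameter(Mandatory)][string]$InstancePath)
    # The enumerator is the text before the first backslash, e.g. "SCSI".
    $enumerator = ($InstancePath -split '\\', 2)[0]
    # Case-insensitive match so "SCSI" resolves to the listed "BusTypeScsi".
    $match = $supported |
        Where-Object { $_ -ieq "BusType$enumerator" } |
        Select-Object -First 1
    [pscustomobject]@{
        Enumerator   = $enumerator
        SettingValue = if ($match) { $match } else { '(no listed value; check manually)' }
    }
}

# Enumerate the disks that Device Manager shows under 'Disk Drives'.
$report = Get-PnpDevice -Class DiskDrive -PresentOnly | ForEach-Object {
    $candidate = Get-BusTypeCandidate -InstancePath $_.InstanceId
    [pscustomobject]@{
        FriendlyName = $_.FriendlyName
        InstancePath = $_.InstanceId
        Enumerator   = $candidate.Enumerator
        SettingValue = $candidate.SettingValue
    }
}

# Sort by value so disks that resolve to the same bus type appear together.
$report | Sort-Object SettingValue, FriendlyName |
    Format-Table SettingValue, FriendlyName, InstancePath -AutoSize
```

Review every disk that resolves to the value you plan to configure, since the setting applies to a bus type rather than to a single device.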
After changing the setting, save and apply the configuration.
If you instead wish to exclude specific devices from detection, consider using the Device ID utilities to manage and add endpoint devices, and configure the Endpoint Device Class or ID condition as an exception.