Data Copied from Local Disk to Microsoft Virtual Hard Disk (VHD) Generates Removable Storage Incidents
Article ID: 162799
Updated On:
Products
Issue/Introduction
Microsoft Virtual Hard Disks (VHD) on a DLP Endpoint Agent machine used to store sensitive, proprietary, data needed for daily business operations.
Cause
The system storage host controllers and adapters for VHD use a storage bus type similar to a Removable Storage device.
Resolution
To ignore the VHD monitoring from the Removable Storage channel monitoring, you can do this by modifying the Advanced Agent Setting as follows:
FileSystem.IGNORE_STORAGE_BUS_TYPE.str = BusTypeFileBackedVirtual
This should only ignore VHD, all other Removable Storage devices will be monitored as usual. The default value is ‘None’. Setting the value to ‘ALL’ will ignore all non USB disks.
The supported bus type values for FileSystem.IGNORE_STORAGE_BUS_TYPE.str and related to them bus number values are:
| FileSystem.IGNORE_STORAGE_BUS_TYPE.str value | Bus Number |
| All | N/A |
| NONE | N/A |
| BusTypeUnknown | 0 |
| BusTypeScsi | 1 |
| BusTypeAtapi | 2 |
| BusTypeAta | 3 |
| BusType1394 | 4 |
| BusTypeSsa | 5 |
| BusTypeFibre | 6 |
| BusTypeUsb | 7 |
| BusTypeRAID | 8 |
| BusTypeiScsi | 9 |
| BusTypeSas | 10 |
| BusTypeSata | 11 |
| BusTypeSd | 12 |
| BusTypeMmc | 13 |
| BusTypeVirtual | 14 |
| BusTypeFileBackedVirtual | 15 |
In order to check what is the Bus Number for the drive, go to Device Manager, click Properties on a drive listed under Disk drives and under Details > Location Information confirm the listed Bus Number.
After changing the setting, make sure to apply the Agent Configuration.
In order to do it, click on on "Apply Configuration" on the Agent Configuration page and also "Update Configuration" for the groups that have the red question mark (!) besides the configuration name.after it redirects you to the Agent Groups page.
Feedback
