Adding external USB drives to the Hardware Devices list
1. Open the Symantec Endpoint Protection Manager
2. Click on Policies
3. Expand Policy Components
4. Click on Hardware Devices
5. Click Add a Hardware Device...
6. In the Device Name field, type usbstorage (Note: this can be anything)
7. Choose Device ID: USBSTOR\* (Note: This must be all capital letters and must be spelled correctly)
8. Click OK
How to add a USB drive by device ID
On the Symantec_Endpoint_Protection_11.0.XXXX.XXX_MRX_AllWin_EN_CD2.xxx image you will find TOOLS/NOSUPPORT/DEVVIEWER. Download the DevViewer.exe file from there.
1. Place a USB thumb drive in the USB port
2. Open the DevViewer utility
3. Expand Disk drives in the DevViewer
4. Select USB Flash Memory USB Device
5. In the right-hand panel under USB Flash Memory USB Device, right-click in the panel and choose Copy Device ID.
6. Open the Symantec Endpoint Protection Manager
7. Click on Policies
8. Expand Policy Components
9. Click on Hardware Devices
10. Click Add a Hardware Device...
11. In the Device Name field, type Allow USB (Note: this can be anything)
12. Choose Device ID: and paste the device ID copied from DevViewer into the field
13. Click OK
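The DevViewer step above copies the Plug and Play instance ID of the drive. The following is an added example, not part of the Symantec article or its tools, that lists the same IDs for every attached USB disk using only built-in WMI (PowerShell 2.0 and later), and checks whether each one would fall under the catch-all USBSTOR\* entry created in the first procedure. It assumes the SEP Device ID field takes the PnP instance ID exposed as PNPDeviceID on Win32_DiskDrive.

```powershell
# Added example (not from the Symantec article): enumerate USB disk device IDs
# with WMI instead of the unsupported DevViewer utility.
# Assumption: SEP's "Device ID" field accepts the PnP instance ID that
# Win32_DiskDrive reports as PNPDeviceID (USBSTOR\... for USB mass storage).

function Get-UsbStorageDeviceId {
    Get-WmiObject -Class Win32_DiskDrive |
        Where-Object { $_.InterfaceType -eq 'USB' } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Model    = $_.Model
                # e.g. USBSTOR\DISK&VEN_xxx&PROD_yyy&REV_zzz\<serial>&0
                DeviceId = $_.PNPDeviceID
            }
        }
}

# -clike is the case-sensitive wildcard operator, which mirrors the article's
# requirement that USBSTOR\* be entered in capital letters. A backslash is a
# literal character in PowerShell wildcards, so the pattern is used verbatim.
function Test-UsbStorPattern {
    param(
        [Parameter(Mandatory = $true)][string]$DeviceId,
        [string]$Pattern = 'USBSTOR\*'
    )
    return ($DeviceId -clike $Pattern)
}

# Print each USB disk, its ID (ready to paste into the SEP Device ID field),
# and whether the catch-all block entry would cover it.
Get-UsbStorageDeviceId | ForEach-Object {
    $covered = Test-UsbStorPattern -DeviceId $_.DeviceId
    "{0}`t{1}`tmatches USBSTOR\*: {2}" -f $_.Model, $_.DeviceId, $covered
}
```

Run this on the workstation with the drive you intend to allow inserted; the DeviceId column is the value to paste at step 12, and an ID that reports matches USBSTOR\*: False would not be blocked by the catch-all entry either.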
How to create a rule that allows only specific USB drives onto your network.
1. Click on Application and Device Control
2. Edit Application and Device Control
3. Highlight Application Control
4. Check the box next to Block writing to USB drives
5. Choose Edit
6. Under the Rules column, choose Add > Add Condition > File and Folder Access Attempts
7. The new File and Folder Access Attempts condition must be highlighted
8. On the Properties tab, Enable this rule should be checked
9. Under Apply this rule to the following files and folders:
10. Click Add
11. In the File or Folder Name To Match field, type *
12. Use wildcard matching (* and ? supported) should be checked
13. Check the box Only match files on the following device ID type
14. Click the Select button
15. Browse to the Device Name: usbstorage (Note: this may have been named something else based on your naming convention)
16. Click OK
17. Under Do not apply to the following files and folders, choose Edit
18. In the File or Folder Name To Match field, type *
19. Use wildcard matching (* and ? supported) should be checked
20. Check the box Only match files on the following device ID type
21. Click the Select button
22. Browse to the Device Name: Allow USB (Note: this may have been named something else based on your naming convention)
23. Click OK
24. Select the Actions tab
25. In the Read Attempt column, choose Block access (Note: enable logging if you would like to log the attempts)
26. Check the box Notify User:
27. Create a notification by typing something in the field (Note: this can be whatever you want)
28. In the Create, Delete, or Write Attempt column, choose Block access
29. Check the box Notify User:
30. Create a notification by typing something in the field (Note: this can be whatever you want)
31. Click OK
32. Click OK again
33. Apply to the groups you want to associate this policy with
34. Reboot clients
Note: This will work on a 32-bit server but will not work on a 64-bit server, and all features must be installed: Antivirus and Antispyware, Proactive Threat Protection, Network Threat Protection.
Note: This will work on all workstations, but all features must be installed: Antivirus and Antispyware, Proactive Threat Protection, Network Threat Protection.