
Internal SCSI drive is detected as an external USB drive.


Article ID: 184660


Products

Data Loss Prevention Endpoint Prevent, Data Loss Prevention

Issue/Introduction

An internal SCSI drive is detected as an external USB drive in Data Loss Prevention.
You want to prevent incidents from being created for data transfers to this internal SCSI drive.

Environment

DLP 15.x

Resolution

One way to stop incidents from being generated against an internal SCSI drive (as if it were an external USB drive) is to use the DeviceID.exe tool included with the agent tools to scan the SCSI device ID and add it to the device whitelist.

1. 'DeviceID.exe' is inside the Tools folder in 'Symantec_DLP_15.x_Agent_Win-IN.zip'. Copy this tool to the system where the removable drive is connected, then run it from the command line. It will generate the regex of the removable drive, for example: SCSI\\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\\5&1EC51BF7&0&000000

2. Log in to the DLP Enforce console, navigate to 'System' --> 'Agents' --> 'Endpoint Devices', and click 'Add Device'.

3. In the 'Device Definition (Regex)' field, input the regex that was generated by the DeviceID.exe tool in step 1.

4. Save the device.

5. Edit any policy for which you would like to put this device in exception. Click 'Add Exception'.

6. From the Exception Type list, choose 'Endpoint Device Class or ID'.

7. Give the Exception a name and select the device created in step 3.

8. Save the policy.

Now, this device is whitelisted for this policy, and violations of this policy will not be detected on this device.
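
Before saving the device definition, it is worth confirming that the regex covers only the intended drive, because an exception built on a broader pattern also exempts other devices from the policy. The following Python sketch is an added example, not part of the original article or of the DLP tooling; the device inventory is constructed, and using Python's re module with partial matching as a stand-in for how DLP evaluates the definition is an assumption.

```python
import re

# Device definition from step 1 of the article (backslashes are regex-escaped).
DEVICE_REGEX = r"SCSI\\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\\5&1EC51BF7&0&000000"

# Raw instance ID that the definition is meant to cover.
INTENDED = r"SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&1EC51BF7&0&000000"

# Constructed inventory of device instance IDs (not taken from a real system).
INVENTORY = [
    INTENDED,                                                        # internal disk
    r"SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&1EC51BF7&0&000100",   # second disk
    r"USBSTOR\DISK&VEN_SANDISK&PROD_ULTRA&REV_1.00\0123456789AB&0",  # USB stick
]


def scope_report(pattern, intended, inventory):
    """Classify a device definition before it is used in a policy exception.

    Returns (verdict, unintended), where verdict is one of:
      'invalid'   - the pattern does not compile as a regex
      'miss'      - the intended device is not matched
      'too_broad' - the intended device and other devices are matched
      'exact'     - only the intended device is matched
    and unintended lists every matched device other than the intended one.
    """
    try:
        rx = re.compile(pattern)
    except re.error:
        # Typical cause: the raw ID was pasted without escaping its backslashes.
        return "invalid", []
    # Assumption: partial matching (search), the most permissive interpretation.
    hits = [dev for dev in inventory if rx.search(dev)]
    unintended = [dev for dev in hits if dev != intended]
    if intended not in hits:
        return "miss", unintended
    return ("too_broad" if unintended else "exact"), unintended


if __name__ == "__main__":
    candidates = {
        "article regex": DEVICE_REGEX,
        "wildcard suffix": r"SCSI\\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\\.*",
        "unescaped raw ID": INTENDED,
    }
    for label, pattern in candidates.items():
        verdict, unintended = scope_report(pattern, INTENDED, INVENTORY)
        print(f"{label}: {verdict} {unintended}")
```
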