USB Mounted NVME drives are not blocked by Application Device Control on Windows

Article ID: 253047

Products

Endpoint Protection, Endpoint Security, Endpoint Security Complete, Endpoint Security for Servers, Endpoint Protection Cloud, Endpoint Protection for VDI

Issue/Introduction

You notice that certain devices that contain NVME hard drives, and some encrypted USB thumb drives on USB 3.0, 3.1 and USB-C, do not get blocked or fully filtered by Symantec Endpoint Protection ADC rules. They are allowed to mount and, in some cases, to read and write data even with the 'Block Writing to USB' options set in the Symantec Endpoint Protection Manager ADC policies.

Environment

Windows 10, Windows 11 and Windows Server 2012 up to and including Server 2022

Cause

The issue stems from Windows classifying the devices, in some circumstances, as a 'Fixed disk' in the drive's attributes and then labeling the device as a SCSI device. When Windows does this, the drive is not marked as a 'removable' drive, and it is presented to Symantec Endpoint Protection as a mounted hard drive that cannot be removed on the fly or 'ejected'.

Resolution

This will be fixed in a new version of the Symantec Endpoint Protection client that will also inspect the device's 'BUSTYPE' attribute and apply additional logic to determine whether the drive is actually removable despite Windows labeling the device as a fixed mounted hard drive.
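
Until a fixed client is deployed, an administrator can audit endpoints for disks in this state. The following PowerShell is an added example, not Symantec or Broadcom code: it lists each mounted volume with its disk's bus type and flags volumes that Windows reports as Fixed although the disk is on the USB bus. It assumes the BusType value shown by the built-in Get-Disk cmdlet corresponds to the 'BUSTYPE' attribute this article refers to.

```powershell
# Added example (not vendor code): find volumes that Windows reports as
# 'Fixed' even though the underlying disk is attached over USB.
# Assumption: Get-Disk's BusType is the bus-type attribute the article means.

$report = foreach ($disk in Get-Disk) {
    # Volumes on this disk. Partitions without a volume (for example MSR)
    # return nothing, so errors from them are suppressed.
    $volumes = Get-Partition -DiskNumber $disk.Number -ErrorAction SilentlyContinue |
        Get-Volume -ErrorAction SilentlyContinue

    foreach ($vol in $volumes) {
        [pscustomobject]@{
            DiskNumber   = $disk.Number
            FriendlyName = $disk.FriendlyName
            BusType      = $disk.BusType      # e.g. USB, NVMe, SATA, SCSI
            DriveLetter  = $vol.DriveLetter
            DriveType    = $vol.DriveType     # e.g. Fixed, Removable
            # The mismatch described under Cause: USB bus, yet not 'Removable'.
            UsbButFixed  = ($disk.BusType -eq 'USB') -and ($vol.DriveType -eq 'Fixed')
        }
    }
}

# Full inventory first. Disks that Windows labels as SCSI are not flagged
# automatically, so review the BusType column for those by hand.
$report | Sort-Object DiskNumber | Format-Table -AutoSize

# Then only the volumes that a "removable only" rule would miss.
$report | Where-Object UsbButFixed
```

Run it in an elevated PowerShell session with the suspect device attached; an empty second result means no USB-attached volume is currently classified as Fixed.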