Troubleshooting USB Device Blocking / Approvals
search cancel

Troubleshooting USB Device Blocking / Approvals

book

Article ID: 285908

calendar_today

Updated On:

Products

Carbon Black Cloud Endpoint Standard (formerly Cb Defense)

Issue/Introduction

  • USB device still blocked after approval
  • USB device not blocking as expected

Environment

  • Carbon Black Cloud Sensor: All Supported versions
  • Microsoft Windows: All Supported Versions
  • macOS: All Supported Versions

Cause

  • Incompatible device
  • Sensor has not yet received the policy change
  • Sensor connection issue to content.carbonblack.io

Resolution

  1. Confirm the device is categorized as USB Mass Storage using the repcli device all command
  2. Confirm when the last Manifest Content Update was and if there are any ManifestDownloadFailure Alarms:
    1. Open an admin command prompt and run the command: 
      "C:\Program Files\Confer\RepCLI.exe" status | findstr Manifest
    2. Example output: 
      EEDR Reporting Revision[108]: Enabled (Manifest)
     Unified Binary Store (UBS) Metadata Reporting Revision[27]: Enabled (Manifest)
     Unified Binary Store (UBS) Upload Revision[31]: Enabled (Manifest)
     Ransomware Detection Revision[6]: Enabled (Manifest)
     Ransomware Prevention Revision[10]: Enabled (Manifest)
     Device Control Reporting Policy Revision[11]: Enabled (Manifest)
     Privilege Escalation Report Revision[4]: Enabled (Manifest)
     Privilege Escalation Prevention Revision[3]: Enabled (Manifest)
     Carbon Black Threat Intelligence Detection Revision[6]: Enabled (Manifest)
     AMSI Threat Intelligence Detection Revision[45]: Enabled (Manifest)
     Credential Theft Detection Revision[16]: Enabled (Manifest)
     Credential Theft Prevention Revision[10]: Enabled (Manifest)
     Carbon Black Threat Intelligence Prevention Revision[6]: Enabled (Manifest)
     AMSI Threat Intelligence Prevention Revision[21]: Enabled (Manifest)
     Disguised Names Detection Revision[15]: Enabled (Manifest)
     IoA rules Revision[3]: Enabled (Manifest)
   Last Manifest Content Update Time[MM/DD/YYYY hh:mm:ss]

ManifestDownloadFailure: <Number> times, MM/DD/YYYY hh:mm:ss
  3. Confirm that the policy change occured before the last Content Update time shown in step 2B.
    • Settings > Audit Log
  4. ManifestDownloadFailures will cause USB functionality to not work correctly. If you see failures in the result of step 2B, refer to Getting started with Content or Manifest download failures
  5. If the issue is still occuring:
    1. Collect a screenshot of the "repcli device all" command result (Step 1)
    2. Collect sensor logs
    3. Open a Technical Support Case for further assistance
Powered by Wolken Software