App Control: How to Block Reads on Unapproved USB Devices


Article ID: 286427


Updated On:


Carbon Black App Control (formerly Cb Protection)


To block reads on Unapproved USB Devices


  • App Control Console: All Supported Versions
  • App Control Agent: All Supported Versions


A Custom Rule that uses the Advanced Rule Options will need to be created.

Enable Advanced Rule Options:
  1. Log in to the Console and navigate to https://ServerAddress/support.php > Advanced Configuration.
  2. Software Rules > Advanced Rule Options > check: Showing advanced rule options > Update.

Create the Custom Rule:
  1. Navigate to Rules > Software Rules > Custom > Add Custom Rule.
  2. Use the following details:
    • Status: Disabled
    • Rule Type: Expert
    • Operations: Open, Open Execute Intent, Read, Mmap Read
    • Actions: Block
    • Path or File: Any
    • Process: Any
    • User or Group: Any (Can be a specific user if desired)
    • Policies: Selected policies > relevant Test Policy (Recommended to test first)
    ***DO NOT enable the rule yet: until File Device Type is set in step 6, the rule is not limited to removable devices, and all reads in the environment will be blocked***
  3. Save & Exit the Disabled Custom Rule.
  4. Edit the Custom Rule.
  5. Scroll down to the "Advanced" section of the Custom Rule. This only appears after the feature is enabled and the Custom Rule is saved.
  6. Change File Device Type to: Unapproved Removable.
  7. Enable & Save the Custom Rule.

Additional Information

  • Files can still be seen, but not opened
  • Files can still be copied at the command prompt to a local drive
  • Files can be displayed with the DOS Type command
  • Creating an additional rule just above this one in the rule stack, with a Read Allow permission, allows this block to be tuned for specific environmental needs