Mobile Phone, External Hard Drive, or Other USB Devices Categorized as Removable: No
search cancel

Mobile Phone, External Hard Drive, or Other USB Devices Categorized as Removable: No

book

Article ID: 290731

calendar_today

Updated On:

Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

Mobile Phones, external hard drives and other USB Devices are showing in the Console as Removable Device: No

Environment

  • App Control Console: All Supported Versions
  • App Control Agent: All Supported Versions

Cause

The Agent will rely on the Operating System to determine the device's Media Type. The Media Type will depend on the device/drivers/method used to connect to the endpoint.

  • The Agent only tracks mounted volumes. 
  • Some phones, cameras, and other media devices use the Media Transfer Protocol (MTP) or Picture Transfer Protocol (PTP) to transfer media files to/from the machine without ever mounting as a volume.
    • When devices are connected in this way the Agent will not track these devices, and they will not show up on the App Control Console's Devices page.
    • If possible, connect these devices in “USB Mass Storage” mode instead of “MTP/PTP transfer” mode.
    • This should allow the device to report as Removable to the Agent and be properly managed within the Console.

Resolution

Only Removable Devices shown in the Console > Assets > Devices can be Approved, Banned or blocked by App Control Rules.

Additional Information

  • Fixed Devices are included in the Device Inventory, but they cannot be Approved, Banned or blocked by App Control Rules.
  • App Control must rely on the information provided by a device to determine whether it is Fixed or Removable.
    • On Windows, when the Device Media Type shows as SCSI the device will not be detected as Removable. To confirm:
      • Navigate to System Information > Components > Storage > Disks > relevant Disk Drive > Media Type.
      • Alternatively, the following PowerShell command could also be used to confirm the Interface type shows as SCSI or USB: 
        Get-CimInstance Win32_DiskDrive | Format-Table -Property DeviceID,Caption,Model,Description,InterfaceType
  • Files residing on Removable Devices that are not mounted as volumes cannot be executed on the host machine via this protocol, but files from the host machine can be transferred to/from these devices and will not report or block these writes, even if a File Creation Control Rule is in effect.
Powered by Wolken Software