USB Blocking Policy is not working when the files in USB storage are opened
Article ID: 325168
Products
Carbon Black Cloud Endpoint Standard
Issue/Introduction
USB Blocking Policy is not working when the files in USB storage are opened by the apps from App Volumes.
A USB Blocking Policy is applied to a VDI desktop. If a USB flash disk is inserted into the client, App Volumes package(s) are attached to the VDI, and files stored on the USB flash storage are opened by apps deployed by App Volumes, the USB Blocking Policy does not work and the user is still able to access files stored on the USB flash storage.
Inserting an unapproved USB drive into a computer will create a popup saying that access has been blocked, but files can still be written to the volume.
Environment
Carbon Black Cloud Console
VMware App Volumes 4.x
Carbon Black Cloud Windows Sensor: All Supported Versions
Cause
This issue is caused by the Full Bypass permission rule created for everything under the App Volumes folder SVROOT in the Carbon Black policy.
Resolution
For App Volumes folders, replace the Full Bypass rule in the Carbon Black policy with an Allow "Runs or is running" rule combined with an API bypass rule. Whether to adopt this resolution depends on the level of monitoring the user wants, based on security/performance tradeoff decisions.
1. Navigate to the Carbon Black Cloud console.
2. Navigate to "Enforce" > "Policies", then choose the policy to be changed.
3. Navigate to the "Prevention" tab.
4. Expand the "Permissions" panel.
5. Click "Add application path" and set "**\SVROOT**"
6. Then do the following configuration:
   - Set "Runs or is running" to Allow
   - Set "Performs any API operation" to Bypass
Additional Information
Impact/Risks: This creates a possible security risk because a security policy is bypassed.
If this exclusion is not needed, deleting this Bypass rule will also prevent this behavior.
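The check below is an added example, not part of the original article and not Broadcom tooling: it inspects an exported policy for a Full Bypass rule on SVROOT (the cause above) and builds the replacement rule pair from the resolution. The JSON layout and the values BYPASS_ALL, BYPASS_API, RUN, ALLOW and IGNORE are assumptions about the export format, and the sample policy is constructed.

```python
import copy
import json

# Constructed sample policy. The JSON layout and the action/operation values
# are assumptions about the export format; adjust them to match your export.
SAMPLE_POLICY = json.loads(r'''
{"name": "VDI desktops (constructed)",
 "rules": [
  {"id": 1, "action": "IGNORE", "operation": "BYPASS_ALL",
   "application": {"type": "NAME_PATH", "value": "**\\SVROOT**"}},
  {"id": 2, "action": "ALLOW", "operation": "RUN",
   "application": {"type": "NAME_PATH", "value": "**\\Tools\\**"}}]}
''')

def is_svroot(rule):
    """True for a path-based rule whose application path mentions SVROOT."""
    app = rule.get("application", {})
    return app.get("type") == "NAME_PATH" and "svroot" in app.get("value", "").lower()

def audit(policy):
    """Classify the policy's SVROOT rules against the article's resolution."""
    rules = [r for r in policy.get("rules", []) if is_svroot(r)]
    full = [r.get("id") for r in rules if r["operation"] == "BYPASS_ALL"]
    allow_run = any(r["operation"] == "RUN" and r["action"] == "ALLOW" for r in rules)
    api_bypass = any(r["operation"] == "BYPASS_API" for r in rules)
    if full:
        status = "full_bypass"      # the cause described in the article
    elif allow_run and api_bypass:
        status = "recommended"      # Allow "runs or is running" + API bypass
    else:
        status = "other" if rules else "no_rule"
    return {"status": status, "full_bypass_rule_ids": full}

def proposed_policy(policy):
    """Copy the policy, swapping each Full Bypass on SVROOT for the rule pair."""
    new = copy.deepcopy(policy)
    rules = []
    for r in new["rules"]:
        if is_svroot(r) and r["operation"] == "BYPASS_ALL":
            app = r["application"]
            rules.append({"action": "ALLOW", "operation": "RUN", "application": app})
            rules.append({"action": "IGNORE", "operation": "BYPASS_API",
                          "application": dict(app)})
        else:
            rules.append(r)
    new["rules"] = rules
    return new

if __name__ == "__main__":
    print(audit(SAMPLE_POLICY))
    print(audit(proposed_policy(SAMPLE_POLICY)))
```

Run it over every policy assigned to VDI desktops, since a single remaining Full Bypass on SVROOT is enough to reproduce the behaviour.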