USB Blocking Policy does not work when files on USB storage are opened by apps from App Volumes
Article ID: 325168
Products
Carbon Black Cloud Endpoint Standard
Issue/Introduction
Symptoms: A USB Blocking Policy is applied to a VDI desktop. If a USB flash disk is inserted into the client, App Volumes package(s) are attached to the VDI, and files stored on the USB flash storage are opened by apps deployed by App Volumes, the USB Blocking Policy does not work and the user is still able to access files stored on the USB flash storage.
Environment
Carbon Black Cloud Console
VMware App Volumes 4.x
Cause
This issue is caused by the Full Bypass permission rule created for everything under the App Volumes folder SVROOT in the Carbon Black policy.
Resolution
Modify the Carbon Black rules for the App Volumes folders to use an Allow "Runs or is running" rule combined with an API bypass rule instead of Full Bypass. Whether to adopt this resolution depends on the level of monitoring the user wants, based on security/performance tradeoff decisions.
1. Navigate to the Carbon Black Cloud console.
2. Navigate to "Enforce" > "Policies", then choose the policy to be changed.
3. Navigate to the "Prevention" tab.
4. Expand the "Permissions" panel.
5. Click "Add application path" and set "**\SVROOT**"
6. Then do the following configuration:
   - Set "Runs or is running" to Allow
   - Set "Performs any API operation" to Bypass
Additional Information
Impact/Risks: This causes a possible security risk as a security policy is bypassed.