How to block USB hard drives, but allow reading specific USB drives in the Application and Device Control Policy

Article ID: 155346

Products

Endpoint Protection

Issue/Introduction

How to block USB hard drives in Symantec Endpoint Protection (SEP), but allow reading specific USB drives in the Symantec Endpoint Protection Manager (SEPM) Application and Device Control (ADC) Policy

Resolution

Identify the Device ID:

  1. On the Windows taskbar, click Start > Settings > Control Panel > System.
  2. On the Hardware tab, click Device Manager.
  3. In the Device Manager list, double-click the device.
  4. In the device's Properties dialog box, on the Details tab, select the Device ID (on Windows XP) or Device Instance Path (Windows Vista or 7).
  5. Press Control+C to copy the ID string.

If you have difficulty finding the correct Device ID for building the rule, remember that in DevViewer you can change the View Style to "View devices by connection", which shows how each device hangs off the USB bus and is particularly helpful when troubleshooting USB exclusions.
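As an added example that is not part of the KB article, the following PowerShell script collects the same Device Instance Path that the Device Manager steps above produce, for every USB-attached disk on the machine, so an administrator can pick the right string without clicking through the Properties dialog. It assumes Windows PowerShell 3.0 or later (`Get-CimInstance`); on older clients the identical query works with `Get-WmiObject Win32_DiskDrive`. The function name `Get-UsbDiskDeviceId` is the example's own.

```powershell
# Added example, not from the KB article or Symantec: enumerate USB disks and
# print the PnP device instance path that SEPM expects in the Device ID field.
function Get-UsbDiskDeviceId {
    Get-CimInstance -ClassName Win32_DiskDrive |
        Where-Object { $_.InterfaceType -eq 'USB' } |
        ForEach-Object {
            [PSCustomObject]@{
                Model    = $_.Model
                # PNPDeviceID is the same string Device Manager shows as
                # "Device Instance Path" (Vista/7) or "Device ID" (XP).
                DeviceId = $_.PNPDeviceID
            }
        }
}

$usbDisks = @(Get-UsbDiskDeviceId)
if ($usbDisks.Count -eq 0) {
    Write-Host 'No USB disk drives are currently attached.'
} else {
    $usbDisks | Format-Table -AutoSize
    # Put the first ID on the clipboard, ready to paste into SEPM with CTRL-V.
    # (Set-Clipboard requires PowerShell 5.0+; on older versions use clip.exe.)
    $usbDisks[0].DeviceId | Set-Clipboard
}
```

Use the complete string, including the trailing serial-number segment, when you add the hardware device in SEPM: that suffix is what ties the exclusion to one physical drive. An ID that covers only the vendor and product portion would match every drive of that model, which defeats the purpose of allowing a single administrator's stick.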

Add the Hardware Device into SEPM policy:

  1. In the SEPM, select the Policies view.
  2. In the upper left corner of the console, under the View Policies section, click on Policy Components to expand the sub-list.
  3. Under Policy Components, select Hardware Devices.
  4. Under Tasks, select Add a Hardware Device.
  5. Type in the Name to identify the device (example: Administrator's USB Flash drive).
  6. Select the Device ID option, click in the text box and press CTRL-V to paste the Device ID you copied from Device Manager or the DevViewer tool.
  7. Click OK.

Add Disk Drives as a blocked device and add the hardware device you want to allow to the Devices Excluded From Blocking list:

  1. In the SEPM, under View Policies, select Application and Device Control.
  2. Right click the appropriate Application and Device Control Policy and select Edit.

Use Application Control:

  1. Select the Application Control view.
  2. Check "Block writing to USB drives" and select Edit.
  3. Select "Block writing to all files and folders"; under "Do not apply to the following files and folders", select Add...
  4. Under "File or Folder Name To Match" enter a * (an asterisk).
  5. Check "Only match on the following device id type" and press Select.
  6. Highlight the device added to the hardware list (the unique USB device added previously) and press OK.
  7. Press OK to close each window until you are back at the "Application and Device Control Policies" window of the SEPM.

  8. Select "Assign the Policy".
  9. Select the group to assign the edited policy to.
  10. Press "Assign".

When the clients get the new policy, they may need to be rebooted for the policy to work correctly. If so, there will be a notification message on the client that a reboot is necessary for the new policy change, and the client will be listed in the Reboot Required logs in the SEPM.
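Once a client has picked up the policy (and rebooted if prompted), the quickest way to confirm the rule behaves as intended is to attempt a small write on each removable drive: the blocked drives should refuse it and the excluded drive should accept it. The script below is an added example, not part of the KB article; it assumes Windows PowerShell 3.0 or later and a removable drive that is mounted with a drive letter, and the function name `Test-RemovableDriveWrite` and the probe file name are the example's own.

```powershell
# Added example, not from the KB article or Symantec: probe every removable
# drive with a throwaway file to see whether the ADC write block applies.
function Test-RemovableDriveWrite {
    # Win32_LogicalDisk DriveType 2 = removable disk
    $drives = Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2'
    foreach ($d in $drives) {
        $probe = Join-Path $d.DeviceID 'sep-adc-write-probe.tmp'
        try {
            [IO.File]::WriteAllText($probe, 'probe')
            Remove-Item -LiteralPath $probe -Force
            $result = 'write allowed'
        } catch {
            # Application Control surfaces the refusal as an I/O error; report its type.
            $result = "write blocked ($($_.Exception.GetType().Name))"
        }
        [PSCustomObject]@{
            Drive  = $d.DeviceID
            Volume = $d.VolumeName
            Result = $result
        }
    }
}

Test-RemovableDriveWrite | Format-Table -AutoSize
```

A drive that reports "write allowed" but is not the one you excluded means the policy has not applied to that client yet, or the exception's Device ID matches more broadly than intended; compare the drive's instance path against the hardware device you added in SEPM.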
 
Use Device Control:

  1. In the SEPM, under View Policies, select Application and Device Control.
  2. Right click the Application and Device Control Policy and select Edit.
  3. Select the Device Control view.
  4. Under the Blocked Devices section, click Add, select USB and click OK. (If Disk Drives is not listed, it has already been added as a Blocked Device.)
  5. Under Devices Excluded From Blocking, click Add.
  6. Select Human Interface Devices and the devices for which you want to restrict only one of their functions, then click OK.
  7. Click OK to the Application and Device Control policy window and assign this policy to the client group.