Block or allow devices using Endpoint Protection

book

Article ID: 155455

calendar_today

Updated On:

Products

Endpoint Protection

Issue/Introduction

This article describes how to block or allow specific devices in Symantec Endpoint Protection (SEP) using Application and Device Control (ADC) features.

Resolution

There are two ways that devices can be identified in SEP:

  • by Class ID
  • by Device ID

There are advantages and disadvantages of using either method and there is a different functionality for each method.

This article discusses these two IDs and how to use them in SEP.

Class ID

A Class ID is a generic category of devices that are designated by the Windows operating system. A Class ID is always listed as a GUID. Here are examples of Class IDs (GUID):

  • Disk Drives - {4d36e967-e325-11ce-bfc1-08002be10318}
  • Storage Volumes - {71a27cdd-812a-11d0-bec7-08002be2092f}
  • USB devices - {36FC9E60-C465-11CF-8056-444553540000}
  • DVD/CD-ROM - {4D36E965-E325-11CE-BFC1-08002BE10318}
  • IDE - {4d36e96a-e325-11ce-bfc1-08002be10318}
  • PCMCIA - {4d36e977-e325-11ce-bfc1-08002be10318}

In SEP, wildcards are not supported on Class IDs.

For a list of Class IDs, click here.

Device ID

A Device ID (also known as a Device Instance ID in Windows) is a specific ID that is given to each device. A Device ID can be more effective for blocking or allowing devices because it is made by concatenating a list of data about the particular device. Device IDs are generally in a more readable format.

Here are two common formats for Device IDs:

<class>\<type>&<vendor>&<model>&<revision>\<serial number>

<class>\<type><vendor><model><revision>\<serial number>

Here are examples of Device IDs:

  • SanDisk Micro Cruzer - USBSTOR\DISK&VEN_SANDISK&PROD_CRUZER_MICRO&REV_2033\0002071406&0
  • Apple iPod - USBSTOR\DiskApple___iPod____________1.62\4&3656B0&0
  • Hitachi IDE hard drive - IDE\DISKHTS541060G9SA00_________________________MB3IC60H\4&14AA9DA8&0&0.0.0

For Device IDs wildcards are supported: * and ?.

  • Asterisk [*] - means zero or more of any character
  • Question mark [?] - means a single character of any value

Here are examples of using wildcards:

Any USB storage device

  • USBSTOR*

Any USB Disk

  • USBSTOR\DISK*

Any USB SanDisk drive

  • USBSTOR\DISK&VEN_SANDISK*

Any USB SanDisk Micro Cruzer drive

  • USBSTOR\DISK&VEN_SANDISK&PROD_CRUZER_MICRO*

A specific SanDisk device

  • USBSTOR\DISK&VEN_SANDISK&PROD_CRUZER_MICRO&REV_2033\0002071406&0

It is recommended to use Device IDs over Class IDs in most cases.

Hardware Devices

Both the Class IDs and the Device IDs can be added to the SEPM under Policy Components > Hardware Devices section.

Device Viewer

On the SEP CD or DVD, under the Tools\NoSupport folder look for Device Viewer (DevViewer). The Device Viewer can be used to get either the Class ID or the Device ID of a particular device. It would assist copying the IDs to the Clipboard and then paste into the SEPM.

The Device Viewer also gives the ability to view devices by type or by connection.

Device Control

SEP has the ability to block devices using either Application Control or Device Control. Device Control gives the ability to completely disable a device. When a device has been disabled this way, it will be seen as disabled in the Windows Device manager. Device Control can ensure that the device specified cannot be used in the SEP client system at all. Device Control can use both Class IDs and Device IDs.

Device Control can also block devices at any node in the tree. If a device is blocked at one node then all devices below that node (all children) will be blocked also. Conversely if a device is excluded on a particular node, then all the devices above that node will also be excluded.

Note: Devices such as Androids, iphones, and other types of portable devices will not be able be charged when blocked by deviceid with Device Control.

Application Control

Application Control feature assists in performing more granular blocking of devices. Application Control is a very powerful engine that controls blocking or allowing reads, writes or execute commands on a device, including controlling what applications may be used.

For example: Creating a policy using Application Control to block any program that is running off a USB drive from changing the registry or modifying files on the host computer. With Application Control, Device IDs could be used. Class IDs will not work. Device IDs are allowed in the following places:

Program Definition

  • Application rule process
  • Launch process
  • Terminate process

File Definition

  • File Access
  • Load DLL

Only blocking a device with Application Control that is at the end of a node in the tree could be performed, unless the end node is "Generic volume" or "Storage volume". In these two cases, the device that is one up from the last node (the parent of the last node) would be blocked.

Most Device IDs that are supported by Application Control will have one of these types:

USBSTOR

  • Example: USBSTOR\DISK&VEN_SANDISK&PROD_CRUZER_MICRO&REV_2033\0002071406&0

FCD

  • Example: FDC\GENERIC_FLOPPY_DRIVE\4&371082C9&0&0

IDE

  • Example: IDE\DISKHTS541060G9SA00_________________________MB3IC60H\4&14AA9DA8&0&0.0.0

SCSI

  • Example: SCSI\DISK&VEN_WDC_WD50&PROD_00KS-00MNB0&REV_700.\4&1291CDED&0&000

Note: Application Control can only block devices that are seen by Windows as disk drives and have drive letters associated with them. Devices that do not add drive letters (such as an iPhone or iPad) will need to be blocked using Device Control.

USB Root Hub blocking of devices except mouse and keyboard Reference: https://support.symantec.com/en_US/article.TECH161779.html