Exceptions to allow devices do not override rules that block interface types

Article:TECH102252  |  Created: 2007-01-30  |  Updated: 2007-01-04  |  Article URL http://www.symantec.com/docs/TECH102252
Article Type
Technical Solution


You create a Device Control rule set that blocks a type of interface but includes an exception to allow a specific type of device. The device is still blocked. For example, if you block CD/DVD but allow SCSI, both IDE and SCSI CD-ROMs are blocked.


This behavior is as designed. When there is an overlap between device types and interface methods, the most restrictive rule applies. If you allow a device but block its interface, or allow the interface but block the device, the device will be blocked.

Note: The Administration Guide for Symantec Endpoint Protection and Symantec Network Access Control erroneously states that blocking a port or interface but allowing a specific device on it allows the device to work.
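
The precedence described above, modeled as an added example; it is not Symantec code and does not use the product's policy format. The class names, the device inventory and the default of allowing a device that matches no block rule are assumptions made for illustration. The audit function lists exceptions that cannot take effect.

```python
# Simplified model of the precedence described in this article; not Symantec's
# policy format. Class names and the device inventory are constructed samples.
BLOCK, ALLOW = "block", "allow"

def effective_action(device_classes, blocked, allowed):
    """Most restrictive rule wins: any blocked class the device belongs to
    blocks it. `allowed` is deliberately ignored, because an exception never
    overrides a block that also matches the device."""
    if set(device_classes) & set(blocked):
        return BLOCK
    return ALLOW  # assumption: a device that matches no block rule is allowed

def shadowed_exceptions(inventory, blocked, allowed):
    """Return (device, exception, blocking classes) for every exception that
    matches a device but has no effect because a block rule also matches."""
    findings = []
    for name, classes in inventory.items():
        hits = sorted(set(classes) & set(blocked))
        if not hits:
            continue
        for exc in sorted(set(classes) & set(allowed)):
            findings.append((name, exc, hits))
    return findings

# Constructed inventory: each device lists its device type and its interface.
INVENTORY = {
    "IDE CD-ROM": ["CD/DVD", "IDE"],
    "SCSI CD-ROM": ["CD/DVD", "SCSI"],
    "SCSI hard disk": ["Disk", "SCSI"],
}

if __name__ == "__main__":
    # The article's case: block CD/DVD, exception for SCSI.
    blocked, allowed = ["CD/DVD"], ["SCSI"]
    for name, classes in INVENTORY.items():
        print(f"{name:15} -> {effective_action(classes, blocked, allowed)}")
    for name, exc, hits in shadowed_exceptions(INVENTORY, blocked, allowed):
        print(f"exception '{exc}' has no effect on {name}: blocked by {hits}")
```

Running the audit against a planned rule set before deployment shows which exceptions need to be replaced by a narrower block rule.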
