Exceptions to allow devices do not override rules that block interface types
Article: TECH102252 | Created: 2007-01-30 | Updated: 2007-01-04 | Article URL: http://www.symantec.com/docs/TECH102252
You create a Device Control rule set that blocks a type of interface but includes an exception to allow a specific type of device. The device is still blocked. For example, if you block CD/DVD but allow SCSI, both IDE and SCSI CD-ROMs are blocked.
This behavior is as designed. When there is an overlap between device types and interface methods, the most restrictive rule applies. If you allow a device but block its interface, or allow the interface but block the device, the device will be blocked.
Note: The Administration Guide for Symantec Endpoint Protection and Symantec Network Access Control erroneously states that blocking a port or interface but allowing a specific device on it allows the device to work.
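The following added example (not Symantec code, and not taken from the product) models the behavior described above so that a rule set can be checked for exceptions that never take effect. The class labels, device names and function names are assumptions made for illustration.

```python
# Added illustration: a simplified model, not Symantec's implementation.
from dataclasses import dataclass

@dataclass(frozen=True)
class Device:
    name: str
    classes: frozenset  # every device type / interface class the device falls under

def is_blocked(device, blocked, allowed):
    """Most restrictive rule wins: any blocked class blocks the device.

    `allowed` is accepted only to show that it cannot override a block.
    """
    return bool(device.classes & blocked)

def ineffective_exceptions(devices, blocked, allowed):
    """Return {allowed_class: [device names]} for devices that match an
    exception but are still blocked through another of their classes."""
    shadowed = {}
    for dev in devices:
        if not dev.classes & blocked:
            continue  # no block rule applies, so nothing is shadowed
        for cls in sorted(dev.classes & allowed):
            shadowed.setdefault(cls, []).append(dev.name)
    return shadowed

# Constructed sample inventory and rule set mirroring the article's example.
INVENTORY = [
    Device("scsi-cdrom", frozenset({"CD/DVD", "SCSI"})),
    Device("ide-cdrom", frozenset({"CD/DVD", "IDE"})),
    Device("scsi-disk", frozenset({"SCSI"})),
]
BLOCKED = frozenset({"CD/DVD"})   # block rule
ALLOWED = frozenset({"SCSI"})     # exception that the admin expects to win

if __name__ == "__main__":
    for d in INVENTORY:
        state = "blocked" if is_blocked(d, BLOCKED, ALLOWED) else "allowed"
        print(f"{d.name}: {state}")
    # Exceptions listed here have no effect for the named devices.
    print(ineffective_exceptions(INVENTORY, BLOCKED, ALLOWED))
```

Swapping BLOCKED and ALLOWED reproduces the reverse case from the article: allowing the device type while blocking its interface still blocks the device.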