Symantec Endpoint Protection Device Control: excluding devices from blocking show inconsistent results
Article: TECH145804 | Created: 2010-12-08 | Updated: 2012-04-20 | Article URL: http://www.symantec.com/docs/TECH145804
Problem
You are using the Application and Device Control (ADC) functionality within Symantec Endpoint Protection (SEP) 11.x to block certain hardware devices. Blocking one group of devices and allowing a sub-group does not seem to work as intended.
Error
An example of a policy that may cause problems:
| Action | Device group | Class GUID |
| BLOCK | USB | {36fc9e60-c465-11cf-8056-444553540000} |
| ALLOW | HID (mouse/keyboard) | {745a17a0-74d3-11d0-b6fe-00a0c90f57da} |
| ALLOW | Disk Drives | {4d36e967-e325-11ce-bfc1-08002be10318} |
The policy is meant to block all USB devices apart from keyboards, mice and disk drives. When the policy is tested on a client, however, some USB hard drives or USB sticks are allowed while others are still blocked. More specifically, USB drives that have previously been used on that particular machine are still allowed, while USB drives that are new to the machine are blocked.
Cause
The explanation lies in the way a new device is mounted when it is first plugged in to a machine. The USB hardware device has to be loaded and recognized first; only then does the OS create the disk drive and the mount point associated with it. The resulting hardware tree looks like this:
USB-CONTROLLER
  {36fc9e60-c465-11cf-8056-444553540000} - new USB hardware device loaded
    {4d36e967-e325-11ce-bfc1-08002be10318} - new disk drive detected
      F:\ - finally a new drive mount point is created
If the initial device ({36..} above) is blocked by the SEP client Device Control policy, then when a new device is plugged in the OS never creates the sub-devices below it. The allow rules for those sub-devices therefore never come into play, even though SEP would have allowed them had they been created.
Solution
One workaround is to create exceptions that match the same level of the hardware tree as the device group you are blocking. The DevViewer tool on the SEP CD can be used to find the specific Device Instance Id string to allow.
For example, the following rule does allow a USB device on first connection (provided the device matches the vendor ID and product ID in the string below).
| ALLOW | My Disk Drive | DeviceInstanceId = "USB\VID_1234&PID_9876\*" |
The following rule (as in the first example above) does not work, because it attempts to allow a sub-device of the blocked device.
| ALLOW | Disk Drives | Class = {4d36e967-e325-11ce-bfc1-08002be10318} |
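The following simulation, added here as an illustration and not part of the Symantec article or product, walks a constructed hardware tree top-down the way the Cause section describes and evaluates both policies against it. It assumes that an ALLOW exclusion takes precedence over a BLOCK on the same device node; the USBSTOR instance id is a made-up value.

```python
from fnmatch import fnmatchcase

# Class GUIDs quoted in the article
USB_CLASS = "{36fc9e60-c465-11cf-8056-444553540000}"
HID_CLASS = "{745a17a0-74d3-11d0-b6fe-00a0c90f57da}"
DISK_CLASS = "{4d36e967-e325-11ce-bfc1-08002be10318}"

# Constructed tree for one USB stick: (class GUID, DeviceInstanceId, children)
USB_STICK = (USB_CLASS, r"USB\VID_1234&PID_9876\SERIAL01", [
    (DISK_CLASS, r"USBSTOR\DISK&VEN_ACME&PROD_STICK\SERIAL01&0", []),
])

# A rule is (action, ("class", guid)) or (action, ("instance", pattern)).
# Policy from the Error section: block the USB class, allow the sub-classes.
CLASS_ALLOW_POLICY = [("BLOCK", ("class", USB_CLASS)),
                      ("ALLOW", ("class", HID_CLASS)),
                      ("ALLOW", ("class", DISK_CLASS))]
# Policy from the Solution: allow by DeviceInstanceId at the blocked level.
INSTANCE_ALLOW_POLICY = [("BLOCK", ("class", USB_CLASS)),
                         ("ALLOW", ("instance", r"USB\VID_1234&PID_9876\*"))]

def matches(match, node):
    kind, pattern = match
    cls, inst, _ = node
    return cls == pattern if kind == "class" else fnmatchcase(inst, pattern)

def mark_never_created(node, verdicts):
    """Descendants of a blocked device are never enumerated by the OS."""
    _, inst, children = node
    verdicts[inst] = "never created"
    for child in children:
        mark_never_created(child, verdicts)

def evaluate(policy, node, verdicts=None):
    """Top-down walk. Assumption: ALLOW (exclusion) beats BLOCK on one node;
    rules are never evaluated against a blocked node's descendants."""
    verdicts = {} if verdicts is None else verdicts
    _, inst, children = node
    if any(a == "ALLOW" and matches(m, node) for a, m in policy):
        verdicts[inst] = "allowed"
    elif any(a == "BLOCK" and matches(m, node) for a, m in policy):
        verdicts[inst] = "blocked"
    else:
        verdicts[inst] = "allowed"   # no rule applies: device comes up normally
    for child in children:
        if verdicts[inst] == "allowed":
            evaluate(policy, child, verdicts)
        else:
            mark_never_created(child, verdicts)
    return verdicts
```

Running `evaluate(CLASS_ALLOW_POLICY, USB_STICK)` reports the disk drive as never created, while `evaluate(INSTANCE_ALLOW_POLICY, USB_STICK)` reports both levels as allowed.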
A separate workaround, which may be easier to maintain if many different USB drives are in use, is to block an explicit list of hardware types rather than combining a "block all USB" rule with an allow list.
The Symantec Endpoint Protection Manager (SEPM) console already has a number of hardware id strings defined for devices such as scanners, cameras, infrared, Bluetooth, modems, smart cards and printers, which can be used to build such hardware restriction policies.