Data Loss Prevention


Create White List of USB Disk for DLP Agent 

Jan 14, 2012 08:18 AM

Symantec Data Loss Prevention (DLP) Endpoint Prevent detects sensitive data and prevents it from leaving your desktop or laptop endpoint computers.

For example, we can create a policy that prevents the keyword 'test' from being leaked. Then, on the endpoint computer, if a user copies a file that contains the word 'test' to a USB disk, the copy action is blocked by the DLP Agent.

On the other hand, you may want to allow certain USB disks to be used in your organization. For example, you bought a set of encrypted USB disks and want them on a 'White List', because every file copied to these disks is encrypted automatically.

Below is a sample procedure for creating this kind of USB disk 'White List' for the DLP Agent.

We assume that a policy that detects the keyword 'test' already exists.

1. There is a tool named 'DeviceID.exe' in 'SymantecDLPWinAgentTools_11.1.0.zip'. Copy this tool to the desktop that the USB disk is connected to, then run it from the command line. It generates the regex for the USB disk.

2. Log in to DLP Enforce, navigate to 'System' --> 'Agents' --> 'Endpoint Devices', and click 'Add Device'.

3. In the 'Device Definition (Regex)' field, enter the regex generated by DeviceID.exe in step 1.

4. Edit the policy that detects the keyword 'test' and click 'Add Exception'.

5. From the Exception Type list, choose 'Endpoint Device Class or ID'.

6. Under 'Conditions', in 'Endpoint Device Class or ID', choose the device created in step 3.

7. Save and apply this policy.

This USB disk is now white-listed in your organization: a file that contains the word 'test' will no longer be blocked when it is copied to this USB disk.
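Before saving the exception, it is worth checking which devices the regex from step 3 would actually exempt. The following is an added example, not part of the original article or of Symantec's tooling: it escapes a device ID the same way the Dev ID / Regex pairs posted in the comments below are escaped, and lists any device in an inventory that a candidate pattern would exempt without being approved. Python's re module stands in for the agent's regex engine, whole-string matching is an assumption, and the function names and the inventory are constructed for illustration.

```python
import re

# Metacharacters to escape. The Dev ID -> Regex pairs on this page show
# backslash, dot and question mark escaped while '&' and '#' are left alone.
_META = set('\\.?*+^$()[]{}|')

def device_id_to_regex(dev_id):
    """Escape a device instance ID so the pattern matches only that ID."""
    return ''.join('\\' + c if c in _META else c for c in dev_id)

def exempted_devices(pattern, inventory):
    """Return the inventory IDs a device-definition regex would cover.

    Assumption: the pattern has to match the whole ID (re.fullmatch);
    the page does not document how the agent anchors the pattern.
    """
    rx = re.compile(pattern)
    return [d for d in inventory if rx.fullmatch(d)]

def audit(pattern, approved, inventory):
    """IDs the exception would exempt that are NOT on the approved list."""
    return [d for d in exempted_devices(pattern, inventory)
            if d not in approved]

# Constructed sample inventory (serial numbers are made up).
INVENTORY = [
    r"USBSTOR\DISK&VEN_KINGSTON&PROD_DATATRAVELER_2.0&REV_PMAP\AAAA0001&0",
    r"USBSTOR\DISK&VEN_KINGSTON&PROD_DATATRAVELER_2.0&REV_PMAP\AAAA0002&0",
    r"USBSTOR\DISK&VEN_GENERIC&PROD_FLASH_DISK&REV_8.07\BBBB0001&0",
]
APPROVED = {INVENTORY[0]}  # the one encrypted disk that was purchased

if __name__ == "__main__":
    exact = device_id_to_regex(INVENTORY[0])
    broad = r"USBSTOR\\DISK&VEN_KINGSTON\S*"   # vendor-wide pattern
    for name, pat in (("exact", exact), ("broad", broad)):
        extra = audit(pat, APPROVED, INVENTORY)
        total = len(exempted_devices(pat, INVENTORY))
        print(f"{name}: {pat}")
        print(f"  exempts {total} device(s), {len(extra)} not approved")
        for d in extra:
            print(f"    unapproved: {d}")
```

A pattern that ends in a wildcard exempts every matching device from the policy, so the unapproved list should be empty before the exception is applied.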


Comments

Aug 01, 2019 11:51 AM

That worked Mac! I appreciate the tip.

Jul 30, 2019 01:09 PM

@DLP Freak try this, USB\\VID_04E8&\S*

Apr 29, 2019 03:44 PM

Throwing this out there because I too am stuck. (DLP V15.5)

Use case is to block writes to all phones, starting with Samsung

Device ID is USB\VID_04E8&PID_6860

VID_04E8=(Samsung Electronics)

&PID_6860 =(Galaxy Series)

USB\VID_04E8&PID_6860\33474D574D303098 from an Endpoint incident is equal to a specific phone so "33474D574D303098" is the serial number or unique identifier.

I can detect writes to that specific phone using USB\\VID_04E8&PID_6860\\33474D574D303098

I've tried the following regular expressions when creating an Endpoint Device. I've had no success identifying a write to another Samsung phone. I don't believe DLP can identify a device "family", only specific devices.

USB\\VID_04E8*
USB\\VID_04E8&PID_*
USB\\VID_04E8\&PID_*
USB\\VID_04E8&PID_6*
USB\\VID_04E8&PID_6860*
USB\\VID_04E8&PID_6860\*
USB\\VID_04E8&PID_6860\\
USB\\VID_04E8&PID_6860\\*
USB\\VID_04E8\&PID_6860\\*
USB\\VID_04E8&PID_68??
USB\\VID_04E8\&PID_68??
USB\\VID_04E8&PID_6\d[1-8]\d
USB\\VID_04E8\&PID_6\d[1-8]\d

Jul 19, 2017 03:23 PM

Is it possible to use a generic device ID to block all Samsung telephones with Android?

I did some combinations for testing, without results.

Examples:

Device  SM-G360M
Dev ID: USB\VID_04E8&PID_6860\16B963C8
Regex:  USB\\VID_04E8&PID_6860\\16B963C8

USB\\VID_04E8

USB\\VID_04E8*

\\VID_04E8

\\VID_04E8*

\*VID_04E8*\\

 

Sep 28, 2016 04:44 AM

Hello,

 You should use:

 USBSTOR\DISK&VEN_GENERIC&PROD_FLASH_DISK&REV_8.07\10FD277A&0

 

For example, I have on my sys a policy where the Device ID excluded is:

USBSTOR\\DISK&VEN_KINGSTON&PROD_DATATRAVELER_2\.0&REV_PMAP\\50E549C695B3BEB1698B1D16&0

BR,

Sep 26, 2016 10:30 AM

Which part do we need to copy for the device, the regex or the device ID?

After running the tool I got the output below.

 

Device  DataTraveler G3
Dev ID: WPDBUSENUMROOT\UMB\2&37C186B&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_KINGS
TON&PROD_DATATRAVELER_G3&REV_1.00#0013729B678DFBA0A51F253B&0#
Regex:  WPDBUSENUMROOT\\UMB\\2&37C186B&0&STORAGE#VOLUME#_\?\?_USBSTOR#DISK&VEN_K
INGSTON&PROD_DATATRAVELER_G3&REV_1\.00#0013729B678DFBA0A51F253B&0#

********************************************************************************

Device
Dev ID: WPDBUSENUMROOT\UMB\2&37C186B&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_SANDI
SK&PROD_CRUZER_BLADE&REV_2.01#4C530103141119101191&0#
Regex:  WPDBUSENUMROOT\\UMB\\2&37C186B&0&STORAGE#VOLUME#_\?\?_USBSTOR#DISK&VEN_S
ANDISK&PROD_CRUZER_BLADE&REV_2\.01#4C530103141119101191&0#

Sep 26, 2016 10:23 AM

I have followed the same steps; it is not working for 14.5.

Apr 01, 2015 07:37 AM

Dears,

Is there a way to get the ID for all Blackberry devices, not for one device?

Dec 25, 2014 01:12 AM

Awesome yaar...grt work.
