
To block or not to block... why is it so hard?

Created: 23 Apr 2008 • Updated: 23 May 2010 | 16 comments
 
Good morning all,
 
Here is the scenario:
 
I have a Windows XP SP2 machine with a Dual Channel Fibre Card connected to an external Framestore via 2 dual channel Fibre cables.
Windows detects the Frame Store as a "Generic Volume".  It doesn't really matter to me if the USB ports are blocked or not; what I do want is that no USB keys, hard drives or any other storage peripheral be allowed to be "enabled" on my machines, thus not allowing data to be "taken" from the network.
 
When I enable device control for "Mass Storage", the frame store gets blocked...  1 step forward and 2 steps back.  I tried enabling access for "Disk Drives" and for "SCSI" (ATTO Celerity FC falls under SCSI cards in Device Manager) but to no avail.
 
Is there some way around this?  Or should I just "disable" USB support in the BIOS and leave things the way they are now?  Hence, no access to anything USB (not even a mouse) and have access to my Framestore...
 
Thanks in advance.


jeffwichman:
You should be able to import the Class ID of the device you want to allow (exclude from blocking).  You need to look in HKEY_Local_Machine\SYSTEM\CurrentControlSet\Control\Class for the CLSID of the device.   I have not tested this but believe that is how you would exclude the device in question.
 
Cheers
Toast:
First the word of caution.  If you disable all USB items, you could disable keyboards and mice that are USB too.
 
Ok, moving on, personally I found using the device id to be easier.  You get the device id from the device properties window (details tab) in device manager.  Just copy (ctrl-c) the id in the bottom pane and paste it into a new hardware device in SEP.  Allow the new hardware device and you are in business.  You can also find the ids in the logs if you are logging but not blocking.
 
For our testing here, we disabled all mass storage and tested 3 different model Kingston USB drives. We forced content down (updated policy on test machine just to be sure) and tested.  All disabled.  Then we added the device id of our company approved model to the exception list, forced content down (updated policy on test machine just to be sure) and tested again.  1 approved drive working fine and 2 non-company drives blocked.  And there was much rejoicing.
-Steve
Jason1222:
dispater and Toast
 
Thank you very much for the DeviceIDs.  I had heard somewhere that this feature had been enabled, but was not sure if they could literally be added into the SEPM.
 
And thank you again Toast, I know about the USB blockus and the exception for Human Interface Devices.  They have been a great help in the earlier SEP releases for blocking quite literally everything, minus the mouse; keyboards are still using PS2.  :D
 
Jason1222:
 
Gaaaahh! 
 
Still not working.  Here is a snippet of the security log:
 

00000001 00080000 00000000 000000b9 00000000 00000000000000b9 0000000e

000001d1 01c8a0bf3e01edb4 000000ee 00000007 2a01a8c0 00000000 00000000 00000000 00000000 01c8a0bf362049a4 01c8a0bf362049a4 00000001 00000000 Device Manager Message

Plug in the device again or restart to enable the device.

[name]:Generic volume

[class]:Storage volumes

[guid]:71a27cdd-812a-11d0-bec7-08002be2092f

[deviceID]:STORAGE\VOLUME\1&3735C57B&0&LDM#{80864CDC-35BC-4CEC-9C29-EA05D94AE86B}

Jason1222:
I should probably also mention that, using the same logs and snippets, I can create a rule to disallow mass storage; however, by inputting the deviceID as taken from the security logs as indicated in the post above, I can allow certain USB devices to function the way the system has intended for it to work.
 
Is there something more to it because it's NOT a USB mass storage device but rather an "External Hard Drive" recognized as "mass storage" connected to a fibre channel?
 
ClassID is the same as Mass Storage: "71a27cdd-812a-11d0-bec7-08002be2092f"
 
Also rules created the same way for:
"PCI\VEN_1217&DEV_7113&SUBSYS_011D1028&REV_20\4&39A85202&0&08F0"
which is an O2Micro OZ711EC1 SmartCardBus Controller, works
 
&
 
"USBSTOR\SFLOPPY&VEN_SONY&PROD_USB-FDU&REV_5.01\6&35D70A3A&0"
which is a SONY USB-FDU USB Device, works also.
 
...  depressing ...



Message Edited by Jason1222 on 04-24-2008 10:31 AM

Paul Murgatroyd:
Can you post exactly what you have in your policy now?
 
You should be able to allow the deviceID and block everything else either based on Class, or using a subset of the Device ID.

Paul Murgatroyd
Principal Product Manager, Symantec Endpoint Protection
Endpoint twitter feed: http://twitter.com/symc_endpoint

Jason1222:
Thanks for the assistance Paul,
 
I will try to get a snippet of the security logs, as right now I have 2 machines connected to 2 different FrameStores in a "Windows" environment.  The rest are mounted through NFS and thus no Symantec for them.
 
Right now, I cannot have them down for extended periods of time, so I will try to conduct more conclusive testing most likely tomorrow, Tuesday.
 
Because of this, the desktop support staff uninstalled SEP and thus the logs with it.  Grrrr.  I'll reinstall and go through the process again; I'll include the security logs and rules extracts.  Thanks.
Paul Murgatroyd:
No problem.. can you post the DeviceID that the FrameStore adapters seem to be using?  I may be able to work it from there...

Paul Murgatroyd
Principal Product Manager, Symantec Endpoint Protection
Endpoint twitter feed: http://twitter.com/symc_endpoint

Toast:
Jason,
 
/Start_Suckup First answer Paul's question, as Red names tend to have better answers.   /End_Suckup
 
I apologize in advance for asking this stupid question.  Is there a chance you entered the device id for the controller and not the mass storage?  It should show in the disk drives section of device manager for XP.  If this is exactly what you are using, then ignore my question. ::jedi mind trick::
 
While the policy is active, could you also look into the device manager of the client machine and see if the mass storage device part is disabled and not a controller or other needed part of the Frame Store (card, controller, etc.)?  Check again with the policy disabled.  That might give you hints on what is happening and lead in a different direction.
 
-Steve
Jason1222:
Thanks Toast :smileywink:
 
I know the moderators and Paul from the forums...  IMO, Red names = You'll get help soon...
 
So here it is, snippets and screens.  Hopefully this time they'll show up right (sorry in advance if you need to click the link)...
 
Here we have the Machine before I add it to the "blocking group".
 
And here we have the machine after adding it to the "blocking group", where we can see the "generic volume" being blocked.
 
For you Toaster, the Properties in the Device Manager
 
Paul, a snippet of the "Rules", as-is, that aren't working, but I am pretty sure I have already removed some custom rules, maybe from "editing" in trial and error.
 
[edit] In this part above, the "Rules", you can see the 'ClassID' for Mass Storage is {71a27cdd-812a-11d0-bec7-08002be2092f}, which is exactly the same as the [guid] which can be found below in the snippets of the Framestore being blocked.  [/edit]
* * * * * * * * *
And lastly, the seclog snippets.  I only took the last 2 entries, which were from moving into the group and, as prompted, after restarting the machine.
 
[name]:Generic volume
[class]:Storage volumes
[guid]:71a27cdd-812a-11d0-bec7-08002be2092f
[deviceID]:STORAGE\VOLUME\1&3735C57B&0&LDM#{80864CDC-35BC-4CEC-9C29-EA05D94AE86B}      Default [user] [DOMAIN]
000001cf 01c8aa3aa70c75fa 000000ee 00000007 2a01a8c0 00000000 00000000 00000000 00000000 01c8aa3aa044e496 01c8aa3aa044e496 00000001 00000000 
Device Manager Message
Plug in the device again or restart to enable the device.
 
[name]:Generic volume
[class]:Storage volumes
[guid]:71a27cdd-812a-11d0-bec7-08002be2092f
[deviceID]:STORAGE\VOLUME\1&3735C57B&0&LDM#{80864CDC-35BC-4CEC-9C29-EA05D94AE86B}      Default [user] [DOMAIN]
 
The message in the logs says "plug in the device again"...  That obviously can't be done, because it's a Framestore and not a USB key, not so easy to move, but I tried removing the Fibre connections and putting them back, but nothing.
OR
"Restart to ENABLE the device".  What's missing in the second part of the snippet, and NOT because I left it out, but rather because it's simply not there, is the message saying: "Device Manager Message
The device was enabled successfully."
 
Thanks. 



Message Edited by Jason1222 on 04-29-2008 02:43 PM

Paul Murgatroyd:
Thanks Jason, this is very interesting... everything looks right... have you tried using the deviceIDs of your fibre cards rather than your framestore?  I'm wondering if there is something a bit special about the Generic Volume device....

Paul Murgatroyd
Principal Product Manager, Symantec Endpoint Protection
Endpoint twitter feed: http://twitter.com/symc_endpoint

Jason1222:
It seems to me that that could have been the problem.  Unfortunately, I deleted or edited the rules I had created initially.  But yes, to answer your question, I did try to use the DeviceIDs for the "ATTO Celerity's" and the
"G-Tech G-SPeed Volumes" in conjunction with the rules to allow the "Generic Storage Volume".
As seen here:
 
But that was to no avail.  I have the same scenario presenting itself on a completely separate frame store, connected to a different physical machine, with the same procedure as above and the same results.
 
I don't think it's specific to the Hardware itself but rather the interpretation of "what the hardware is" from a M$ vs. Symantec point of view. 
 
Quite depressing really. 
 
I'll kick the user out in a few minutes and kidnap the machine in question.  I'll recreate the rule for the 2 HDDs and the 2 FC cards.  I'll use them in conjunction with the already existing rules and post a snippet, if relevant, from the security log.
 
 
Jason1222:
P.S.
 
I'll be using only the DeviceID taken from the properties pages in the Dev Man.
Paul Murgatroyd:
It probably won't make any difference, but can you try getting the IDs using our device viewer?
 
It's on CD2, Tools\NoSupport\DevViewer

Paul Murgatroyd
Principal Product Manager, Symantec Endpoint Protection
Endpoint twitter feed: http://twitter.com/symc_endpoint

Jason1222:
Indeed you are correct there Paul.  No change even when using the extracted DeviceID from the app.
 
Any other ideas?
 
Thanks.
ShadowsPapa:

I've been trying for a WEEK and can't make this work right! One time, the Kingston encrypted thumbdrive comes in as a CD, then as a floppy; it's never consistent.

Also, you can't PASTE into the new device class or ID.

I've run this thing on TWO computers and it will not let me paste; I must type those bloody long strings by hand.

I've tried everything: wildcards, multiple IDs and classes, nothing works consistently. It might work on one, then if I reboot, it won't work. Or it allows, then won't allow.

Each time you remove and reinsert, it's like a new device.

Has anyone actually gotten it to work on multiple computers?

I want to block all thumbdrives, but ALLOW only the Kingston secure DataTraveler.

Kingston encrypted USB "thumbdrive":
[class name]: <Unknown>
[guid]: {4d36e967-e325-11ce-bfc1-08002be10318}
[device id]: USBSTOR\DISK&VEN_KINGSTON&PROD_DTSECURE_PRIVACY&REV_6.51\0F7193711090989C&0
[MFG string]: (Standard disk drives)
[provider]: Microsoft
[driver data]: 6/21/2006
[driver version]: 6.0.6000.16386
[hidden device]: true
[Disabled]: false
[PNP device]: false
[can be disabled]: false
[device node]: 0x52fc

Kingston thumbdrive:
[class name]: <Unknown>
[guid]: {36fc9e60-c465-11cf-8056-444553540000}
[device id]: USB\VID_08EC&PID_204A\0F7193711090989C
[MFG string]: Compatible USB storage device
[provider]: Microsoft
[driver data]: 7/1/2001
[driver version]: 5.1.2600.0
[hidden device]: false
[Disabled]: false
[PNP device]: true
[can be disabled]: true
[device node]: 0x2d28

Kingston thumbdrive:
[class name]: <Unknown>
[guid]: {4d36e965-e325-11ce-bfc1-08002be10318}
[device id]: USBSTOR\CDROM&VEN_KINGSTON&PROD_DTSECURE_PRIVACY&REV_6.51\0F7193711090989C&1
[MFG string]: (Standard CD-ROM drives)
[provider]: Microsoft
[driver data]: 7/1/2001
[driver version]: 5.1.2535.0
[hidden device]: false
[Disabled]: false
[PNP device]: true
[can be disabled]: true
[device node]: 0x2d7c

[class name]: <Unknown>
[guid]: {71a27cdd-812a-11d0-bec7-08002be2092f}
[device id]: STORAGE\REMOVABLEMEDIA\7&B2A3224&0&RM
[MFG string]: Microsoft
[provider]: Microsoft
[driver data]: 7/1/2001
[driver version]: 5.1.2600.0
[hidden device]: false
[Disabled]: false
[PNP device]: true
[can be disabled]: true
[device node]: 0x2838
------------------------------------------------

Olympus DVR USB (dictation device):
[class name]: <Unknown>
[guid]: {4d36e967-e325-11ce-bfc1-08002be10318}
[device id]: USBSTOR\DISK&VEN_OLYMPUS&PROD_DVR&REV_1.00\6&3997D75&0
[MFG string]: (Standard disk drives)
[provider]: Microsoft
[driver data]: 6/21/2006
[driver version]: 6.0.6000.16386
[hidden device]: true
[Disabled]: false
[PNP device]: false
[can be disabled]: false
[device node]: 0x5398

[class name]: <Unknown>
[guid]: {4d36e965-e325-11ce-bfc1-08002be10318}
[device id]: USBSTOR\CDROM&VEN_KINGSTON&PROD_DTSECURE_PRIVACY&REV_6.51\0F7193711090989C&1
[MFG string]: (Standard CD-ROM drives)
[provider]: Microsoft
[driver data]: 7/1/2001
[driver version]: 5.1.2535.0
[hidden device]: true
[Disabled]: false
[PNP device]: false
[can be disabled]: false
[device node]: 0x5b70

Generic thumb-drive:
[class name]: <Unknown>
[guid]: {4d36e967-e325-11ce-bfc1-08002be10318}
[device id]: USBSTOR\DISK&VEN_&PROD_USB_DRIVE&REV_1.13\61460B04082D&0
[MFG string]: (Standard disk drives)
[provider]: Microsoft
[driver data]: 7/1/2001
[driver version]: 5.1.2535.0
[hidden device]: true
[Disabled]: false
[PNP device]: false
[can be disabled]: false
[device node]: 0x5c10

Dictation device:
[class name]: <Unknown>
[guid]: {36fc9e60-c465-11cf-8056-444553540000}
[device id]: USB\VID_07B4&PID_020B\5&1D3171BF&0&2
[MFG string]: Compatible USB storage device
[provider]: Microsoft
[driver data]: 7/1/2001
[driver version]: 5.1.2600.0
[hidden device]: false
[Disabled]: true
[PNP device]: true
[can be disabled]: true
[device node]: 0x345c

 

And how can you possibly paste? It won't let me.
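As an added example (not code from the thread, nor Symantec's), a small Python model of the rule logic Toast and Paul describe: block by class GUID, allow by device ID, wildcards permitted. It is fed the device nodes from ShadowsPapa's listing and the Framestore volume from Jason1222's log, and it shows why allowing a single node of a thumbdrive leaves its other nodes (CD-ROM, volume) disabled, and why a STORAGE volume node carries nothing vendor-specific to match on. The precedence rule (an explicit device-ID exception overrides a class block) and the fnmatch-style `*` semantics are assumptions for the model, not documented SEP behaviour.

```python
from fnmatch import fnmatchcase

# Class GUIDs exactly as they appear in the thread's listings; the labels are
# the Windows class names the thread shows for them.
BLOCKED_CLASSES = {
    "4d36e967-e325-11ce-bfc1-08002be10318",  # Disk drives (USBSTOR\DISK nodes)
    "4d36e965-e325-11ce-bfc1-08002be10318",  # CD-ROM drives (USBSTOR\CDROM nodes)
    "71a27cdd-812a-11d0-bec7-08002be2092f",  # Storage volumes (STORAGE\ nodes)
}

# Constructed sample: the four nodes one Kingston drive exposes, copied from
# ShadowsPapa's listing as (class GUID, device ID) pairs.
KINGSTON = [
    ("36fc9e60-c465-11cf-8056-444553540000",
     r"USB\VID_08EC&PID_204A\0F7193711090989C"),
    ("4d36e967-e325-11ce-bfc1-08002be10318",
     r"USBSTOR\DISK&VEN_KINGSTON&PROD_DTSECURE_PRIVACY&REV_6.51\0F7193711090989C&0"),
    ("4d36e965-e325-11ce-bfc1-08002be10318",
     r"USBSTOR\CDROM&VEN_KINGSTON&PROD_DTSECURE_PRIVACY&REV_6.51\0F7193711090989C&1"),
    ("71a27cdd-812a-11d0-bec7-08002be2092f",
     r"STORAGE\REMOVABLEMEDIA\7&B2A3224&0&RM"),
]

# The Framestore volume node from Jason1222's security log.
FRAMESTORE = [
    ("71a27cdd-812a-11d0-bec7-08002be2092f",
     r"STORAGE\VOLUME\1&3735C57B&0&LDM#{80864CDC-35BC-4CEC-9C29-EA05D94AE86B}"),
]


def decide(class_guid, device_id, allowed_patterns):
    """Assumed precedence: a matching device-ID exception (wildcards allowed)
    overrides a class block; anything else in a blocked class is blocked."""
    for pat in allowed_patterns:
        if fnmatchcase(device_id.upper(), pat.upper()):
            return "allowed"
    return "blocked" if class_guid.lower() in BLOCKED_CLASSES else "allowed"


def blocked_nodes(nodes, allowed_patterns):
    """Device IDs of this device that the policy would still disable."""
    return [dev for guid, dev in nodes if decide(guid, dev, allowed_patterns) == "blocked"]


if __name__ == "__main__":
    # Allowing only the DISK node leaves the CD-ROM and volume nodes disabled.
    print(blocked_nodes(KINGSTON, [r"USBSTOR\DISK&VEN_KINGSTON*"]))
    # The volume node has no vendor string, so the only pattern that frees it
    # also frees every other removable-media volume.
    print(blocked_nodes(KINGSTON, [r"USBSTOR\*PROD_DTSECURE_PRIVACY*",
                                  r"STORAGE\REMOVABLEMEDIA\*"]))
```

A defender checking a policy should therefore compare the log's [deviceID] for every node the device exposes, not just the one shown in Device Manager's Disk drives section.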