
block USB but allow specific device like USB scanner

Created: 03 Jul 2013 • Updated: 03 Jul 2013 | 8 comments
abhi1983's picture

I have a requirement where I have to

block USB but allow all devices like USB scanners, USB printers, phones, etc.

It's impossible to list all the device IDs for all the users for these scanners, printers ...

How can this be achieved?

 

 

 

 

 


.Brian's picture

Using Device ID is the only way

How to block USB flash drives while allowing other USB devices.

Article:TECH104299  |  Created: 2008-01-28  |  Updated: 2012-02-21  |  Article URL http://www.symantec.com/docs/TECH104299

 

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

pete_4u2002's picture

 

A few more links:

How to block USB Thumb Drives and USB Hard Drives, but allow specific USB Drives in the Application and Device Control Policy in Symantec Endpoint Protection.

http://bit.ly/uTVdha

How to block USB flash drives while allowing other USB devices.

http://www.symantec.com/docs/TECH104299

How to block USB devices while excluding mouse and keyboard?

http://www.symantec.com/docs/TECH161779

 

abhi1983's picture

Not useful... I want to know whether there is some way we can block or allow all USB scanners/cameras, or all USB printers, etc.

I don't want to go by device ID, as that needs a lot of operational overhead.

AjinBabu's picture

Hi,

I don't think you can block / allow a device without a class ID or device ID.

the hardware devices list

Symantec Endpoint Protection Manager includes a hardware devices list. Some devices are included in the list by default. You use the devices when you configure device control.

You can add devices to the list. You cannot edit or delete any default devices.

Devices are identified by a device ID or class ID. You use either of these values to add a device to the list.

class ID

The class ID refers to the Windows GUID. Each device type has both a Class and a ClassGuid associated with it. The ClassGuid is a hexadecimal value with the following format:

{00000000-0000-0000-0000-000000000000}

device ID

A device ID is the most specific ID for a device. The syntax of a device ID includes some descriptive strings that make it easier to read than the class ID.

When you add a device ID, you can use a device's specific ID. Alternately, you can use a wildcard character in the device ID string to indicate a less specific group of devices. You can use an asterisk (*) to indicate zero or more additional characters or a question mark (?) to indicate a single character of any value.

The following is a device ID for a specific USB Sandisk device:

USBSTOR\DISK&VEN_SANDISK&PROD_CRUZER_MICRO&REV_2033\0002071406&0

The following is a device ID with a wildcard that indicates any USB Sandisk device:

USBSTOR\DISK&VEN_SANDISK*

The following is a device ID with a wildcard that indicates any USB disk device:

USBSTOR\DISK*

The following is a device ID with a wildcard that indicates any USB storage device:

USBSTOR*

Obtaining a class ID or device ID
 
You can use the Symantec DevViewer tool to obtain either the class ID (GUID) or the device ID. You can use Windows Device Manager to obtain the device ID.
 
After you obtain a device ID, you can modify it with a wildcard character to indicate a less specific group of devices.
 
To obtain a class ID or device ID by using the DevViewer tool

1. On your product disc, locate the \TOOLS\NOSUPPORT\DEVVIEWER folder, and then download the DevViewer.exe tool to the client computer.
2. On the client computer, run DevViewer.exe.
3. Expand the Device Tree and locate the device for which you want the device ID or the GUID.
   For example, expand DVD-ROM drives and select the device within that category.
4. In the right-hand pane, right-click the device ID (which begins with [device ID]), and then click Copy Device ID.
5. Click Exit.
6. On the management server, paste the device ID into the list of hardware devices.

To obtain a device ID from Control Panel

1. On the Windows taskbar, click Start > Settings > Control Panel > System.
2. On the Hardware tab, click Device Manager.
3. In the Device Manager list, double-click the device.
4. In the device's Properties dialog box, on the Details tab, select the Device ID.
   By default, the Device ID is the first value displayed.
5. Press Control+C to copy the ID string.
6. Click OK or Cancel.
 
Regards
Ajin
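
The wildcard and class ID matching described in the post above, as an added example that is not part of the original post and is not Symantec code. The evaluation order (an exclusion wins over a block), the case-insensitive comparison and every device except the SanDisk ID are assumptions constructed for illustration; the class GUIDs are the standard Windows device setup class values.

```python
import re

# Microsoft-defined device setup class GUIDs (the "class ID" in the post above).
CLASS_DISKDRIVE = "{4d36e967-e325-11ce-bfc1-08002be10318}"
CLASS_IMAGE = "{6bdd1fc6-810f-11d0-bec7-08002be2092f}"    # cameras and scanners
CLASS_PRINTER = "{4d36e979-e325-11ce-bfc1-08002be10318}"

def wildcard_to_regex(pattern):
    """Translate a device ID pattern: '*' = zero or more chars, '?' = exactly one."""
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                   for c in pattern)
    # Assumption: comparison is case-insensitive, as Windows device IDs are.
    return re.compile(body, re.IGNORECASE | re.DOTALL)

def entry_matches(entry, device):
    """A list entry is either a class GUID ({...}) or a device ID pattern."""
    if entry.startswith("{"):
        return entry.lower() == device["class_guid"].lower()
    return wildcard_to_regex(entry).fullmatch(device["device_id"]) is not None

def decide(device, blocked, excluded):
    """Hypothetical evaluation order: an exclusion wins over a block."""
    if any(entry_matches(e, device) for e in excluded):
        return "allow"
    if any(entry_matches(e, device) for e in blocked):
        return "block"
    return "allow"

# Constructed inventory; only the SanDisk device ID is taken from the post.
DEVICES = {
    "sandisk": {"device_id": r"USBSTOR\DISK&VEN_SANDISK&PROD_CRUZER_MICRO&REV_2033\0002071406&0",
                "class_guid": CLASS_DISKDRIVE},
    "other_disk": {"device_id": r"USBSTOR\DISK&VEN_EXAMPLE&PROD_STICK&REV_0001\CONSTRUCTED01&0",
                   "class_guid": CLASS_DISKDRIVE},
    "scanner": {"device_id": r"USB\VID_0000&PID_0001\CONSTRUCTED02", "class_guid": CLASS_IMAGE},
    "printer": {"device_id": r"USB\VID_0000&PID_0002\CONSTRUCTED03", "class_guid": CLASS_PRINTER},
}

def evaluate(blocked, excluded):
    """Return the allow/block decision for every device in the inventory."""
    return {name: decide(dev, blocked, excluded) for name, dev in DEVICES.items()}

if __name__ == "__main__":
    # Block all USB storage, but exclude any SanDisk disk from blocking.
    print(evaluate(["USBSTOR*"], [r"USBSTOR\DISK&VEN_SANDISK*"]))
    # "USB*" is broader than it looks: it also matches USBSTOR\... IDs.
    print(evaluate(["USB*"], [CLASS_IMAGE, CLASS_PRINTER]))
```

Before a pattern goes into a policy, running it against an exported device inventory like this shows exactly which devices it would catch; a pattern such as `USB*` matches both `USB\...` and `USBSTOR\...` IDs, while `USB\*` matches only the former.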
 
 
abhi1983's picture

Like, to block all disks we can use

USBSTOR\DISK*

Is there any string which we can use to block all USB cameras and scanners?

Same for USB data cards, and so on.

 

 

Chetan Savade's picture

Hi,

Thank you for posting in Symantec community.

Application Control can only block devices that are seen by Windows as disk drives and have drive letters associated with them.  Devices that do not add drive letters (such as an iPhone or iPad) will need to be blocked using Device Control.

Check if these articles help:

About the hardware devices list
 
 
How to block USB flash drives while allowing other USB devices
 
 
How to Block or Allow Devices in Symantec Endpoint Protection
 
 

Chetan Savade
Sr Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.

Mithun Sanghavi's picture

Hello,

Check these Articles:

How to block USB flash drives while allowing other USB devices.

http://www.symantec.com/docs/TECH104299

How to block USB Thumb Drives and USB Hard Drives, but allow specific USB Drives in the Application and Device Control Policy in Symantec Endpoint Protection.

http://www.symantec.com/docs/TECH106304

How to Block or Allow Devices in Symantec Endpoint Protection

http://www.symantec.com/docs/TECH175220

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.