Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.

Blocking USB Storage devices

Created: 05 Oct 2012 • Updated: 15 Nov 2012 | 23 comments
This issue has been solved. See solution.

Hi

I am using SEPM version 11.0.6 and I have like 40 managed computers from Windows XP to Windows 7. I would like to create a separate group where If users try to plug in their USB storage devices like Memory Sticks,BB phones,Ipods etc into their systems they cannot access them or see them. I only want these devices blocked. They can use their USB mouse,keyboard and printers. How can I do this in SEPM? Any help would be appreciated.

Thanks

Carolin

Comments 23 CommentsJump to latest comment

.Brian's picture

How to use Application and Device Control to block all USB devices except those I specifically want to allow

http://www.symantec.com/business/support/index?page=content&id=TECH105770&actp=search&viewlocale=en_US&searchid=1334609914324

How to block USB Thumb Drives and USB Hard Drives, but allow specific USB Drives in the Application and Device Control Policy in Symantec Endpoint Protection.

http://www.symantec.com/business/support/index?page=content&id=TECH106304

How to Block or Allow Devices in Symantec Endpoint Protection

http://www.symantec.com/business/support/index?page=content&id=TECH175220

Application and Device Control whitepaper

http://www.symantec.com/avcenter/security/ADC/Configuring_Application_Control_1.1.pdf

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

John Santana's picture

Hi Brian,

By following the instructions above, in order to whitelist (allow) then you need to manually get the USB drive type and model ?

Kind regards,

John Santana
IT Professional

--------------------------------------------------

Please be nice to me as I'm newbie in this forum.

pete_4u2002's picture

devviewer tool will help to get the list of device id. yes, it is manual process.

John Santana's picture

Many thanks Pete for your repsonse :-)

Kind regards,

John Santana
IT Professional

--------------------------------------------------

Please be nice to me as I'm newbie in this forum.

Mithun Sanghavi's picture

Hello,

Here are the Steps to block the USB Drives -

1. First you have start and logon to “Symantec Endpoint Protection Manager”

2. In the main windows | tool bar select: “Policies” | Hardware Devices | right click and ADD

3. In Device Name write “USB Storage” and Device ID “USBSTOR*.*” | OK 

4. Then click inside “Application and Device Control” in the main menu and then right click inside “Application and Device Control” and Edit. 

5. Device Control | Blocked Devices and click Add

6. Select “USB Storage” and click OK

7. Active Notification: Mark: “Notify users when deviced is blocked”, click “Specify Message Text” ) | add messange | OK (c) and click OK.

8. To assign to the policy just click in “ASSIGN”

9. Select the group to be applied and click “Assign”

10. Done the policy will updated to all workstation member of this group.

Check these Articles:

How to Block or Allow Devices in Symantec Endpoint Protection

http://www.symantec.com/docs/TECH175220

How to block USB Thumb Drives and USB Hard Drives, but allow specific USB Drives in the Application and Device Control Policy in Symantec Endpoint Protection.

http://www.symantec.com/docs/TECH106304

How to block USB Keys with SEP

http://www.symantec.com/docs/TECH106361

Also, Check these Threads:

https://www-secure.symantec.com/connect/forums/how-block-usb-using-sepm-windows-7

https://www-secure.symantec.com/connect/forums/usb-device-control-2

https://www-secure.symantec.com/connect/forums/sepm-121-application-and-device-control

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

greg12's picture

Hi Carolin,

just as an addition to the previous posts: In SEP 11, Application and Device control, which is responsible for blocking USB devices, only runs on computers with 32-bit OS. E.g., if your Windows 7 computers are 64-bit, it won't work. In this case you have to update to SEP 12.1 (this is a good idea anyway).

Here is another whitepaper for Application and Device Control:

http://www.symantec.com/connect/sites/default/files/Application%20and%20Device%20Control_V1%202_4_0.pdf

HTH!

Ashish-Sharma's picture

HI,

How to block or allow device's in Symantec Endpoint Protection

http://www.symantec.com/connect/articles/how-block-or-allow-devices-symantec-endpoint-protection

https://www-secure.symantec.com/connect/downloads/sep-policy-block-usb-and-exclude-keyboard-and-mouse

How to block USB Thumb Drives and USB Hard Drives, but allow specific USB Drives in the Application and Device Control Policy in Symantec Endpoint Protection.

http://www.symantec.com/business/support/index?page=content&id=TECH106304

Thanks In Advance

Ashish Sharma

carolin's picture

Hi guys,

This is not working. Any ideas how to troubleshoot this issue?

Thanks

carolin's picture

Hi

Seems as though the blocking of the USB pen drives and BB phones is working perfect for the Windows 7 32 bit computers. However it is not working for windows XP 32 bit and windows 7 64 bit computers. Any ideas would be appreciated.

Thanks

.Brian's picture

Do they have latest policy?

Are they in a different group from the ones that are working?

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Chetan Savade's picture

Hi,

Application and device control policy doesn't work on 64bit OS, you need SEP 12.1.

Symantec Endpoint Protection 11.0 compatibility with 64-bit platform

http://www.symantec.com/business/support/index?pag...

So in your case will have to check why it's not working on windows XP 32 bit only?

Check the policy serial number and also make sure same SEP features are installed on Windows xp machine compared to Windows 7 machines

I would also suggest to upgrade to the SEP 12.1 RU1 version.

You can directly upgrade from SEP 11.6 to SEP 12.1 RU1.It's a free upgrade.

Why upgrade is important?

Few differences between SEP 11.x and SEP 12.1 EE

https://www-secure.symantec.com/connect/articles/f...

Chetan Savade
Sr.Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.<

carolin's picture

thanks. How do I check the policy serial number? The same SEP features are installed on both Windows XP 32 bit and Windows 7 32bit.

Chetan Savade's picture

Hi,

Screenshot is attached to the reference.Screenshot is taken from SEPM 11.x.

Chetan Savade
Sr.Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.<

carolin's picture

The client has the same policy serial number as the group they are assigned to.

John Santana's picture

Hi CHetan, how can we change the policy serial number ?

in one of the server environment, I saw that the policy is the same as my desktop and I don't want it to be treated like desktop.

Kind regards,

John Santana
IT Professional

--------------------------------------------------

Please be nice to me as I'm newbie in this forum.

Chetan Savade's picture

Hi,

You should move them to the respective group.

Clients will take the policys which is assigned to their respective group.

If they are not taking assigned policy then further troubleshooting is required.

Chetan Savade
Sr.Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.<

carolin's picture

Hi guys,

Really need some help with this urgently.

Thanks

Chetan Savade's picture

Hi,

Further troubleshooting can be done with the help of Sep Support tool logs.

Gather SEP Support Tool with WPP logging

How to enable Automatic Symantec Endpoint Protection (SEP) 12.1 Client Debugging, including WPP logs

http://www.symantec.com/docs/TECH171176

This issue is occurring on all Windows XP 32 bit machines? not on random machines?

Collect Sep support tool from affected clients machines. Collect it from at least 2 machines.

Chetan Savade
Sr.Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.<

Ashish-Sharma's picture

HI,

Application and device control policy doesn't work on 64bit OS, you need SEP 12.1.

Symantec Endpoint Protection 11.0 compatibility with 64-bit platform

http://www.symantec.com/business/support/index?pag...

In Windows xp try to Create new SEPM group Apply ADC policy and export new package and install one sep client.

Check policy blocked aur not ?

Thanks In Advance

Ashish Sharma

Chetan Savade's picture

Hi,

As I said earlier Application and device control policy won't work on 64bit machines.

Check this article to know more about it

Symantec Endpoint Protection 11.0 compatibility with 64-bit platform

http://www.symantec.com/business/support/index?pag...

If you are interested to upgrade then please go through the following article

SEP 11.x to SEP 12.1 Upgrade process graphical overview

http://bit.ly/sDogRu

Chetan Savade
Sr.Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.<

SOLUTION
John Santana's picture

Thanks for the update Chetan !

Kind regards,

John Santana
IT Professional

--------------------------------------------------

Please be nice to me as I'm newbie in this forum.