Video Screencast Help

Blocking users from copying files to USB devices

Created: 13 May 2010 | 6 comments

I would like to know the procedure to prevent users from copying data to USB devices through Symantec DLP solution. I tried creating a response rule but DLP doesnt block or flag it as an incident.


Comments 6 CommentsJump to latest comment

jjesse's picture

Do you have licenses for DLP Endpoint PRevent and is it installed?  Have you setup DLP Endpoint to monitor removable media?  Are the usb devices showing up as Removable Media or as an additional hard drive?

Jonathan Jesse Practice Principal ITS Partners

Anamika's picture

Yes I can see the DLP incidents for data copied to CD or USB devices. Instead of being able to detect such incidents I would like to prevent users from copying the data. I have created a policy where rule is set to match key words and in the respose rule I have set the protocol as Removable devices.
When I try to add Endpoint Prevent-Block to an exisiting policy i get the below error message-

"Marked EDM, IDM, and/or DGM rules will not trigger Endpoint Prevent: Block and Endpoint Prevent: Notify response rules. For the policy to exhibit correct behavior, you may either modify the marked detection rule(s) or the marked response rule(s)."

Naor Penso's picture

By design,
Symantec DLP would not block IDM or EDM policies assigned to an endpoint computer, because the fact is that if an endpoint would need to store IDM/EDM profiles than the client would consume a lot of memory.
Try creating a policy without using an IDM/EDM profile and using just keywords (also known as DCM).
Than assign an Endpoint - Prevent response to the policy and you will be able to block the transfer on the endpoint.
Kind Regards,
Naor Penso.

For Forum threads, please click "Mark as Solution" if answered.
For all content, please give a thumbs up if you agree with or support the post.
Thanks :)

jjesse's picture

would be create a policy that violates via DCM and via an EDM or IDM for the endpoint, that way your policy will work on the DIM and DAR side of things as well as the endpoint.

Jonathan Jesse Practice Principal ITS Partners

Muhammad Ishaq Khan's picture

create a policy in which you only add endpoint protocol (USB), and also add a response rule which block and popup message to end user. it will work.

Best Regards,                                     &nbsp

x.thomas's picture

Noar's point is correct. To do BLOCKING at the end-point, this can only be done by Described Content matching.( DCM)

The cost assigned to EDM, IDM or DGM is too high to apply these methods to the end point. The cost for DCM is low, it uses keywords and won't overload the endpoint plus it's faster anyway.


Cherian Thomas

Info.Security Cnslt