Endpoint Protection

 View Only

  • 1.  Device Control Blocks Allowed USB drive, but log says that device was allowed

    Posted Nov 18, 2015 12:11 PM

    Good Morning,

    We have set up device control rules using Symantec Endpoint Protection Manager 12.1.5. The AV Client version is 12.1.5337.5000.

    We block all USB drives except a few whitelisted ones. I have recently added a few new drives to the list and encountered unexpected behaviour. When the user plugs in the drive, they get a message saying that the drive has been blocked, but when I look at the device control log, the log states that the device was allowed. The drive does not show up in Windows Explorer.

    How can I get the USB drive to be allowed on the client computer(s)?

    Thanks,



  • 2.  RE: Device Control Blocks Allowed USB drive, but log says that device was allowed

    Posted Nov 18, 2015 02:39 PM

    is the new policy configured and applied correctly to the client group ? can you please post a screenshot of the policy ?



  • 3.  RE: Device Control Blocks Allowed USB drive, but log says that device was allowed

    Posted Nov 18, 2015 02:48 PM

    This is an old policy that I have edited to add a few more flash drives, but I have confirmed that the policy is applied to the correct group.

    I have attached a screenshot of the Policy.

     



  • 4.  RE: Device Control Blocks Allowed USB drive, but log says that device was allowed

    Posted Nov 18, 2015 02:54 PM

    Was this working prior to adding the new USBs? What if you create a new policy, with your new exceptions and add it to the group.



  • 5.  RE: Device Control Blocks Allowed USB drive, but log says that device was allowed

    Posted Nov 18, 2015 03:19 PM

    It was working before. I have created a new policy and will let you know if it works better.



  • 6.  RE: Device Control Blocks Allowed USB drive, but log says that device was allowed

    Posted Nov 18, 2015 03:44 PM

    The new policy has the same issue. 



  • 7.  RE: Device Control Blocks Allowed USB drive, but log says that device was allowed

    Trusted Advisor
    Posted Nov 19, 2015 06:54 AM

    When white listing the device names are you putting in the full device ID? or are you using the first part of the device ID with a wild card to make that specific type of USB device work? If you are using the full device ID is the user using the same USB stick you got the device ID off? As if it's a different USB stick it will have it's own unique device ID if you haven't wild carded the end part. 



  • 8.  RE: Device Control Blocks Allowed USB drive, but log says that device was allowed
    Best Answer

    Posted Nov 19, 2015 10:24 AM

    The problem was that Symantec had disabled the drive in the device manager, and when I added the access Symantec did not re-enable them. Manually enabling the drive resolved the issue.