Endpoint Protection


Device Control for USB printer

  • 1.  Device Control for USB printer

    Posted Jul 04, 2013 10:16 AM

    Hello,

    I have a USB printer. Currently we block the USB Class ID through Device Control in SEP and whitelist the printer's Device ID.

    The IT guys are tired of adding a Device ID for each new printer model...

    A Printer class exists.

     

    The question is: what happens if we block the USB Class ID and whitelist the Printer Class ID? Does the printer work?

    Tests are difficult to do directly because of the users behind them (VIPs...). If someone has already tested this, I would appreciate your help on the subject.

     

    Thanks in advance,

     

    Regards



  • 2.  RE: Device Control for USB printer

    Trusted Advisor
    Posted Jul 04, 2013 10:21 AM

    Hello,

    What version of SEP are you running?

    Yes, the printer should work if the printer class ID is under exceptions.

    Check these Articles:

    How to block USB flash drives while allowing other USB devices.

    http://www.symantec.com/docs/TECH104299

    How to block USB Thumb Drives and USB Hard Drives, but allow specific USB Drives in the Application and Device Control Policy in Symantec Endpoint Protection.

    http://www.symantec.com/docs/TECH106304

    How to Block or Allow Devices in Symantec Endpoint Protection

    http://www.symantec.com/docs/TECH175220

    Hope that helps!!



  • 3.  RE: Device Control for USB printer

    Posted Jul 04, 2013 11:22 AM

    It does work (blocking USB class and excluding printers from blocking), but is inconsistent.

    Essentially, for existing installed and working printers you should be fine. But(!), in the case of new printers (or when you move the printer to a different USB port on a computer), when the printer is plugged in it will register as a new USB device and get immediately blocked before it can tell Windows that it's a printer.

    Is there any reason you're blocking the entire USB class rather than a more specific target like the Device ID below?

    USBSTOR\*

     



  • 4.  RE: Device Control for USB printer

    Broadcom Employee
    Posted Jul 04, 2013 01:50 PM

    Hi,

    Thank you for posting in Symantec community.

    This is important info in this article

    A Class ID is a generic category of devices that are designated by the Windows operating system.  A Class ID is always listed as a GUID. 

    In SEP, wildcards are not supported on Class IDs.

    A Device ID (also known as a Device Instance ID in Windows) is a specific ID that is given to each device.  A Device ID can be more effective for blocking or allowing devices because it is made by concatenating a list of data about the particular device.  Device IDs are generally in a more readable format.

    For Device IDs wildcards are supported: * and ?.

    So I would also suggest keeping the existing settings as they are.



  • 5.  RE: Device Control for USB printer

    Posted Jul 04, 2013 02:17 PM

    Always start with Test mode. Check the logs, then move it to Production mode in the Application and Device Control policy.



  • 6.  RE: Device Control for USB printer

    Posted Jul 05, 2013 09:21 AM

    Hello,

    I understand that USB printers will still be blocked if the USB class is blocked and the Printer class allowed. So if I'm right, there is no solution except whitelisting printers by Device ID.

    The overall idea is that we want to guarantee that all devices with memory (USB keys, external disks...) are blocked. We also used Application Control to filter "Removable drives" and USBSTOR\*.

    The problem is how to be sure that USBSTOR is enough to block all devices that can be written to. Do all these devices use this Device ID prefix?

    I'm a little bit lost with the different options we have 'playing' with Class ID (USB...), Device ID (USBSTOR) and the Removable Drives option in Application Control (Symantec cannot tell me what is really inside it... USBSTOR needed to be added, for example, because some devices were still allowed even though Removable Drives were blocked...).

    For example, I don't really understand why some USB keys are whitelisted via USB\VID_xxxPID... rather than USBSTOR...

    Any help will be appreciated.

    Thanks in advance,

    Regards



  • 7.  RE: Device Control for USB printer

    Broadcom Employee
    Posted Jul 05, 2013 09:54 AM

    Hi,

    "The problem is how to be sure that USBSTOR is enough to block all devices that can be written to?"

    --> It works when you choose this option. Have you ever seen that, even after using this option, a USB device is still accessible or able to read/write data?

    It is recommended to use Device IDs over Class IDs in most cases.

    Have you checked this?

    Here are examples of using wildcards:

    Any USB storage device:
    USBSTOR*

    Any USB disk:
    USBSTOR\DISK*

    Any USB SanDisk drive:
    USBSTOR\DISK&VEN_SANDISK*

    Any USB SanDisk Micro Cruzer drive:
    USBSTOR\DISK&VEN_SANDISK&PROD_CRUZER_MICRO*

    A specific SanDisk device:
    USBSTOR\DISK&VEN_SANDISK&PROD_CRUZER_MICRO&REV_2033\0002071406&0

    How to block USB Thumb Drives and USB Hard Drives, but allow specific USB Drives in the Application and Device Control Policy in Symantec Endpoint Protection.

    http://www.symantec.com/docs/TECH106304



  • 8.  RE: Device Control for USB printer

    Posted Jul 05, 2013 09:58 AM

    So the solution may be:

    Don't block any class, don't whitelist any device, and use Application Control on USBSTOR\* to block read/write permission. => Will this block all writable devices and allow the others?

    Regarding my USB key referenced as usb\vid_xxxpid..., will this work too?

    Thx



  • 9.  RE: Device Control for USB printer

    Posted Jul 05, 2013 10:04 AM

    It really does depend upon your priorities as a company.

    If you block USBSTOR*, then you won't have any printer problems at all, but you may not block all removable storage devices (i.e. those starting USB\VID_xxxPID).

    If you block the USB class (and allow the printer class), then you're pretty much guaranteed to block everything, but you will encounter the odd issue here and there (i.e. with new printers and when changing the port to which a printer is connected).

    If you wanted to be really thorough, then you could also consider blocking the Storage Volumes and Disk Drives classes (after extensive testing, of course).

    Like I say, it really depends on whether the extra security is worth the extra effort to you. If data loss is a major priority for your company, then maybe Symantec's DLP product is worth a look-see:

    http://www.symantec.com/data-loss-prevention
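    The matching rules described in posts 4, 7 and 9 (Class IDs are exact GUIDs with no wildcards; Device IDs accept * and ?; USBSTOR* does not catch a device that enumerates as USB\VID_...), worked through as an added Python model. This is an illustration written for this thread, not Symantec code and not from any poster. It assumes, beyond what the thread states, that matching is case-insensitive and anchored to the whole Device Instance ID, that an "Excluded from Blocking" entry wins over a "Blocked Devices" entry, and that each device can be treated as a single PnP node (real Windows enumeration is a tree). The SanDisk Device ID is the one quoted in post 7; the other device IDs and names are constructed, and the class GUIDs are the standard Windows setup class GUIDs.

```python
"""Toy model of SEP Device Control matching (added illustration, not SEP code).

Assumptions not stated in the thread:
  * Device ID patterns: '*' matches any run of characters, '?' exactly one;
    comparison is case-insensitive and anchored to the whole Device Instance ID.
  * Class IDs are compared as exact GUIDs; a wildcard in a Class ID is rejected.
  * A device matched by an "Excluded from Blocking" entry stays allowed even if
    a "Blocked Devices" entry also matches it.
  * Each device is modelled as one PnP node (real enumeration is a tree).
"""
import re
from dataclasses import dataclass

# Standard Windows setup class GUIDs (what SEP shows as Class IDs).
DISK_DRIVES = "{4D36E967-E325-11CE-BFC1-08002BE10318}"
PRINTERS = "{4D36E979-E325-11CE-BFC1-08002BE10318}"
PORTABLE_DEVICES = "{EEC5AD98-8080-4E4A-9080-76CDA33A3E64}"  # WPD: MTP phones, cameras

GUID_RE = re.compile(r"^\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.I)


@dataclass(frozen=True)
class Rule:
    kind: str    # "class" (GUID) or "device" (Device Instance ID pattern)
    value: str


@dataclass(frozen=True)
class Device:
    name: str
    instance_id: str   # Device Instance ID as shown by Device Manager
    class_guid: str


def device_pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate a SEP-style '*' / '?' pattern into an anchored regex."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))   # '\' and '&' are literal in Device IDs
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def rule_is_valid(rule: Rule) -> bool:
    """Class IDs must be plain GUIDs (no wildcards); device rules are free-form."""
    if rule.kind == "class":
        return GUID_RE.match(rule.value) is not None
    return rule.kind == "device" and rule.value != ""


def rule_matches(rule: Rule, device: Device) -> bool:
    if rule.kind == "class":
        return rule.value.upper() == device.class_guid.upper()
    return device_pattern_to_regex(rule.value).match(device.instance_id) is not None


def is_blocked(blocked, excluded, device: Device) -> bool:
    """Exclusion wins over blocking (assumed SEP precedence)."""
    if any(rule_matches(r, device) for r in excluded):
        return False
    return any(rule_matches(r, device) for r in blocked)


def evaluate(blocked, excluded, devices) -> dict:
    """Map device name -> 'BLOCKED' / 'allowed' under one policy."""
    for rule in list(blocked) + list(excluded):
        if not rule_is_valid(rule):
            raise ValueError(f"invalid rule: {rule}")
    return {d.name: ("BLOCKED" if is_blocked(blocked, excluded, d) else "allowed")
            for d in devices}


# Constructed sample inventory. The SanDisk ID is the one quoted in post 7;
# the other IDs are invented but follow the formats Device Manager shows.
DEVICES = [
    Device("SanDisk Cruzer Micro",
           "USBSTOR\\DISK&VEN_SANDISK&PROD_CRUZER_MICRO&REV_2033\\0002071406&0", DISK_DRIVES),
    Device("External USB hard disk",
           "USBSTOR\\DISK&VEN_GENERIC&PROD_EXTERNAL_HDD&REV_0100\\1234567890ABCDEF&0", DISK_DRIVES),
    Device("Smartphone (MTP)",
           "USB\\VID_1234&PID_5678\\0123456789ABCDEF", PORTABLE_DEVICES),
    Device("USB laser printer",
           "USBPRINT\\HEWLETT-PACKARDHP_LA5B1B\\6&2D9A8F&0&USB001", PRINTERS),
]

POLICIES = {
    "block USBSTOR* (posts 3 and 9)": ([Rule("device", "USBSTOR*")], []),
    "block Disk Drives class (post 9)": ([Rule("class", DISK_DRIVES)], []),
    "block USBSTOR*, exclude one SanDisk model (post 7)": (
        [Rule("device", "USBSTOR*")],
        [Rule("device", "USBSTOR\\DISK&VEN_SANDISK&PROD_CRUZER_MICRO*")]),
}

if __name__ == "__main__":
    for title, (blocked, excluded) in POLICIES.items():
        print(title)
        for name, verdict in evaluate(blocked, excluded, DEVICES).items():
            print(f"  {verdict:8} {name}")
```

    Running it shows the trade-off post 9 describes: both USBSTOR* and the Disk Drives class catch the two USBSTOR disks and leave the printer alone, but neither touches the phone, whose only node is USB\VID_1234&PID_5678 in the Portable Devices class, so a policy built on USBSTOR alone has to be complemented by something that covers USB\VID_... devices if "all writable devices" is the goal.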



  • 10.  RE: Device Control for USB printer

    Broadcom Employee
    Posted Jul 05, 2013 11:26 AM

    Yes, you should have proper testing prior to implementation.

    To block all USB devices and allow others, follow these steps:

    1. In SEP Manager, open 'Policies'. Click 'Application and Device Control'.
    2. Click 'Add an Application and Device Control Policy'.
    3. Click on the 'Device Control' tab.
    4. Under the 'Blocked Devices' section, click the ADD button and select the USB option.
    5. Click the ADD button under 'Excluded from Blocking' and select, one by one, all of the other devices that use USB that should not be blocked (e.g. pointing devices, keyboards, cameras, joysticks, HDDs, etc.).
    6. Click OK to save the changes and assign the policy.

    If you are manually adding usb\vid_xxxpid... under exclusions, then yes, it should work too.



  • 11.  RE: Device Control for USB printer

    Posted Jul 08, 2013 03:39 AM

    Hello,

     

    thanks for your help.

    Can you explain to me why moving a USB device from one USB port to another may behave differently?

    Today we block the USB class and whitelist each authorized device via its USB\VID.... Device ID. This works fine, but it seems that some users don't understand this process... The new goal is to open everything except writable devices. As far as I can understand, it's not easy! DLP is not used on workstations and SEE doesn't match our needs... I wonder how other companies do that!

     

    Regards



  • 12.  RE: Device Control for USB printer

    Posted Jul 08, 2013 04:14 AM

    Hi

    Yes, the printer should work if it has been put in the excluded list.

    Regards

     



  • 13.  RE: Device Control for USB printer

    Posted Jul 08, 2013 04:35 AM

    Hi,

    Follow http://www.symantec.com/docs/TECH106304.

    Regards

    Ajin



  • 14.  RE: Device Control for USB printer

    Posted Jul 08, 2013 11:50 AM

    As far as your earlier question goes, moving a device from one USB port to another can sometimes cause Windows to treat the device as if it hasn't seen it before, resulting in the same behaviour I described in my earlier post.

    When you say "the new goal is to open everything except writable devices", does this mean you're looking to use/test the default Application Control rules "Make all removable drives read-only [AC3]" and "Block writing to USB drives [AC4]"?

    If so, then I'd recommend using the AC3 rule, as it appears to be identical to AC4 but also includes drive type matching as well as the Device ID matching.