
Disable usb devices with some exclusions (printers, scanners, usb keyboards and mice only)

Created: 31 Oct 2013 | 4 comments
L K:

Hi Everyone!!!!!
I have some problems with my Application and Device Control policy. I need to disable any USB devices so nobody can move any files using them. I already have a USBSTOR disabling policy, but I also want to disable any phones and cameras.
Hope you'll help me.

existing policy:

Blocked Devices
  Device Name   Identification
  USBSTORE      Device: USBSTOR\*

Devices Excluded From Blocking
  Device Name                                                               Identification
  Human Interface Devices (Mice, Joysticks, Gamepads, and System controls)  Class: {745a17a0-74d3-11d0-b6fe-00a0c90f57da}
  Printing Devices                                                          Class: {4d36e979-e325-11ce-bfc1-08002be10318}

Operating Systems:


Rafeeq:

check this

Smart phones and Application and Device Control in Symantec Endpoint Protection 11.0

http://www.symantec.com/docs/TECH147791

Your policy blocks all the USBs and allows human interface devices only. This should block any other USB devices getting connected. It's not working??

L K:

My policy blocks all USB Mass Storage devices, not all USBs.

Actually I can block all USBs, but then scanners are also blocked.

When I add an exclusion
  Imaging Devices (Scanners, Digital Cameras, etc)  Class: {6bdd1fc6-810f-11d0-bec7-08002be2092f}

smartphones automatically aren't blocked either.

Rafeeq:

As a test, have you tried blocking the device using the device ID?

Use the tool DevViewer (found in the folder TOOLS\NOSUPPORT\DEVVIEWER on CD2 of SEP) to get the device ID for the device.

Add the device ID to the list of Hardware Devices under Policies -> Policy Components. Then create an Application and Device Control policy and add the device under Device Control.

SEP doesn't seem to include a class ID for smartphones among its default policy components. However, I have just found the following class ID on MSDN which is for Windows Portable Devices (WPD): eec5ad98-8080-425f-922a-dabf3de3f69a

L K:

Finally I decided to block all USBs:

Blocked Devices
  Device Name   Identification
  USB           Class: {36fc9e60-c465-11cf-8056-444553540000}

and as I had only a small variety of scanners, I made these exclusions:

Devices Excluded From Blocking
  Device Name                                                               Identification
  Human Interface Devices (Mice, Joysticks, Gamepads, and System controls)  Class: {745a17a0-74d3-11d0-b6fe-00a0c90f57da}
  Printing Devices                                                          Class: {4d36e979-e325-11ce-bfc1-08002be10318}
  CanoScan Lide 110                                                         Device: USB\VID_04A9&PID_1909\*
  Canon MF4010 Series                                                       Device: USB\VID_04A9&PID_26B4&MI_00\*
  Canon MF4400 Series (the same as MF 4410)                                 Device: USB\VID_04A9&PID_2737&MI_00\*
  Canon MF4320-4350                                                         Device: USB\VID_04A9&PID_26EE&MI_00\*
  USBPRINT                                                                  Device: USBPRINT\*

but now I have another problem on a couple of computers where this policy is applied: it disables all Generic USB Hubs:

"Device Manager Message The device was disabled successfully.   [name]:Generic USB Hub   [class]:Universal Serial Bus controllers   [guid]:36fc9e60-c465-11cf-8056-444553540000   [deviceID]:USB\VID_8087&PID_0024\5&355C47BA&0&1"

It is normal according to the policy above, but I have printers connected to those computers which are going offline.

And by the way, when I replace this policy with another one which isn't blocking USBs, tick "Use printer online", and then go back to my "Blocking USB" policy, everything works fine until the next such event.

Please help me find out the principle of disabling Generic USB Hubs and why the exclusions don't work at that time.
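To reason about why the excluded printers still go offline, here is an added Python model of the two policies from this thread (the original USBSTOR\* block and the final USB-class block). It is not Symantec's code and not a description of SEP internals; it assumes three things, each marked in the code: an exclusion wins over a block for the same node, a `*` in a Device pattern is a trailing wildcard, and a Windows device whose parent node is disabled (such as a printer plugged into a disabled hub) becomes unavailable even when its own node is excluded. The device tree is constructed for the example: only the hub's device ID and the Canon VID/PID values come from the thread, and the instance paths, parent links and the third "hub excluded by device ID" variant are assumptions.

```python
import fnmatch

# Class GUIDs quoted in the thread, plus DiskDrive (not from the thread).
USB_CLASS   = "{36fc9e60-c465-11cf-8056-444553540000}"  # Universal Serial Bus controllers
HID_CLASS   = "{745a17a0-74d3-11d0-b6fe-00a0c90f57da}"
PRINT_CLASS = "{4d36e979-e325-11ce-bfc1-08002be10318}"
IMAGE_CLASS = "{6bdd1fc6-810f-11d0-bec7-08002be2092f}"
WPD_CLASS   = "{eec5ad98-8080-425f-922a-dabf3de3f69a}"
DISK_CLASS  = "{4d36e967-e325-11ce-bfc1-08002be10318}"

# Constructed device tree (assumption). The hub's device ID and the Canon
# VID/PIDs are from the thread; instance paths (after the last backslash)
# and "parent" links are invented for this example.
INVENTORY = [
    {"name": "Generic USB Hub", "class": USB_CLASS, "parent": None,
     "device_id": r"USB\VID_8087&PID_0024\5&355C47BA&0&1"},
    {"name": "CanoScan Lide 110", "class": IMAGE_CLASS, "parent": "Generic USB Hub",
     "device_id": r"USB\VID_04A9&PID_1909\6&0000AAAA&0&3"},
    {"name": "Canon MF4010 Series", "class": PRINT_CLASS, "parent": "Generic USB Hub",
     "device_id": r"USB\VID_04A9&PID_26B4&MI_00\7&0000BBBB&0&0000"},
    {"name": "USB Mass Storage Device", "class": USB_CLASS, "parent": "Generic USB Hub",
     "device_id": r"USB\VID_0000&PID_0001\0000000001"},
    {"name": "Generic Flash Disk", "class": DISK_CLASS, "parent": "USB Mass Storage Device",
     "device_id": r"USBSTOR\DISK&VEN_GENERIC&PROD_FLASH&REV_1.00\0000000001&0"},
    {"name": "USB Composite Device", "class": USB_CLASS, "parent": "Generic USB Hub",
     "device_id": r"USB\VID_0000&PID_0002\0000000002"},
    {"name": "Smartphone (WPD)", "class": WPD_CLASS, "parent": "USB Composite Device",
     "device_id": r"USB\VID_0000&PID_0002&MI_00\8&0000CCCC&0&0000"},
]

# The thread's first policy: block USBSTOR\*, exclude HID and printers.
ORIGINAL_POLICY = {
    "blocked":  [("device", r"USBSTOR\*")],
    "excluded": [("class", HID_CLASS), ("class", PRINT_CLASS)],
}

# The thread's final policy: block the whole USB class, exclude by class/device ID.
FINAL_POLICY = {
    "blocked":  [("class", USB_CLASS)],
    "excluded": [("class", HID_CLASS), ("class", PRINT_CLASS),
                 ("device", r"USB\VID_04A9&PID_1909\*"),
                 ("device", r"USB\VID_04A9&PID_26B4&MI_00\*"),
                 ("device", r"USB\VID_04A9&PID_2737&MI_00\*"),
                 ("device", r"USB\VID_04A9&PID_26EE&MI_00\*"),
                 ("device", r"USBPRINT\*")],
}

# Assumed variant: the hub excluded by its device ID. Excluding it by class is
# impossible here, because its class is the very class being blocked.
HUB_EXCLUDED_POLICY = {
    "blocked":  FINAL_POLICY["blocked"],
    "excluded": FINAL_POLICY["excluded"] + [("device", r"USB\VID_8087&PID_0024\*")],
}


def matches(rule, dev):
    """Assumed matching: class rules compare GUIDs, device rules are case-insensitive globs."""
    kind, pattern = rule
    if kind == "class":
        return dev["class"].lower() == pattern.lower()
    return fnmatch.fnmatchcase(dev["device_id"].lower(), pattern.lower())


def node_decision(policy, dev):
    """Decision for one node on its own; an exclusion beats a block (assumption)."""
    if any(matches(r, dev) for r in policy["excluded"]):
        return "excluded"
    if any(matches(r, dev) for r in policy["blocked"]):
        return "blocked"
    return "allowed"


def effective_state(policy, inventory, name):
    """Walk up the device tree: a blocked ancestor takes this node offline."""
    by_name = {d["name"]: d for d in inventory}
    own = node_decision(policy, by_name[name])
    if own == "blocked":
        return own
    parent = by_name[name]["parent"]
    while parent is not None:
        if node_decision(policy, by_name[parent]) == "blocked":
            return "offline (parent %s blocked)" % parent
        parent = by_name[parent]["parent"]
    return own


def report(policy, inventory=INVENTORY):
    """Effective state of every node under a policy, keyed by device name."""
    return {d["name"]: effective_state(policy, inventory, d["name"]) for d in inventory}


if __name__ == "__main__":
    for label, policy in (("original", ORIGINAL_POLICY), ("final", FINAL_POLICY),
                          ("hub excluded", HUB_EXCLUDED_POLICY)):
        print("== %s policy ==" % label)
        for name, state in report(policy).items():
            print("  %-26s %s" % (name, state))
```

Under the final policy the hub node matches the USB class, no exclusion matches its ID, and everything plugged into it (excluded printers and scanners included) ends up offline, which is the symptom described above. Under the original policy only the USBSTOR node is blocked and the phone passes. In the assumed variant, excluding the hub by device ID lets each downstream node be judged on its own, so the storage and phone nodes stay blocked while the printers stay up; whether SEP evaluates nodes this way is something to confirm on a test machine with the DevViewer output.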