Endpoint Protection

  • 1.  EndPoint MR4 Device blocking is bluescreening computers

    Posted Dec 07, 2009 09:10 PM

    Hey Everyone,

    Need a bit of help.

    We are having a strange issue where I am setting up device control for removable devices.

    I have set up the policy and applied it to my laptop and it works perfectly, blocking removable devices.
    When I apply the policy to HP Workstations the machine's HDD gets blocked and the PC BSODs. After that I need to go to Safe Mode and re-apply the old policy.

    I used the devtool on CD 2 to look for the device ID and add it into Symantec. The only problem is every PC has a different device ID and we have different models of the HP mainly the xw4400.

    I don't really want to exclude the device ID of every HDD in our office.

    I have one policy that blocks a few applications and also blocks devices.
    Disk Drives
    Floppy

    I have also enabled the rule to only filter removable drives.

    Below is an example of the OS HDD EndPoint is blocking:
    [class name]: <Unknown>
    [guid]: {4d36e967-e325-11ce-bfc1-08002be10318}
    [device id]: IDE\DISKST380815AS______________________________3.CHF___\52393758584A574D202020202020202020202020
    [MFG string]: (標準ディスク ドライブ)
    [provider]: Microsoft
    [driver data]: 2001/07/01
    [driver version]: 5.1.2535.0
    [hidden device]: false
    [Disabled]: false
    [PNP device]: true
    [can be disabled]: true
    [device node]: 0xf8c

    Also if I exclude based on Class ID it will allow all hard drives and even my thumb drive has the same class ID e.g.

    {4d36e967-e325-11ce-bfc1-08002be10318}

    I need to allow the hard drives on the HP workstations but block USB thumb drives...

    I can't block USB either, as I need to be able to use bar code readers and Windows Mobile phones with ActiveSync.

    I think the main problem might be that with the HP Workstations their hard drives come up with

    [can be disabled]: true

    When I use dev view and look at the hard drive on my laptop that the policy works on I get this:

    [class name]: <Unknown>
    [guid]: {4d36e967-e325-11ce-bfc1-08002be10318}
    [device id]: IDE\DISKTOSHIBA_MK6025GAS_______________________KA200A__\5&2288DCF3&0&0.0.0
    [MFG string]: (Standard disk drives)
    [provider]: Microsoft
    [driver data]: 7/1/2001
    [driver version]: 5.1.2535.0
    [hidden device]: false
    [Disabled]: false
    [PNP device]: true
    [can be disabled]: false
    [device node]: 0xfcc

    Why would a hard drive hosting an operating system come up with that? If you could provide any help it would be greatly appreciated.

    Thanks!



  • 2.  RE: EndPoint MR4 Device blocking is bluescreening computers

    Posted Dec 07, 2009 09:20 PM
    Have you tried this document...

    How to block USB Thumb Drives and USB Hard Drives, but allow specific USB Drives in the Application and Device Control Policy in Symantec Endpoint Protection.

    http://service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/b54beb2f46268ccc882574e80052960f?OpenDocument


  • 3.  RE: EndPoint MR4 Device blocking is bluescreening computers

    Posted Dec 07, 2009 11:25 PM
    Can you let us know the version of SEP & the OS of the machines that give you a BSOD


  • 4.  RE: EndPoint MR4 Device blocking is bluescreening computers

    Posted Dec 08, 2009 01:10 AM

    Start using our DevViewer utility on CD2, you can see device ID's and Class ID's from that.  For more information on Device ID's see here: http://msdn.microsoft.com/en-us/library/ms791083.aspx
    Suffice to say, you can use wildcards in the device ID to match based on device type, manufacturer, etc. For instance, on my machine I have a USB device (Apple iPhone) which is recognised as:

    \USB\Vid_05ac&Pid_1292\9f5bce6ec6831ba6c2520874ebca5f1ce17ac5c6

    If you wanted to block that single device I could use the above string.
    If you wanted to block all Apple iPhones, I could use the following:
    USB\Vid_05ac&Pid_1292\*
    If you wanted to block all Apple USB devices, I could use this:
    USB\Vid_05ac*
    If you wanted to block all Apple devices, I could try this:

    \*\Vid_05ac*

    In the above example,
    Vid_05ac - Vendor ID 05ac - Apple

    Pid_1292 - Product ID
    ref: Device Control USB device ID guidelines

    You can use the link suggested by Rafeeq for doing this....
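    A worked model of the wildcard matching this reply describes, using the device IDs quoted in the thread. It is added here as an illustration and is not Symantec's code or the poster's. It assumes patterns are case-insensitive, a leading backslash is ignored, `*` matches any run of characters including backslashes, and an excluded device ID takes precedence over a class block (check that precedence against the SEP version you run); the thumb drive entry and the iPhone class GUID are constructed stand-ins.

```python
import re

DISK_CLASS = "{4d36e967-e325-11ce-bfc1-08002be10318}"  # Disk Drives class GUID quoted in the thread

# (class GUID, device ID) per device. The two HDD IDs and the iPhone ID are quoted in the thread;
# the thumb drive entry and the iPhone class GUID are constructed stand-ins.
DEVICES = {
    "hp_hdd": (DISK_CLASS, r"IDE\DISKST380815AS______________________________3.CHF___\52393758584A574D202020202020202020202020"),
    "laptop_hdd": (DISK_CLASS, r"IDE\DISKTOSHIBA_MK6025GAS_______________________KA200A__\5&2288DCF3&0&0.0.0"),
    "thumb_drive": (DISK_CLASS, r"USBSTOR\DISK&VEN_EXAMPLE&PROD_FLASH&REV_1.00\0123456789ABCDEF&0"),
    "iphone": ("{constructed-non-disk-class-guid}", r"\USB\Vid_05ac&Pid_1292\9f5bce6ec6831ba6c2520874ebca5f1ce17ac5c6"),
}

def normalize(device_id):
    """Drop a leading backslash and fold case: device IDs are matched case-insensitively."""
    return device_id.lstrip("\\").lower()

def matches(pattern, device_id):
    """True if a wildcard pattern matches the device ID; '*' matches any run of characters,
    backslashes included, so 'USB\\Vid_05ac*' covers every Apple USB device."""
    parts = [re.escape(p) for p in normalize(pattern).split("*")]
    return re.fullmatch(".*".join(parts), normalize(device_id)) is not None

def decide(policy, class_guid, device_id):
    """Return 'allow' or 'block'. Assumption: an excluded device ID wins over any block rule."""
    if any(matches(p, device_id) for p in policy["exclude_ids"]):
        return "allow"
    if class_guid.lower() in {g.lower() for g in policy["block_classes"]}:
        return "block"
    if any(matches(p, device_id) for p in policy["block_ids"]):
        return "block"
    return "allow"

def evaluate(policy):
    """Apply a policy to every device in DEVICES."""
    return {name: decide(policy, guid, dev_id) for name, (guid, dev_id) in DEVICES.items()}

# The poster's original policy: block the Disk Drives class, which also takes out the OS disk.
NAIVE = {"block_classes": [DISK_CLASS], "block_ids": [], "exclude_ids": []}
# Following the wildcard advice: keep the class block but exclude every IDE disk by device ID,
# so USB-attached disks (same class GUID) stay blocked while the internal drives are allowed.
FIXED = {"block_classes": [DISK_CLASS], "block_ids": [], "exclude_ids": [r"IDE\*"]}

if __name__ == "__main__":
    for name, policy in (("naive", NAIVE), ("fixed", FIXED)):
        print(name, evaluate(policy))
```

Note that a per-model exclusion such as `IDE\DISKST3250620AS*` only helps if it matches the model string the DevViewer output actually shows; the HP drive quoted above is an ST380815AS, which it would not match.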



  • 5.  RE: EndPoint MR4 Device blocking is bluescreening computers

    Posted Dec 08, 2009 01:33 AM
    All the PCs are Windows XP with SP3. SEP 11 with MR4


  • 6.  RE: EndPoint MR4 Device blocking is bluescreening computers

    Posted Dec 08, 2009 01:35 AM
    Excellent! I will give the wildcards a go and try filtering those HDDs out by doing this: IDE\DISKST3250620AS*

    I will keep you posted.


  • 7.  RE: EndPoint MR4 Device blocking is bluescreening computers

    Posted Dec 08, 2009 02:16 AM
    If the problem got solved by using wildcards pls mark my post as solution.