Endpoint Protection

I have an environment where the End Users have Access to Create unlimited VMware Machines on their Base Host machines. We have SEP installed on all the Host Machines with USB blocking enabled.However when the VMwares are created in these Host Machines the users are Able to Access the USB drives from within the VMwares.This is an Information Security (Data Loss) Nightmare. Is there a way to block the USB Access through the VMware using the SEP installed in the Host Machine. Please suggest if any. Else are there alternate (3rd Party) ways to achieve this ?

Please Note: We cannot install SEP on all the VMwares that are getting created everyday.

How are you currently blocking for the host, by device ID? This may change when is connects to the VM as it uses the virtual USB driver so you may need to set up two different blocks in the policy, one for host and one for virtual USB.

Thanks for the prompt reply Brian!!  :)

I am using the general USB Block All Rule using Device Control and have setup exlusions for Human Interface Devices only.

How can I setup a specific rule to block the functionality of the Virtual USB Driver ? Can u please shed some light on the same.

Copy DevViewer into your VM and run it to find the device ID of the USB.

DevViewer - a tool for finding hardware device ID for Device Blocking in Symantec Endpoint Protection

Than you can add the device ID to the policy to block

This can be the perfect solution, provided the Device ID remains the same everytime a VMware is created and a VMware USB driver is triggered by a USB device But Will It Be the Same ?  :)

I have close to 800 users under a Specific Client Process who create 2 to 3 Vmware Machines a day that's ~2000 events in a single day. Can you suggest a solution for a setup like this :) 

So each virtual USB adapter has a different device ID?

Is there a way to block the USB Access through the VMware using the SEP installed in the Host Machine

- Generally the SEP is designed for taking care after the host OS itself and not "OS under OS" - your target may not be achievable this way as probably (as I can imagine) Virtual Environent on each new Guest VM will create a new USB host access with different Device ID of GUID.

- Did you consider blocking the USB ports completely on tehe host machine with use of the GPOs?

 - Other way could be a limitation for the guest machines users can create in that environment - possibly restricting them to only be able to create new machines based on the given template (that would have already SEP preinstalled with USB block policy).

Hi

Actually you can do something by blocking VMWare USB Device in SEP (see below pic)

but the problem is SEP does not block this device properly. If you keep playing with removing and attaching the usb device eventually you can access usb in the VM!!!!