
is this possible - device control area....

Created: 02 Oct 2008 • Updated: 21 May 2010 | 4 comments

to block certain USB "drives" but allow others?

Reason asking - we need to ALLOW certain USB dictation recorders - when they are docked, Windows sees them as a removable drive due to the card in them where the dictation is recorded to and stored.

HOWEVER, we want to block certain other USB or removable drives.

And can we allow only certain thumbdrives, but block others?

Say we have encrypted thumbdrives that are state-owned, but want to block any OTHER thumbdrives, like those they'd bring from home???

 

Thanks!

David-Z

Yes,

 

To accomplish this you will first need to acquire the Device ID of the USB drive you would like to specify in the policy.

 

To obtain a device ID from Control Panel

1 On the Windows taskbar, click Start > Settings > Control Panel > System.

2 On the Hardware tab, click Device Manager.

3 In the Device Manager list, double-click the device.

4 In the device's Properties dialog box, on the Details tab, select the Device ID.

By default, the Device ID is the first value displayed.

5 Press Control+C to copy the ID string.

6 Click OK or Cancel.

 

Next you need to add the device ID to the SEPM:

 

1  In the SEP Manager window, select Policies. 

2  Expand Policy Components and left-click on Hardware Devices.

3  Drop down to Tasks and select "Add a Hardware Device..."

4  A pop-up will require a Device Name and a Device ID

5  Still in Policies, Select Application and Device Control.

6  In the right pane of the Application and Device Control window, right-click Application and Device Control policy, left-click on Edit...

7  In the upper-left quadrant of this window select Device Control.

8  In the right-hand panel go to Devices Excluded from Blocking/Blocked Devices, click Add...

9  In the Add Hardware Devices window, browse to the device you added in Step 4 and click OK.

 

Hope that helps!

David Z.

Senior Principal Technical Support Engineer, Symantec Corporation

Enterprise Security, Mobility and Management

ShadowsPapa

OK, we're half-way there - thanks - but what are "thumb-drives" considered?

I can't block ALL USB devices, but want to block thumb-drives.

OR, must I block ALL USB devices, then allow the certain brand thumbdrive and dictation device we want?

 

Would a thumbdrive (flash-drive, memory stick, whatever you want to call it) be a USB, or a Storage Volume or what?

When I go to application and device control policy, then device control, then blocked devices, then choose Add, I see a list. Not sure - want it to be simple, don't want to block ALL USB, then have to add in a dozen devices we want to allow. I'd rather block a certain class of devices, thumbdrives, then allow the one thumbdrive brand we will allow.

What's the easiest way to get there?

 

EduFon®

Hi, I need to block only certain types of files. Really, I need to block all files on a pen drive and only allow executing Office extensions, like .doc, .docx.

I tried with * for all, and configured exceptions like *.doc, *.xls, and it doesn't work.

Only .exe files can't be executed. With others I have no problem if I don't have any block policy.

 

Thanks.

 

Eduardo Fontana.

Bs As - Argentina

ShadowsPapa

I've tried everything, I just can't get this to work every time on every computer. It may block a thumbdrive, then restart, it won't. It will allow the Kingston encrypted drive, then will block it!

The notice will show, or it won't show.

And you can't paste a class or ID in the manager, there are no options for that, and a right click does nothing at all. You must manually type all this. It takes hours, and still can't get consistent results.

 

We want to block all USB thumb drives, but ALLOW the Olympus dictation device and the Kingston thumbdrive. The Olympus is a USB dictation machine, and appears as a storage device or drive and Windows gives it a drive letter. The Kingston is a thumbdrive but the E drive appears as a CD drive, then autoplay launches an app so you can access the real USB drive.

 

Kingston encrypted USB "thumbdrive":

[class name]: <Unknown>

[guid]: {4d36e967-e325-11ce-bfc1-08002be10318}

[device id]: USBSTOR\DISK&VEN_KINGSTON&PROD_DTSECURE_PRIVACY&REV_6.51\0F7193711090989C&0

[MFG string]: (Standard disk drives)

[provider]: Microsoft

[driver data]: 6/21/2006

[driver version]: 6.0.6000.16386

[hidden device]: true

[Disabled]: false

[PNP device]: false

[can be disabled]: false

[device node]: 0x52fc

 

Kingston thumbdrive:

[class name]: <Unknown>

[guid]: {36fc9e60-c465-11cf-8056-444553540000}

[device id]: USB\VID_08EC&PID_204A\0F7193711090989C

[MFG string]: Compatible USB storage device

[provider]: Microsoft

[driver data]: 7/1/2001

[driver version]: 5.1.2600.0

[hidden device]: false

[Disabled]: false

[PNP device]: true

[can be disabled]: true

[device node]: 0x2d28

 

Kingston thumbdrive:

[class name]: <Unknown>

[guid]: {4d36e965-e325-11ce-bfc1-08002be10318}

[device id]: USBSTOR\CDROM&VEN_KINGSTON&PROD_DTSECURE_PRIVACY&REV_6.51\0F7193711090989C&1

[MFG string]: (Standard CD-ROM drives)

[provider]: Microsoft

[driver data]: 7/1/2001

[driver version]: 5.1.2535.0

[hidden device]: false

[Disabled]: false

[PNP device]: true

[can be disabled]: true

[device node]: 0x2d7c

[class name]: <Unknown>

[guid]: {71a27cdd-812a-11d0-bec7-08002be2092f}

[device id]: STORAGE\REMOVABLEMEDIA\7&B2A3224&0&RM

[MFG string]: Microsoft

[provider]: Microsoft

[driver data]: 7/1/2001

[driver version]: 5.1.2600.0

[hidden device]: false

[Disabled]: false

[PNP device]: true

[can be disabled]: true

[device node]: 0x2838

------------------------------------------------

Olympus DVR USB (dictation device):

[class name]: <Unknown>

[guid]: {4d36e967-e325-11ce-bfc1-08002be10318}

[device id]: USBSTOR\DISK&VEN_OLYMPUS&PROD_DVR&REV_1.00\6&3997D75&0

[MFG string]: (Standard disk drives)

[provider]: Microsoft

[driver data]: 6/21/2006

[driver version]: 6.0.6000.16386

[hidden device]: true

[Disabled]: false

[PNP device]: false

[can be disabled]: false

[device node]: 0x5398

[class name]: <Unknown>

[guid]: {4d36e965-e325-11ce-bfc1-08002be10318}

[device id]: USBSTOR\CDROM&VEN_KINGSTON&PROD_DTSECURE_PRIVACY&REV_6.51\0F7193711090989C&1

[MFG string]: (Standard CD-ROM drives)

[provider]: Microsoft

[driver data]: 7/1/2001

[driver version]: 5.1.2535.0

[hidden device]: true

[Disabled]: false

[PNP device]: false

[can be disabled]: false

[device node]: 0x5b70

Generic thumb-drive:

[class name]: <Unknown>

[guid]: {4d36e967-e325-11ce-bfc1-08002be10318}

[device id]: USBSTOR\DISK&VEN_&PROD_USB_DRIVE&REV_1.13\61460B04082D&0

[MFG string]: (Standard disk drives)

[provider]: Microsoft

[driver data]: 7/1/2001

[driver version]: 5.1.2535.0

[hidden device]: true

[Disabled]: false

[PNP device]: false

[can be disabled]: false

[device node]: 0x5c10

Dictation device:

[class name]: <Unknown>

[guid]: {36fc9e60-c465-11cf-8056-444553540000}

[device id]: USB\VID_07B4&PID_020B\5&1D3171BF&0&2

[MFG string]: Compatible USB storage device

[provider]: Microsoft

[driver data]: 7/1/2001

[driver version]: 5.1.2600.0

[hidden device]: false

[Disabled]: true

[PNP device]: true

[can be disabled]: true

[device node]: 0x345c
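
Added example, not part of the thread and not Symantec's code: a simplified Python model of a blocked-devices list plus a "Devices Excluded from Blocking" list, run over the device IDs posted above, to show which nodes of each physical device an exclusion pattern actually covers. It assumes `*` wildcard matching on device IDs and that an exclusion overrides a block; both are modelling assumptions, and the pattern lists and function names are hypothetical.

```python
from fnmatch import fnmatchcase

# Device nodes copied from the thread as (label, device ID).
NODES = [
    ("Kingston disk",
     r"USBSTOR\DISK&VEN_KINGSTON&PROD_DTSECURE_PRIVACY&REV_6.51\0F7193711090989C&0"),
    ("Kingston CD-ROM",
     r"USBSTOR\CDROM&VEN_KINGSTON&PROD_DTSECURE_PRIVACY&REV_6.51\0F7193711090989C&1"),
    ("Kingston USB node", r"USB\VID_08EC&PID_204A\0F7193711090989C"),
    ("Olympus disk", r"USBSTOR\DISK&VEN_OLYMPUS&PROD_DVR&REV_1.00\6&3997D75&0"),
    ("Dictation USB node", r"USB\VID_07B4&PID_020B\5&1D3171BF&0&2"),
    ("Generic disk", r"USBSTOR\DISK&VEN_&PROD_USB_DRIVE&REV_1.13\61460B04082D&0"),
]

# Hypothetical policy: block every USB mass-storage node (USBSTOR enumerator)
# instead of the whole USB class, then exclude the approved models.
BLOCKED = [r"USBSTOR\*"]
NARROW = [r"USBSTOR\DISK&VEN_KINGSTON&PROD_DTSECURE_PRIVACY*",
          r"USBSTOR\DISK&VEN_OLYMPUS&PROD_DVR*"]
# The encrypted Kingston also exposes a CD-ROM node that carries its launcher.
FULL = NARROW + [r"USBSTOR\CDROM&VEN_KINGSTON&PROD_DTSECURE_PRIVACY*"]


def decide(device_id, blocked, excluded):
    """Modelled rule: a node is blocked if it matches a blocked pattern
    and no excluded pattern. Device IDs are compared case-insensitively."""
    dev = device_id.upper()

    def hit(patterns):
        return any(fnmatchcase(dev, p.upper()) for p in patterns)

    return "block" if hit(blocked) and not hit(excluded) else "allow"


def evaluate(blocked, excluded):
    """Decision for every node listed in NODES."""
    return {label: decide(dev, blocked, excluded) for label, dev in NODES}


def usable(result, prefix):
    """Assumption: a physical device works only if all of its nodes are allowed."""
    return all(v == "allow" for k, v in result.items() if k.startswith(prefix))


if __name__ == "__main__":
    for name, excl in (("NARROW", NARROW), ("FULL", FULL)):
        print(name, evaluate(BLOCKED, excl))
```

In this model the exclusion that names only the Kingston `DISK` node leaves its `CDROM` node blocked, while the `USB\VID_...` nodes are never touched because only `USBSTOR\*` is on the block list.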