
SEP11 Application & Device Control problem: USB set to Read Only w/ Write exemptions DOES NOT WORK

Created: 04 Mar 2011 | 10 comments

Hi there.

This is causing me a major headache. I have a call logged with Symantec and they are not getting very far with this either (ref. 414112147). I have 1500 clients that urgently require this functionality.

- USB devices must be set to read only.

- With certain devices exceptions set to allow write using the VID/PID combination with wildcards.

It's really that simple.

I am aware of how to edit the Hardware Devices though Policy Components. I am using DevViewer to take the following and amend with the wildcard (yes I have tried without the wildcard also):

USB\VID_090C&PID_1000\*

I am also aware that the App & Dev Control component must be installed on the endpoint client - it is. It is also 32bit Win XP SP3 (so fully compatible).

When editing the default "Make all removable drives read-only" rule in the Application Control element of the policy (all I need to do is add my exclusion to the "Do not apply to the following files and folders" rule section under the "Block writing to all files and folders" condition), the device is not exempted. Write access is blocked along with all other non-exempted devices which contradicts what I have set.

I am able to make this work with the Device Control section of the policy. But I do not have options here to make the devices read only, only block all USB which I do not want to do.

Different devices with different VID/PID combinations have the same effect. My VID/PIDs are correct.

I can see the policy serial number in SEPM and the endpoint (they match).

Versions are SEPM 11.0.6005.562 / endpoint 11.0.6200.754 (so the endpoint is more up to date).

Can anybody assist?
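To check that the VID/PID values and the wildcard pattern actually match what Windows reports for the device, here is an added PowerShell script (not from this thread, and not Symantec's tooling). The exception list is a constructed sample, and Win32_PnPEntity is used because it exists on XP SP3, the platform named above.

```powershell
# Added example: list USB devices as Windows reports them and test each against
# SEP-style hardware-device patterns such as USB\VID_090C&PID_1000\*.
# Constructed sample of the "allow write" exceptions you would add under
# Policies > Policy Components > Hardware Devices (SEP accepts * and ? wildcards).
$WriteExceptions = @(
    'USB\VID_090C&PID_1000\*'
)

function ConvertTo-WildcardRegex {
    param([string]$Pattern)
    # Escape regex metacharacters, then give * and ? back their wildcard meaning.
    $escaped = [regex]::Escape($Pattern) -replace '\\\*', '.*' -replace '\\\?', '.'
    return "^$escaped$"
}

function Test-DeviceException {
    param([string]$DeviceId, [string[]]$Patterns)
    # -match is case-insensitive, which matches how device IDs are compared in practice.
    foreach ($p in $Patterns) {
        if ($DeviceId -match (ConvertTo-WildcardRegex $p)) { return $true }
    }
    return $false
}

function Get-UsbDeviceReport {
    param([string[]]$Patterns = $WriteExceptions)
    # Win32_PnPEntity exposes the same device instance ID that DevViewer shows.
    Get-WmiObject -Class Win32_PnPEntity |
        Where-Object { $_.DeviceID -like 'USB\VID_*' } |
        ForEach-Object {
            $id = $_.DeviceID
            $vendorId = $null; $productId = $null
            if ($id -match 'VID_([0-9A-F]{4})&PID_([0-9A-F]{4})') {
                $vendorId = $Matches[1]; $productId = $Matches[2]
            }
            New-Object PSObject -Property @{
                Name         = $_.Name
                DeviceID     = $id
                VID          = $vendorId
                PID          = $productId
                WriteAllowed = Test-DeviceException -DeviceId $id -Patterns $Patterns
            }
        }
}

# Devices reported as WriteAllowed = True are the ones the exception pattern covers;
# anything else should still be governed by the read-only rule.
Get-UsbDeviceReport | Sort-Object WriteAllowed -Descending |
    Format-Table Name, VID, PID, WriteAllowed, DeviceID -AutoSize
```

Run it on a test client with the device plugged in; if the stick does not show WriteAllowed = True, the pattern entered in the Hardware Devices list does not match the ID Windows actually reports.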


Mithun Sanghavi wrote:

Hello Rafeeq,

I believe you wanted to pinpoint on the Symantec KB articles as below:

How to block USB Thumb Drives and USB Hard Drives, but allow specific USB Drives in the Application and Device Control Policy in Symantec Endpoint Protection.

http://www.symantec.com/business/support/index?page=content&id=TECH138570&actp=search&viewlocale=en_US&searchid=1299258802261

How to make USB drives read-only with Symantec Endpoint Protection using Application and Device Control

http://www.symantec.com/business/support/index?page=content&id=TECH95813&actp=search&viewlocale=en_US&searchid=1299258802261


Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

Kurt G. wrote:

You also need to ensure that you have PTP and NTP installed.

You can attach a copy of your testing policy to this thread and we can take a look to see if there are any discrepancies.

Kurt G.
Symantec Technical Specialist: Endpoint Security Advanced Team

Symantec Corporation www.symantec.com

Symantec Enterprise Support: (800) 342 0652 

mancalledSun wrote:

@KurtG

The only element of SEP that is not installed on the endpoint is AV Email Protection.  Both NTP and PTP are installed along with the App and Dev Control feature.  So this is not my issue.

@Mithun

TECH95813 only mentions making devices Read Only. It does not discuss adding exempt devices.

TECH138570 is more promising as section E) describes EXACTLY what I want to do and also what I have done.  It does not work.

I will attach a copy of the policy soon but it is no different to what section E) mentions above.

Symantec have just advised me that:

"As deny always take precedence over allow the policy will not work. In order to achieve the goal we have to take a different approach of implementation/configuration of SEP client."

So it is not possible to configure this. Instead I have been told to re-implement SEP in user mode and when users require write access to USB sticks move them into an "admin" group that allows them full access! I certainly won't be following this advice any time soon as it sounds like an administration nightmare.

BUT...

If deny takes precedence over allow, then why does it work when I set up the policy in Device Control mode to block all but allow some (which is no good, remember I want to make devices read only, not be totally blocked)? I assume this is the difference between hardware level protection and application level (like NTFS permissions)?

Very disappointing.

justscott wrote:

1.) Add the USB you want to allow WRITE access to your Hardware Device List
 (Policies - Policy Components - Hardware Devices - Add Hardware Device)

2.) For the policy - Under application Control check
 make all removable drives read-only
    Then Block writing to removable media
            Block writing to all files and folders
                  For Actions - Your Read Attempt continues processing,
                  Create, Delete, or Write will be Blocked

3.) Under Device Control - Add the USB you added in Step 1 to the Devices Excluded from Blocking

justscott wrote:

Under Application Control - Make All removable drives read-only - Block writing to removable media (as well as Block writing to all files and folders)

add your writeable USB to "Do Not Apply this rule to the following processes". Screenshot attached: WriteUSB.png

mancalledSun wrote:

@justscott

Thanks but that is exactly what I am doing.

In theory this is correct, but can anybody actually confirm it is working?  Because I can't (and nor can Symantec!).

justscott wrote:

and it's working. 2 additional differences that I have in place that TECH138570 does not state (or recommend) are that I DO combine both application and device settings by placing my exception USB in excluded devices under device control. Secondly, I add an exception for my USB under Application Control under both the Rule and Conditions: Block writing to removable media and the condition Block writing to all files and folders.

Could you attach screenshots?  I'll put together my policy

mancalledSun wrote:

Just wanted to say that I have not had a chance to do this again just yet (Sym advised I try this, it didn't work for me).  But I will prepare screens if you standby.  Sorry for delay.

Dassy wrote:

Hi,

I want to block all USB drives but permit read-only access; in implementing this I am facing difficulties.

These are my Scenarios

  1. Block all USB flash drives and HDD drives but permit read-only access to folders & files.

  2. There are different kinds of USB data cards, like TATA Photon+, Reliance etc., available in the market; if I block the USB drive (device id: 36fc9e60-c465-11cf-8056-444553540000), then it stops responding, so please help me with what kind of policy to apply.

  3. Also wanted to block writing to mobile phone USB drives.

Can anyone help me with this?

Thanks,

Partha