Video Screencast Help

By Symantec Endpoint Protection, how can I disable those Wifi tethering USB device?

Created: 26 Jun 2012 | 6 comments

As subject, how can I disable Wifi tethering USB device by Symantec Endpoint Protection?

Comments 6 CommentsJump to latest comment

Mithun Sanghavi's picture


Check this Article:

How to Block or Allow Devices in Symantec Endpoint Protection

Check these Threads:

Hope that helps!!

Mithun Sanghavi
Associate Security Architect


Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

isaacho's picture


Our situation is our staff bring their own USB tethering device to share our network to others and i would like to block this behaviors.

would there be any speecific category that will block those USB tethering device?

Simpson Homer's picture
How to Block or Allow Devices in Symantec Endpoint Protection

You would like to block or allow specific devices in Symantec Endpoint Protection (SEP) 11.x or 12.1.x using the Application and Device Control (ADC) features.


There are two ways that devices can be identified in SEP 11.x and 12.1:

  1. by Class ID
  2. by Device ID

There are advantages and disadvantages of using either method and there is a different functionality for each method. 

This article discusses these two IDs and how to use them in SEP.

Class ID

A Class ID is a generic category of devices that are designated by the Windows operating system.  A Class ID is always listed as a GUID.  Here are examples of Class IDs (GUID):

  • Disk Drives - {4d36e967-e325-11ce-bfc1-08002be10318}
  • Storage Volumes - {71a27cdd-812a-11d0-bec7-08002be2092f}
  • USB devices - {36FC9E60-C465-11CF-8056-444553540000}
  • DVD/CD-ROM - {4D36E965-E325-11CE-BFC1-08002BE10318}
  • IDE - {4d36e96a-e325-11ce-bfc1-08002be10318}
  • PCMCIA - {4d36e977-e325-11ce-bfc1-08002be10318}

In SEP, wildcards are not supported on Class IDs.

For a list of Class IDs, click here.

Device ID

A Device ID (also known as a Device Instance ID in Windows) is a specific ID that is given to each device.  A Device ID can be more effective for blocking or allowing devices because it is made by concatenating a list of data about the particular device.  Device IDs are generally in a more readable format.

Here are two common formats for Device IDs:

<class>\<type>&<vendor>&<model>&<revision>\<serial number>

<class>\<type><vendor><model><revision>\<serial number>

Here are examples of Device IDs:

  • SanDisk Micro Cruzer - USBSTOR\DISK&VEN_SANDISK&PROD_CRUZER_MICRO&REV_2033\0002071406&0
  • Apple iPod - USBSTOR\DiskApple___iPod____________1.62\4&3656B0&0
  • Hitachi IDE Hard Drive - IDE\DISKHTS541060G9SA00_________________________MB3IC60H\4&14AA9DA8&0&0.0.0

For Device IDs wildcards are supported: * and ?.

  • Asterisk [*] - means zero or more of any character
  • Question mark [?] - means a single character of any value

Here are examples of using wildcards:

Any USB Storage device


Any USB Disk


Any USB SanDisk drive


Any USB SanDisk Micro Cruzer drive


A specific SanDisk device


 It is recommended to use Device IDs over Class IDs in most cases.

Hardware Devices

Both the Class IDs and the Device IDs can be added to the SEPM under Policy Components Hardware Devices section.



Device Viewer

On the SEP CD or DVD, under the Tools\NoSupport folder look for Device Viewer (DevViewer). The Device Viewer can be used to get either the Class ID or the Device ID of a particular device. It would assist copying the IDs to the clipboard and then paste into the SEPM.



The Device Viewer also gives the ability to view devices by type or by connection.

By type:



By connection:


Device Control

SEP has the ability to block devices using either Application Control or Device Control. Device Control gives the ability to completely disable a device. When a device has been disabled this way, it will be seen as disabled in the Windows Device manager. Device Control can ensure that the device specified cannot be used in the SEP client system at all. Device Control can use both Class IDs and Device IDs.


Device Control can also block devices at any node in the tree. If a device is blocked at one node then all devices below that node (all children) will be blocked also. Conversely if a device is excluded on a particular node, then all the devices above that node will also be excluded.

In the example below, to block the SanDisk Cruzer, block it by blocking the USB Mass Storage Device:

Note: on Windows 2000, XP and 2003 if a USB device is disabled with SEP's Device Control then the operating system will power down that device.

Devices such as Androids, iPods, cameras and other types of portable devices will not be able to get charged.  On newer operating systems such as Windows Vista, Windows 7 and 2008 the operating system will allow the devices to receive power even if they are disabled.

Application Control

Application Control feature would assist in performing a more granular blocking of devices. Application Control is a very powerful engine that controls the block or allow of reads, writes or execute commands on a device, including controlling what applications can be used.
For example; Creating a policy using Application Control to block any program that is running off a USB drive from changing the registry or modifying files on the host computer. With Application Control, Device IDs could be used.  Class IDs will not work.  Device IDs are allowed in the following places:

Program Definition

  • Application Rule process
  • Launch process
  • Terminate process


File Definition

  • File Access
  • Load DLL


Only blocking a device with Application Control that is at the end of a node in the tree could be performed, unless the end node is "Generic volume" or "Storage volume".  In these two cases, the device that is one up from the last node (the parent of the last node) would be blocked.
In the example below, SanDisk Cruzer Micro cannot be blocked at either the "USB Mass Storage Device" node or at the "Generic volume" node:



Most Device IDs that are supported by Application Control will have one of these types:




  • Example: FDC\GENERIC_FLOPPY_DRIVE\4&371082C9&0&0


  • Example: IDE\DISKHTS541060G9SA00_________________________MB3IC60H\4&14AA9DA8&0&0.0.0


  • Example: SCSI\DISK&VEN_WDC_WD50&PROD_00KS-00MNB0&REV_700.\4&1291CDED&0&000

Note: Application Control can only block devices that are seen by Windows as disk drives and have drive letters associated with them.  Devices that do not add drive letters (such as an iPhone or iPad) will need to be blocked using Device Control.

isaacho's picture

Thanks Simpson Homer.

i found the post are mainly focus on USB storage device.

How should i identify USB wifi tethering device? smiley

BobC_'s picture


One way to protect against Tethering is with a combonation of Host Integrity, Firewall Policy and Location Awareness.  An HI policy is available to provide this protection.  In SEP 11.x and 12.1 (up to RU1MP1) the policy would have to be imported.  In next SEP release (very soon) this will be native and not require policy import.  Feel free to send me an email or message with your contact info if you are still looking for a way forward with this....