Endpoint Protection


Update to 12 RU1 MP1 messed up my USB blocking policy


  • 1.  Update to 12 RU1 MP1 messed up my USB blocking policy

    Posted Apr 30, 2013 03:00 PM

    I recently upgraded my SEPM to RU1 MP1.  Afterward, my USB blocking policy got messed up.  I am trying to block all USB drives, but allow Kingston Encrypted Drives.  In creating a new policy, I cannot get the SEPM to recognize the Kingston USB drive, although I used DEVVIEWER.EXE, copied, and pasted into the hardware devices part of policies.



  • 2.  RE: Update to 12 RU1 MP1 messed up my USB blocking policy

    Posted Apr 30, 2013 03:07 PM

    Have you tried plugging into a different system? Is Windows not recognizing it in Device Manager?



  • 3.  RE: Update to 12 RU1 MP1 messed up my USB blocking policy

    Posted Apr 30, 2013 03:13 PM

    I have 2 PCs in the group with the policy applied.  One is XP and the other Win 7 32-bit.  I have blocked all USB drives through Application Control, and with devviewer.exe have found the device ID and put it into hardware devices.  After that, I went back into the policy and set exceptions in each policy area for the Kingston drive.  I did it exactly as it was in 12.1 RU1 (where it worked fine), but it is still blocked.

    Yes, Windows does recognize it in Device Manager.



  • 4.  RE: Update to 12 RU1 MP1 messed up my USB blocking policy

    Posted May 01, 2013 05:41 AM

    Could you provide a little more info please?

    • In what way is it messed up?  Is it now allowing all, blocking all?  What is the messed up behaviour?
    • Are you using Application Control?  If so, what rules and how are they configured?
    • Are you using Device Control?  If so, what devices are blocked/allowed and how are they defined (class guid/device ID.  You mention blocking USB drives, is this by the class for all USB or by a custom device ID entry)?
    • What do the Control Logs say?

    Cheers!



  • 5.  RE: Update to 12 RU1 MP1 messed up my USB blocking policy

    Posted May 01, 2013 08:15 AM

    In what way is it messed up? Is it now allowing all, blocking all? What is the messed up behaviour?

    It is blocking all USB drives...including the ones for which I had an exception.

    Are you using Application Control? If so, what rules and how are they configured?

    Yes using App Control...using in this order...

    AC3 - applying to * and not applying to Kingston drive (id from devviewer)

    AC4 - same

    AC2 - same

    AC5 - applying to *

    AC9 - applying to * and not applying to Kingston drive (id from devviewer)

    Are you using Device Control?  No

    What do the Control Logs say?  When I plug in the Kingston drive, it says "block writing to all files and folders has blocked DTVP_Launcher.exe"  which is the file that launches the Kingston drive, which is an exception in the block writing to files.  I have even tried putting that specific file in to not block.  It is like it is not recognizing the fact that the drive is an exception.

    This policy is working fine on a group of PCs that still have 12.1 RU1, but when applied to the group of PCs that have 12.1 RU1 MP1 it stops working.

    I believe I have answered all of your questions...

    Thanks!!!




  • 6.  RE: Update to 12 RU1 MP1 messed up my USB blocking policy

    Posted May 01, 2013 09:16 AM

    Every time I've upgraded SEPM, it seems that something changes in the Application and Device Control policies. App & Device Control policies never seem to upgrade. I've found that the best thing to do is to create new App & Device Control policies. That way, you get all the new features in the new policies.

    Don't know why Symantec can't seem to get App & Device Control policies to upgrade, but it never happens for me.



  • 7.  RE: Update to 12 RU1 MP1 messed up my USB blocking policy

    Posted May 01, 2013 09:28 AM

    dsmith1954

    Thanks...I have experienced the same.  I printed screenshots of my old policy and created a new policy and I didn't see any differences at all (could have missed something), but it still is blocking everything.

    I have been banging my head against the wall for about 4 days trying to get something that worked fine before to work on the new version.

    Thanks for your comments, though!



  • 8.  RE: Update to 12 RU1 MP1 messed up my USB blocking policy

    Posted May 01, 2013 12:15 PM

    Have you tested with RU2 or RU2MP1?

    It's just that RU2 includes a fix that sounds like it might apply here (I know it says for Win7x64, but it gives you an idea of the kind of problems fixed):

     

    Application and Device Control policy does not honor allowed processes or folders on 64-bit Windows 7
    Fix ID: 2751878
    Symptom: The list of allowed processes/folders is not honored on 64-bit Windows 7.
    Solution: Modified Application and Device Control to resolve this issue.

    Taken from: http://www.symantec.com/docs/TECH199676



  • 9.  RE: Update to 12 RU1 MP1 messed up my USB blocking policy

    Posted May 01, 2013 12:25 PM

    SMLatCST:

    No I hadn't gotten past RU1 MP1.  Without upgrading all of the clients, can I skip over updates?  I didn't think I could.

    Also, my Win 7 machine is 32-bit...although that still could apply.

    My understanding of upgrading was to apply the update to the SEPM and then all of the clients before upgrading to the next update.  One step at a time.  Am I wrong?  Can I update the SEPM to the latest version and then update the clients to that version?

    Thanks!



  • 10.  RE: Update to 12 RU1 MP1 messed up my USB blocking policy

    Posted May 01, 2013 12:33 PM

    Yup it's perfectly supported to jump from almost any older version to a later RU* version.  It's the RU*MP* ones that require the stepped upgrade.

    Please see migration paths below:

    RU2:
    http://www.symantec.com/docs/TECH197426

    RU2MP1:
    http://www.symantec.com/docs/TECH204449

    And just for kicks, please also see my own IDEA for SEP enhancement to support for migration paths.  Please vote for it if you feel it would be of benefit.

    https://www-secure.symantec.com/connect/ideas/support-more-sep-121-client-migration-paths

     



  • 11.  RE: Update to 12 RU1 MP1 messed up my USB blocking policy

    Posted May 01, 2013 03:33 PM

    Did you read his posts? All of the pertinent questions were already answered - blocked, not allowed, yes to app and device control as it's all one piece, app control would have no impact unless it needed to launch a driver from itself.

    He said it's messed up because it's BLOCKING even though he's doing the same thing he always did - block all, allow this one. It's the most basic of device control situations IMO. The most simple thing you can do in SEP device control is either to block ONE, in which case you need to do nothing else, or block ALL, and allow one, which is almost as easy, save for one added step.

    I block all "USBSTOR" and allow only our agency-owned encrypted USB devices - which I have allowed by their string that includes the "serial number". So even if someone brings in the exact same brand and model and size, it won't fly. If it's not on my list, it's blocked. (Ask those who did a recent test on us. They were going to come in, plug in a drive, launch a piece of software to find holes. Funny how that worked out for them. They never got the device to function - not even on IT employee computers.)
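
The block-all, allow-by-serial approach described in the post above, as an added example that is not part of the original thread: a simplified Python model of the decision (not SEP's matching engine). The device instance IDs are constructed, the function names are hypothetical, and it assumes an exclusion match overrides the block list.

```python
from fnmatch import fnmatchcase

# Constructed device instance IDs in the Windows USBSTOR layout
# (vendor, product, revision, then the per-unit serial). Not real devices.
ALLOWED_UNIT = r"USBSTOR\DISK&VEN_KINGSTON&PROD_DT_VAULT_PRIVACY&REV_1.00\0000AAAA1111&0"
SAME_MODEL_OTHER_UNIT = r"USBSTOR\DISK&VEN_KINGSTON&PROD_DT_VAULT_PRIVACY&REV_1.00\0000BBBB2222&0"
OTHER_BRAND = r"USBSTOR\DISK&VEN_GENERIC&PROD_FLASH_DISK&REV_8.07\12345678&0"
NON_STORAGE = r"USB\VID_046D&PID_C31C\5&2A1B3C4D&0&1"

# "Block all USBSTOR": every USB mass-storage device ID matches this.
BLOCK_PATTERNS = [r"USBSTOR\*"]

# Two ways to write the exclusion: pinned to one unit's full ID
# (serial included) versus a wildcard covering the whole model.
SERIAL_PINNED = [ALLOWED_UNIT]
MODEL_WIDE = [r"USBSTOR\DISK&VEN_KINGSTON&PROD_DT_VAULT_PRIVACY*"]


def _matches(device_id, patterns):
    # Device IDs are compared case-insensitively; '*' and '?' are wildcards.
    dev = device_id.upper()
    return any(fnmatchcase(dev, p.upper()) for p in patterns)


def decide(device_id, allow_patterns, block_patterns=BLOCK_PATTERNS):
    """Return 'allow' or 'block' (assumption: exclusions win over blocks)."""
    if _matches(device_id, allow_patterns):
        return "allow"
    if _matches(device_id, block_patterns):
        return "block"
    return "allow"  # device is outside the policy, e.g. a keyboard


def audit(allow_patterns, devices):
    """Map each device ID to the verdict the given exclusion list produces."""
    return {dev: decide(dev, allow_patterns) for dev in devices}


if __name__ == "__main__":
    devices = [ALLOWED_UNIT, SAME_MODEL_OTHER_UNIT, OTHER_BRAND, NON_STORAGE]
    for name, allow in (("serial-pinned", SERIAL_PINNED), ("model-wide", MODEL_WIDE)):
        print(name)
        for dev, verdict in audit(allow, devices).items():
            print(f"  {verdict:5}  {dev}")
```

Running it shows the difference the post relies on: with the serial-pinned exclusion a second drive of the same model is still blocked, while a model-wide wildcard lets it through.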



  • 12.  RE: Update to 12 RU1 MP1 messed up my USB blocking policy

    Posted May 01, 2013 03:37 PM

    Not related. That's an issue only with application control in that if you have processes defined, want to block say using * but allow IE.EXE, or do similar things with folders, it wouldn't function correctly.
    It did/does in 32-bit, but that part of the app control had some, uh, problems with 64-bit.

    I use app control "to the max" - it's what has kept us malware/virus/risk-free for over 25 months. That and SEP doing a fine job on web content hits.



  • 13.  RE: Update to 12 RU1 MP1 messed up my USB blocking policy

    Posted May 02, 2013 01:39 AM

    Hi

    Please upgrade to SEP 12.1.2 MP1

    Regards