Endpoint Protection

  • 1.  Disabling USB Devices Only and Submitting Report to Email Address

    Posted Mar 24, 2015 09:20 AM

    Hello,

     

    I'm in need of assistance for one of my clients. They are using Endpoint Protection version 11.0.5002.333. Network Threat Protection was set up in SEPM a while ago to disable USB devices as soon as they were connected, then it would send an email to the manager notifying them of the attempt. Somehow this was disabled, deleted, etc. Not sure why it stopped. I've been trying to set it back up for the past couple of weeks, but it's not working correctly. So far I've gone in and created a new policy to disable USB devices and created exceptions for the devices that have been added by device ID (guessing that they were set up this way to begin with), but that doesn't work. I then tried disabling USB and having no exceptions. When I did that, the users were able to access USB drives, but things like mice and keyboards and printers and scanners stopped. Not sure why. Any assistance would be greatly appreciated.

     

    Thanks in advance,



  • 2.  RE: Disabling USB Devices Only and Submitting Report to Email Address

    Posted Mar 24, 2015 09:22 AM

    In the device control section of the policy, you can add mice and keyboard to the exclusion list.

    https://www-secure.symantec.com/connect/forums/application-and-device-control-policy-e-mail-alert

    To set up email alerts, go to Monitors > Notifications > Notification Conditions and add a Client Security Alert. Select Device Control and edit anything else you need. In the policy, make sure "Log detected devices" is checked.

    Also, just so you know, SEP 11.x is end of support life and content updates have stopped. You should move to 12.1 as soon as possible:

    https://www-secure.symantec.com/connect/forums/symantec-endpoint-protection-110x-eosl



  • 3.  RE: Disabling USB Devices Only and Submitting Report to Email Address

    Posted Mar 24, 2015 09:36 AM

    But that's the thing though. I can add the exclusions fine, but it never seems to want to disable USB sticks. If I just select to disable USB, then all USB devices are disabled except for thumb drives. Doesn't make any sense. I even update content after making the changes and applying the policy, then wait about an hour and have them update the policy on their side just to be safe, and still can't get it working.



  • 4.  RE: Disabling USB Devices Only and Submitting Report to Email Address

    Posted Mar 24, 2015 09:37 AM

    Sucks because in doing this yesterday I disabled their tape backups, and I'm trying to rectify that now.



  • 5.  RE: Disabling USB Devices Only and Submitting Report to Email Address

    Posted Mar 24, 2015 09:42 AM

    Did you add the mice/keyboards to the exclusion list?

    Are you adding the device ID to the blocked devices list? You can use DevViewer:

    Use DevViewer to find hardware device IDs for Device Blocking in Endpoint Protection



  • 6.  RE: Disabling USB Devices Only and Submitting Report to Email Address

    Posted Mar 24, 2015 10:21 AM

    I added the USB class ID to the block list and different variations of device IDs to the exclusion list. The exclusions work fine, just not the USB block list.