Endpoint Encryption

  • 1.  How to deny read access to USB-devices. Allow write access only

    Posted Aug 06, 2012 02:57 AM

    For security reasons, we want to block read access to USB-flashdrive/pendrive/portable-disk. We only want to allow write access.

    When I define a "Device Control" policy, I can only block the "USB" devices. I cannot block read attempts only and allow write attempts.


    When I define an "Application Control" policy for the explorer application, I can set up a "block read access" for a specific directory on "removable drives". Symantec blocks the read attempt, but allows a write attempt to the specified directory. This is OK.
    But, with the same policy, when I specify the wildcard (*) directory to block all files and directories, I cannot write to the device anymore. Windows blocks the attempt.
    Any idea how to solve this issue?

    We use Symantec Endpoint Protection 12.1.1 on Windows 7 Professional platform.



  • 2.  RE: How to deny read access to USB-devices. Allow write access only
    Best Answer

    Posted Aug 06, 2012 04:15 AM

     We want to block read access to USB-flashdrive/pendrive/portable-disk. We only want to allow write access.

    It is not possible to block read access while allowing only write access; you can set only two permissions.

    1) Block write access

    or

    2) Full block Read / Write

     

    A few articles for your quick access:

    1) How to block USB Thumb Drives and USB Hard Drives, but allow specific USB Drives in the Application and Device Control Policy in Symantec Endpoint Protection.

    2) How to block USB flash drives while allowing other USB devices.

    How to block or allow devices in Symantec Endpoint Protection

    https://www-secure.symantec.com/connect/articles/how-block-or-allow-devices-symantec-endpoint-protection



  • 3.  RE: How to deny read access to USB-devices. Allow write access only

    Posted Aug 06, 2012 05:17 AM

    Is that Windows would normally require read access (to check permissions and available space and the like) before it is able to write to a device.

    Soooooo, with that in mind, what happens if you add "explorer.exe" (without the quotes) to the "Do not apply this rule to the following processes:" field?  This is found in the rule properties, not the condition properties.

    Doing this should give Windows the info it needs to be able to write to a drive, while still blocking other processes (e.g. winword.exe, cmd.exe) from reading from the drive.  The problem is that with this exception in place, users would be able to copy from a removable drive.  Is that acceptable?  What is it you want to accomplish?

    BTW, you've posted this thread in the Encryption forums instead of the SEP forums.



  • 4.  RE: How to deny read access to USB-devices. Allow write access only

    Posted Aug 06, 2012 06:28 AM

    Thanks for your information.



  • 5.  RE: How to deny read access to USB-devices. Allow write access only

    Posted Aug 06, 2012 07:39 AM

    Thanks for your information.

    I suppose you are right and I should change my policy.

    I will block all USB-drivers and only allow a USB-drive with the right hardware ID.

    BTW, sorry for posting in the wrong forum. Can I move this thread to the right forum?



  • 6.  RE: How to deny read access to USB-devices. Allow write access only

    Posted Aug 06, 2012 08:02 AM

    ...too much about which forum you've posted in, as long as you have the info you need.  It's more just to make sure you get the help you need, as the SEP bods might not be looking at the Encryption forums.

    You should be able to click on an "Edit" link right at the top of this thread to change where it's listed.

    Finally, it'd be much appreciated if you could mark any posts you find useful with a "Thumbs Up" or as the Solution.  Ta ;)