

How to block all USB drives and set exclusions for specific USB drives using Data Loss Prevention Endpoint 9.3
Technical Articles ID:   KB60861
Last Modified:  12/16/2016


Environment

McAfee Data Loss Prevention Endpoint (formerly Host DLP) 9.3.x
McAfee ePolicy Orchestrator 5.x

Summary

This article explains how to block all USB drives using Data Loss Prevention Endpoint (DLP Endpoint) 9.3.x while leaving other types of USB hardware (keyboard, mouse, and so on) unaffected. It also explains how to set exclusions for authorized USB drives using DLP Endpoint 9.3.x.

NOTE: See KB86007 for information on how to block USB drives and set exclusions for specific USB drives using Data Loss Prevention Endpoint 9.4.x.


Solution

Block all USB drives using DLP Endpoint 9.3.x

IMPORTANT: Save your policies before making any changes.
  1. Log on to the ePO console.
  2. Click Menu, Data Protection, DLP Policy.
  3. In Device Management, click Device Definitions.
  4. Click Add New and select Removable Storage Device Definition.
  5. Add Block USB drives to the end of the Removable Storage Device Definition name.
    Example: Removable Storage Device Definition Block USB drives
     
  6. Double-click the Removable Storage Device Definition Block USB drives entry that you created in the previous step.
  7. Select Bus Type, select USB from the list, and click OK.
  8. Click OK.
  9. To save the policy changes, click Apply on the toolbar.
  10. In Device Management, click Device Rules.
  11. Click Add New and select Removable Storage Device Rule.
  12. Add All USB drives to the end of the Removable Storage Device Rule name.
    Example: Removable Storage Device Rule All USB drives
     
  13. In the list for this rule, locate the Removable Storage Device Definition Block USB drives entry, and select Include in the column on the right.
  14. Click Block. This selects the Block, Monitor, and Notify User entries.
  15. Click Next.
  16. If a group does not display in the list, click Add to create a group.

    NOTE: If the required group is displayed in the list, select that group and click Finish.
     
  17. In Find objects containing this folder, click the blank field.
  18. Type an appropriate group name, as defined in Active Directory, that you want to apply this policy to and click Search.
  19. In List View, select the found entry and click OK.
  20. Click OK.
  21. Click Finish.
  22. To save the policy changes, click Apply on the toolbar.

Solution

Add an exclusion for specific USB drives authorized for use

NOTE: If the DLP Endpoint agent is already installed, you must remove the policy created in the previous solution before adding this exclusion. The identification information for the specific USB drive is available in Device Manager.

The following steps explain how to navigate through Device Manager to find identification information for the USB drive, and should be performed on the ePO server:
  1. Click Start, Run, type explorer, and click OK.
  2. Right-click My Computer, and select Manage.
  3. In System Tools, click Device Manager.
  4. At the top of the Computer Management window, click the View menu option and select Show hidden devices.
  5. Insert the USB drive to be excluded.
  6. Look for any additions that display in the Computer Management list. Typically these would display under Storage volumes, but they can also display in Disk Drives or similar locations.
  7. Right-click the device found in the Computer Management list, and click Properties.
  8. Click the Details tab and look for one of the following entries in the drop-down list:

    • Device Instance ID
    • Device Serial Number
    • Vendor ID / Product ID

  9. Copy (CTRL+C) the displayed entry. This value is used in step 8 of the following section.
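The value copied in step 9 is a PnP device instance ID, and the three identifier kinds listed in step 8 can all be derived from it. The following added example (not part of this article or of DLP Endpoint) parses constructed sample IDs in the shape Device Manager displays and flags the case a practitioner should check before building an exclusion: a drive that reports no hardware serial gets an instance ID synthesised by Windows (recognisable by an ampersand as its second character), which is not stable across ports or hosts and so makes a poor per-drive exclusion. The "VID/PID" string format and the function names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample values in the shape Device Manager shows under
# "Device Instance ID" for a USB drive. The USB bus node carries the
# VID/PID; the USBSTOR node carries the serial with a trailing "&<lun>".
SAMPLE_USB_NODE = r"USB\VID_0781&PID_5567\4C530001234567890123"
SAMPLE_USBSTOR_NODE = r"USBSTOR\DISK&VEN_SANDISK&PROD_CRUZER&REV_1.00\4C530001234567890123&0"
# Constructed ID for a drive with no serial: Windows synthesises the instance
# part, and such IDs have "&" as their second character.
SAMPLE_GENERATED = r"USBSTOR\DISK&VEN_GENERIC&PROD_FLASH&REV_8.07\7&2F1C9A3E&0&_&0"

_VID_PID = re.compile(r"VID_([0-9A-Fa-f]{4})&PID_([0-9A-Fa-f]{4})")


@dataclass
class UsbIdentity:
    instance_id: str        # value for a "Device Instance Id (Advanced)" definition
    vid_pid: Optional[str]  # value for a "USB Vendor ID/Product ID" definition, as "VID/PID" hex
    serial: Optional[str]   # value for a "USB Device Serial Number" definition
    generated: bool         # True when Windows made up the instance part (no device serial)


def parse_instance_id(instance_id: str) -> UsbIdentity:
    """Split a Device Manager instance ID into the identifier kinds DLP Endpoint can match on."""
    parts = instance_id.split("\\")
    if len(parts) < 3:
        raise ValueError(f"not an <enumerator>\\<device>\\<instance> ID: {instance_id!r}")
    enumerator, instance = parts[0].upper(), parts[-1]
    m = _VID_PID.search(instance_id)
    vid_pid = f"{m.group(1).upper()}/{m.group(2).upper()}" if m else None
    # PnP manager convention: a synthesised instance ID has "&" as its second character.
    generated = len(instance) > 1 and instance[1] == "&"
    serial: Optional[str] = None
    if not generated:
        # USBSTOR appends "&<lun>" to the serial; the USB node holds the bare serial.
        serial = re.sub(r"&\d+$", "", instance) if enumerator == "USBSTOR" else instance
    return UsbIdentity(instance_id, vid_pid, serial, generated)


def is_device_unique(identity: UsbIdentity) -> bool:
    """A serial identifies one physical drive. VID/PID alone matches every drive of that
    model, and a generated instance ID changes with port/host, so neither is a safe
    per-drive exclusion on its own."""
    return identity.serial is not None


if __name__ == "__main__":
    for sample in (SAMPLE_USB_NODE, SAMPLE_USBSTOR_NODE, SAMPLE_GENERATED):
        ident = parse_instance_id(sample)
        print(ident, "unique" if is_device_unique(ident) else "NOT device-unique")
```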


Return to the DLP Endpoint 9.3.x policy in the ePO console to perform the following steps:

  1. Log on to the ePO console.
  2. Click Menu, Data Protection, DLP Policy.
  3. In Device Management, click Device Definitions.
  4. Click Add New, and select Removable Storage Device Definition.
  5. Add Excluded Drives to the end of the Removable Storage Device Definition name.
    Example: Removable Storage Device Definition Excluded Drives
     
  6. Double-click Removable Storage Device Definition Excluded Drives.
  7. Select Device Instance Id (Advanced), USB Device Serial Number, or USB Vendor ID/Product ID (VID/PID Codes), then select USB from the list.
  8. Click Add New, type the information copied from Step 9 in the previous section, and click OK.
  9. Click OK to close the Removable Storage Device Definition Excluded Drives entry.
  10. To save the policy changes, click Apply on the toolbar.
  11. In Device Management, click Device Rules.
  12. Click the previously created rule, Removable Storage Device Rule All USB drives. Two Removable Storage Device Definition entries are displayed.
  13. In the list for this rule, locate the Removable Storage Device Definition Excluded Drives entry, and select Exclude under the Excluded Devices column.
  14. Click Next.
  15. Click Block. This selects the Block, Monitor, and Notify User entries.
  16. Click Next.
  17. If a group is not displayed in the list, click Add to create a group.

    NOTE: If the required group is displayed in the list, select that group and click OK.
     
  18. Click the blank field under Find objects containing this folder.
  19. Type an appropriate group name, as defined in Active Directory, that you want to apply this policy to and click Search.
  20. Select the found entry under List View, and click OK.
  21. Click OK.
  22. Click Finish.
  23. To save the policy changes, click Apply on the toolbar.

NOTE: Save your policies with these changes applied, using a filename different from the one used in Solution 1 (keep the .OPG extension).
