How to block all USB drives and set exclusions for specific USB drives using Data Loss Prevention Endpoint
Technical Articles ID:   KB86007
Last Modified:  5/8/2019
Environment

McAfee Data Loss Prevention (DLP) Endpoint - all supported versions

For details of DLP Endpoint supported environments, see KB68147

Summary

This article explains how to block all USB drives using DLP Endpoint while leaving other USB hardware, such as keyboards and mice, unaffected. It also explains how to add exclusions for authorized USB drives and for encryption applications that run from a USB drive.

Steps to block all USB drives using DLP Endpoint:
  1. Log on to the ePO console.
  2. Click Menu, Data Protection, DLP Policy Manager.
  3. In Definitions, click Device Control, Device Templates.
  4. Click Actions, New Item, Removable Storage Device Template.
  5. Name the definition Block USB Drives.
  6. Add the Bus Type property and set its value to USB. Leave Comparison set to Equals.
  7. Click Save.
  8. Create a Rule Set or open an existing Rule Set.
  9. In the selected Rule Set, click Device Control, Actions, New Rule, Removable Storage Device Rule.
  10. Name the rule Block All USB drives Removable Storage Device Rule.
  11. Change State to Enabled.
  12. Select the appropriate users to assign the rule.
  13. In Removable Storage, select Block USB Drives in the context menu.
  14. Click the Reaction tab and select Block from the Prevent Action drop-down list.
  15. Configure User Notification and Report Incident as appropriate.
  16. Under the Computer disconnected from the corporate network section, leave the Prevent Action set to React the same way as connected system.
  17. Click Save.
  18. If a new Rule Set was created, select Activate the Rule Set in DLP Policy in the Policy Catalog.
  19. If no new Rule Set was created, navigate to the Policy Assignment tab in the DLP Policy Manager and apply the appropriate policy.
 
Steps to add an exclusion for specific USB drives authorized for use:
  1. Click Start, Run, type explorer, and click OK.
  2. Right-click My Computer, and select Manage.
  3. In System Tools, click Device Manager.
  4. At the top of the Computer Management window, click the View menu option and select Show hidden devices.
  5. Insert the USB drive to be excluded.
  6. Look for any additions that display in the Computer Management list. Typically, the additions display under Storage volumes, but they can also display in Disk Drives or similar locations.
  7. Right-click the device found in the Computer Management list, and click Properties.
  8. Click the Details tab and, in the Property drop-down list, look for one of the following entries:
    • Device Instance ID (shown as Device Instance Path on newer Windows versions)
    • Device Serial Number
    • Vendor ID / Product ID
    For a USB device the instance path has the form USB\VID_xxxx&PID_xxxx\<serial>, so the Vendor ID, Product ID and serial number can all be read from that single value.
  9. Copy (CTRL+C) the displayed entry. This entry is used again in step 8 of the following procedure.
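The Device Manager steps above read the identifiers one device at a time. The following PowerShell script is an added example, not part of the KB article or of the DLP Endpoint product, that collects the same values for every attached USB storage device in one pass. It assumes Windows 8 / Server 2012 R2 or later (where the PnpDevice module ships in-box), that USB mass-storage parents are the devices whose Service is USBSTOR, and the sample instance path at the end is constructed rather than taken from a real drive.

```powershell
# Added example: gather VID, PID and serial number of attached USB storage devices
# so they can be entered into a DLP Endpoint device template.
# Assumes the PnpDevice module (Windows 8 / Server 2012 R2 and later).

function ConvertFrom-UsbInstanceId {
    # Parse a PnP instance ID of the form USB\VID_xxxx&PID_xxxx\<serial> into its parts.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)]
        [string]$InstanceId,
        [Parameter(ValueFromPipelineByPropertyName)]
        [string]$FriendlyName = ''
    )
    process {
        if ($InstanceId -notmatch '^USB\\VID_(?<vid>[0-9A-Fa-f]{4})&PID_(?<pid>[0-9A-Fa-f]{4})\\(?<serial>[^\\]+)$') {
            return   # hubs, HID devices and USBSTOR child disks use other ID formats; skip them
        }
        [pscustomobject]@{
            FriendlyName  = $FriendlyName
            VID           = $Matches.vid.ToUpper()
            PID           = $Matches.pid.ToUpper()
            Serial        = $Matches.serial
            # A device that reports no serial gets a Windows-generated one containing '&'
            # (for example 6&1A2B3C4D&0&2). That value depends on the port used and cannot
            # pin a DLP exception to one physical unit; only VID/PID is usable for it.
            HasRealSerial = ($Matches.serial -notmatch '&')
            InstanceId    = $InstanceId
        }
    }
}

# Live run: present devices served by the USBSTOR driver are the USB mass-storage parents.
Get-PnpDevice -PresentOnly |
    Where-Object { $_.Service -eq 'USBSTOR' } |
    ConvertFrom-UsbInstanceId |
    Format-Table FriendlyName, VID, PID, Serial, HasRealSerial -AutoSize

# Constructed sample (not a real device) showing the parse without any hardware attached.
ConvertFrom-UsbInstanceId -InstanceId 'USB\VID_0781&PID_5583\4C530001231211112345' -FriendlyName 'Sample drive'
```

Pipe the live result to Export-Csv to keep an inventory of the drives you authorize. Drives whose HasRealSerial is False can only be excluded by VID/PID, which admits every unit of that model, so treat them as candidates for replacement rather than for an exception.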

Return to the DLP Policy Manager in the ePO console to perform the following steps:
  1. Log on to the ePO console.
  2. Click Menu, Data Protection, DLP Policy Manager.
  3. In the DLP Policy Manager, click the Definitions tab.
  4. Expand Device Control and select Device Templates.
  5. Click Actions, New Item, Removable Storage Device Template.
  6. Name the definition Excluded Drives.
  7. Add the USB (VID/PID Codes) property.
  8. Leave Comparison set to Equals and enter the Vendor ID (VID) and Product ID (PID) gathered in the previous procedure. A VID/PID pair identifies a device model, not an individual unit, so every drive of that make and model matches this template, including one brought in from outside. If the template editor offers a serial number property, add it as well so the exception is pinned to the authorized unit.
  9. Click Save.
  10. Go back to the DLP Policy Manager, click the Rule Sets tab, and open the Rule Set created or opened in step 8 of the first procedure.
  11. On the Device Control tab, select the Block All USB Drives Removable Storage Device Rule created in the first procedure.
  12. Click the Exceptions tab. Under Excluded Device Templates, next to Removable Storage is one of (OR), click the selection button (the gray box with three dots) and select Excluded Drives.
  13. Click Save.
  14. Click Close in the DLP Rule Set.
  15. Click Policy Management.
  16. Apply the policy by clicking Actions, Apply Selected Policies and select the appropriate policy.

Steps to add an exclusion for encryption applications that reside on USB drives:
  1. Log on to the ePO console.
  2. Click Menu, Data Protection, DLP Policy Manager.
  3. In the DLP Policy Manager, click the Definitions tab.
  4. Expand Source/Destination and select Process Name.
  5. Click Actions, New.
  6. Name the Process Name definition USB Excluded Processes.
  7. Add the appropriate process name that corresponds with the encryption application on the USB drive in the Process Name field.
  8. Click Add, and then click Save.
  9. Open the Block All USB Drives Removable Storage Device Rule created in the first procedure.
  10. In the Process Name section, next to is none of (NOT), click the context menu and select USB Excluded Processes. This exception matches on the process name only; a renamed executable satisfies it, so keep the list short and limited to the encryption application actually in use.
  11. Click Close in the DLP Rule Set.
  12. Click Policy Management.
  13. Apply the policy: click Actions, Apply Selected Policies and select the appropriate policy.
