Endpoint Protection

We've been using SEPM device control to block all usb drives, but I was recently asked to add an exception for a couple of approved drives.  It was at this time I discovered that Symantec was NOT blocking these new usb devices.  Using Devviewer I discovered that new USB thumb drives and external drives are no longer using the same USB guid they have in the past.  In fact they now have the same guid as Disk Drives.  At this point I have been able to block the new devices by adding "disk drive" to the blocked section of device control for a test group. 

Has anyone else experienced this?  Is this the new standard for USB storage devices?  I have to make sure that Symantec is going to block only the USB attached drives and not ANY internal drives.

*edit* I have attached a screenshot from Devviewer.

I think is the  issue is  with the GUID...You  can try  to verify the  GUID for those  new  USB devices, using  Dev viewer...

Thanks for the response, but as I said in my initial post....

Using Devviewer I discovered that new USB thumb drives and external drives are no longer using the same USB guid they have in the past.  In fact they now have the same guid as Disk Drives.

What if you  try  to find the device ID from the device manager? Are they the same as that comes from Dev viewer?

on the machine where you are checking the device id

does that have sep to block USB?

I am unable to locate the guid within device manager.  On the Details tab I have along list of information include Device Id which does match what Devviewer is pulling on the items, but I don't see anything that looks like a guid at all.

@Rafeeq - I have checked on 2 PC's.  Mine, which is open to usb devices and a test machine that is in the new test group that is set to block USB and Disk Drives guid's.  Devviewer shows the same information on both.

I suppose it will be the Device ID that will be different. Check the Screenshot below

GUId will remian same

@Mudit - Right, I was able to locate this, however the deviceid is really only useful if I wanted to add an exception for a particular USB device.  What I need is to make sure that Symantec continues to block ALL usb drives, but since newer drives have the same guid as my "disk drives" and no longer "usb" (as per the the Hardware Devices under Policies within SEPM) I need to know that this is not something that will cause problems with internal HDD.

I understand that guid SHOULD remain the same.  However, if you look at the screenshot in the 1st post, you will see that a USB Thumb drive and a Western Digital internal HDD have the same guid.  Thus my current concerns about blocking this guid.

it wont as the HDD will start with DISK

I'm sure I understand that the deviceid starting with "disk" would matter in this situation.  I have attached the blocked devices section of my test policy.  As you can see the second guid I added is labeled by Symantec as "Disk Drive."  However, as stated previous, this guid is also what usb thumb drives and usb external drives are showing within devviewer...as well as the internal HDD's on at least 2 computers here.

You will not have any problem with the Internal HD.

When blocking or excluding any USB we would be looking into the USB Class GUID and Device ID. Check the Screenshot below

Ok...here's some new information...and this is really going to drive me crazy

While the device in question is plugged in I am seeing 2 instances for it under Windows Device Manager.  One under Disk Drives and one under USB Controllers.  If my SEP policy is to block both usb and disk drive guid then this device is blocked, but ONLY as far as disk drives are concerned.  The 2nd instance listed under the USB Controller section which lists the original USB guid is NOT shown as disabled and if I remove the Disk Drive guid from my block policy the device becomes enabled.

That being said, I can still plug in an older USB thumb drive and it WILL be blocked...

I have attached a screenshot showing 1 blocked old Iomega USB drive, 2 new Lacie USB drives not being blocked...

@Mudit - I completely follow what you are saying.  The problem I am having now is that based on the USB guid that you guys are showing me, these new usb devices are NOT being blocked.  I have to include the Disk Drive guid within my policy in order for them to be blocked.

Ok...so I guess you guys got tired of me :)

Anyway, here's the latest.  Appearently while I was out on vacation a little while back a new custom device was added within Symantec in an attempt to get it working on a computer.  This device just happened to be using the USB guid and because that ID was now in the exceptions, USB devices were not being blocked.  Thus when I noticed this disk drive thing.

I've removed this extra device from exceptions and like magic usb drives are being blocked again.

Was trying to check these things and was not able to re-produce this issue. Tried almost 6-7 different USB Flash Drives and USB HD.

So is it blocking all the USB those you wanted to?

It appears to be blocking all again in the groups designated as such.  Even had couple of users tell on themselves when this extra device was removed.