Endpoint Protection

Ok, this is the first topic from me, I must have err when posting.

The situation is like this: we want to block all USB devices (except smart card readers, printers, and human interface devices) in order to prevent the removable devices (flash cards, usb sticks, memory cards) from being used.

Issue: there are some SD card readers (on notebooks) that are not USB-based, but rather PCI.

Sollution: block all Device IDs related to SD, after reading here: http://msdn.microsoft.com/en-us/library/ff546279(v=vs.85).aspx

Error: after adding to list of blocked devices these IDs: SD\CLASS_STORAGE and SD\ and assigning the policy, the SDs still work on those machines.

Refer to the following tech note:-

http://www.symantec.com/business/support/index?page=content&id=TECH104299

Hello and thank you for your answer. The SD card readers use the PCI bus therefore the tech solution you suggested does not apply since it reffers the Universal Serial Bus

Therefore we had to block each and every SD Controller using their Device ID (or "Device Instance Path" in W7)

Is it Ok for blocking SD card readers in laptop using device ID? whether it will block only SD card readers or other USB devices also?

If disabling the SD card reader *controller* is what you want, then disable its device ID. USB-based card readers must be disabled by opting to block USB devices.

This is found at the bottom of the Device control section of the Application and device control policy.  If so, you should be able to check from your sepm the device ID of these SD card readers and make a better informed decision of the format your 'hardware device' entry in the SEPM should take.

Of course if you happen to have access to one of these laptops that will work too :)

Don't forget that you can use wildcards for the creation of entries in the 'hardware devices' list.  What I mean is, have you tried using the below to identify the SD devices?

SD\*

we tried for blocking USB based readers.