Endpoint Protection

Recently I have run into this and I'm stumped. The Application and Device Control policy isn't working correctly.

I have nothing set at Applications and for Devices I'm blocking CD/DVD and USBSTOR* and I've got Human Interface Devices excluded. Yet USB sticks still connect sometimes on some of the Windows XP boxes. When I plug in a USB stick I get the Autoplay pop-up and then sometimes I even see the SEP pop-up saying that the device has been disabled, even though it hasn't been. Usually the USB is blocked the second time it's getting plugged in, but not always.

I haven't seen this on Windows 7 so far.

Anyone has experienced anything similar to this?

Thank in advance!

Check the blog

https://www-secure.symantec.com/connect/blogs/knowledge-base-articles-adc-policy

What version of SEP is this for?

Hi,

Check this download

https://www-secure.symantec.com/connect/downloads/sep-policy-block-usb-and-exclude-keyboard-and-mouse

How to Block or Allow Devices in Symantec Endpoint Protection

http://www.symantec.com/business/support/index?page=content&id=TECH175220

https://www-secure.symantec.com/connect/forums/sep11-application-device-control-problem-usb-set-read-only-w-write-exemptions-does-not-work

Check this thread and mithun comments and find the device id and ADD Exclusion list in adc policy

https://www-secure.symantec.com/connect/forums/sep-device-control-problem#comment-8348671

I'm using SEP 12.1

I know the whitepapers and the detailed guides and I have already read them and implemented what is recommended there. But it's not working on some of the machines. And that's what I do not get. Why on some machines the policy is working fine, and on other machines it's not.

Hello,

How many machines is this issue occurying on?

Is the ADC and Firewall Feature install on these machines?

Is the Policy being reflected in these client machines?

Were these machines restarted atleast once after the policies were applied??

Could you try uninstalling 1 SEP client and reinstalling SEP with full feature set and check if that issue gets resolved.

What version specifically? I'm looking thru fix notes for the versions of 12.1 to see if this may have been a bug. But, if already on 12.1.2 than this may be something new.

From what I can tell I have already almost 20 machines that are experiencing this issue right now.

The ADC and Firewall features are installed and the machines are up to date and communicating properly to the Manager. Some of the machines have been restarted but the issue still persists. The same policy is working fine on nearby machines, but not on the ones with issues. So far I haven't been able to identify a root cause for this, which is what I'm really interested in.

If I can't count on the policy to be enforced after it's being applied then there is no way for me to know for sure that it's working, or if it stops working again sometime in the future. I already have defects regarding this in an internal audit and in an external one this could turn out very bad. That's why uninstallation is not a solution. This stuff has to work.

The clients that are having this issue are 12.1.1000.157 and 12.1.1101.401.

It's not possible for me to upgrade them to 12.1.2015.2015 yet (but it's planned for the future).