Endpoint Protection

  • 1.  Block USB stick but not external HDDs

    Posted Feb 22, 2010 09:06 AM
    Hi,

    My company has SEP11 and wants to use it to block writing to unencrypted USB sticks. That's an easy enough policy to implement. However, we now also have a number of users who have been issued an external HDD, and they should still be able to write data to it. The external HDDs are from different brands and of various sizes. Now how do I implement that?

    So far I've made a new Rule Set and in there I've added two new "File and Folder Access Attempts" conditions. The first one triggers when "Only match files on the following device id type": "*VEN_MXI*" and the action to take is allow read and write. That's for the encrypted USB sticks; they are all from one vendor. The second condition triggers when "Only match files on the following drive types": "Removable drive (floppy drive, USB drive, etc)" and the action is allow read but block write.

    That all works well, but how do I allow external hard drives, since the second condition blocks writing to both USB sticks and drives? Should I get the serial numbers of the drives and whitelist them somehow? What is the smartest way?

    Kind regards,
    Tom


  • 2.  RE: Block USB stick but not external HDDs

    Posted Feb 22, 2010 09:13 AM
    Follow this document:

    How to block USB Thumb Drives and USB Hard Drives, but allow specific USB Drives in the Application and Device Control Policy in Symantec Endpoint Protection.


    http://service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/b54beb2f46268ccc882574e80052960f?OpenDocument 


  • 3.  RE: Block USB stick but not external HDDs

    Posted Feb 22, 2010 10:44 PM


    1.    Open the Symantec Endpoint Protection Manager
    2.    Click on Policies
    3.    Expand Policy Components
    4.    Click on Hardware Devices
    5.    Click Add a Hardware Device...
    6.    In the field Device Name: usbstorage Note: This can be anything
    7.    Choose Device ID: USBSTOR\*  (Note: This must be all capital letters and must be spelled correctly)
    8.    Click OK

    How to add USB by device ID

    On the Symantec_Endpoint_Protection_11.0.XXXX.XXX_MRX_AllWin_EN_CD2.xxx you will find the TOOLS/NOSUPPORT/DEVVIEWER. Download the DevViewer.exe file.

    1.    Place a USB thumb drive in the USB port
    2.    Open the DevViewer utility
    3.    Expand Disk drives in the DevViewer
    4.    Select USB Flash Memory USB Device
    5.    In the right hand panel under USB Flash Memory USB Device right click in the panel and choose Copy Device ID.
    6.    Open the Symantec Endpoint Protection Manager
    7.    Click on Policies
    8.    Expand Policy Components
    9.    Click on Hardware Devices
    10.    Click Add a Hardware Device...
    11.    In the field Device Name: Allow USB  (Note: This can be anything)
    12.    Choose Device ID: and paste the device id for the USB in the field
    13.    Click OK



    How to create a rule that will allow only specific USBs onto your network.

    1.    Click on Application and Device Control
    2.    Edit Application and Device Control
    3.    Highlight Application Control
    4.    Check the box next to Block writing to USB drives
    5.    Choose Edit
    6.    Under the Rules column choose Add > Add Condition > File and Folder Access Attempts
    7.    File and Folder Access Attempts must be highlighted
    8.    On the Properties tab Enable this rule should be checked
    9.    Under Apply this rule to the following files and folders:
    10.    Click Add
    11.    In the File or Folder Name To Match field type *
    12.    Use wildcard matching(* and ? supported) should be checked
    13.    Check the box Only match files on the following device id type
    14.    Choose Select button
    15.    Browse to the Device Name: usbstorage (Note: this may have been named something else based on your naming convention)
    16.    Click OK        
    17.    Under do not apply to the following files and folders choose Edit
    18.    In the File or Folder Name To Match field type *
    19.    Use wildcard matching(* and ? supported) should be checked
    20.    Check the box Only match files on the following device id type
    21.    Choose Select button
    22.    Browse to the Device Name: Allow USB (Note: this may have been named something else based on your naming convention)
    23.    Click OK     
    24.    Select the Actions tab
    25.    In the Read Attempt column choose Block access (Note: Enable logging if you would like to log the attempts)
    26.    Check the box Notify User:
    27.    Create a notification by typing something in the field Note: this can be what ever you want
    28.    In the Create, Delete, or Write Attempt column choose block access
    29.    Check the box Notify User:
    30.    Create a notification by typing something in the field Note: this can be what ever you want
    31.    Click OK
    32.    Click OK again
    33.    Apply to the groups you want to associate this policy with
    34.    Reboot clients

    Note: This will work on a 32-bit server but will not work on a 64-bit server, and all features must be installed: AntiVirus and Antispyware, Proactive Threat Protection, Network Threat Protection.


    Note: This will work on all workstations, but all features must be installed: AntiVirus and Antispyware, Proactive Threat Protection, Network Threat Protection.



  • 4.  RE: Block USB stick but not external HDDs

    Posted Feb 22, 2010 11:56 PM
    Rafeeq has already suggested the right solution, which is described in Symantec's knowledge base.


  • 5.  RE: Block USB stick but not external HDDs

    Posted Feb 23, 2010 01:31 AM
    Create a policy to block all USB drives, and in the exceptions add all the drives which are supposed to be used. As earlier posters said, you can use DevViewer to find out the device ID. You can also use wildcards, as described in the example below.

    Start by using our DevViewer utility on CD2; you can see device IDs and class IDs from that. For more information on device IDs see here: http://msdn.microsoft.com/en-us/library/ms791083.aspx

    Suffice to say, you can use wildcards in the device ID to match based on device type, manufacturer, etc.
    For instance on my machine, I have a USB device (Apple iPhone) which is recognized as:

    \USB\Vid_05ac&Pid_1292\9f5bce6ec6831ba6c2520874ebca5f1ce17ac5c6

    If I wanted to block that single device I could use the above string.

    If I wanted to block all Apple iPhones, I could use the following:

    \USB\Vid_05ac&Pid_1292\*

    If I wanted to block all Apple USB devices, I could use this:
    \USB\Vid_05ac*
    If I wanted to block all Apple devices, I could try this:
    \*\Vid_05ac*
    In the above example,

    Vid_05ac - Vendor ID 05ac - Apple

    Pid_1292 - Product ID




  • 6.  RE: Block USB stick but not external HDDs

    Posted Feb 23, 2010 07:05 AM
    Hi Everyone,

    Thanks for all your kind answers; the answer that Rafeeq gave was indeed very good. However, I forgot to mention that we estimate there are somewhere between 100 and 200 of those HDDs floating around. Another thing is that we expect the HDDs to be from various vendors, and I don't see how I can use a wildcard like AravindKM suggested. My hunch is that _IF_ we put in all 100 or so devices with their specific device ID (up to the serial nr.), then that will clog up the policy processing on the client side, and on the server side it will be a pain to maintain.

    When dreaming of a solution I thought it could be nice to have SEP check for the existence of a digital certificate on the HDD that would allow / certify the use of that particular HDD. The certificate should then include the specific device ID and must be signed by the server. Of course such a certificate may only be given out by the certifying authority. I guess that functionality is not implemented in SEP. However, I was wondering if I could accomplish a solution in another way.

    Kind regards,
    Tom

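    To make the trade-off in posts 5 and 6 concrete, here is an added example (not Symantec's code and not from any poster) that models how an ordered rule set of device-ID wildcards resolves for a handful of devices: Tom's current two conditions, a per-serial whitelist of the kind he worries about, and AravindKM's per-vendor wildcard alternative. It also checks the four Apple patterns from post 5 against the iPhone ID quoted there. Assumptions, flagged in the code as well: Python's fnmatch stands in for SEP's `*`/`?` matching, rules are evaluated top-down with the first match winning, device IDs are compared case-insensitively, and every device ID other than the quoted iPhone one is constructed with made-up vendors, products and serial numbers.

```python
"""Model of an ordered, SEP-style device-control rule set resolving a device ID.

Added illustration, not Symantec's code. fnmatch stands in for the '*' and '?'
wildcards SEP accepts in a device ID; rules are applied top-down, first match
wins. Assumption: device IDs compare case-insensitively (the posted how-to says
to type USBSTOR\\* in capitals). All sample device IDs below are constructed
with fake serials, except the Apple iPhone ID quoted in the thread.
"""
from fnmatch import fnmatchcase
from typing import List, NamedTuple, Optional, Tuple


class Rule(NamedTuple):
    pattern: str   # wildcard over the device ID ('*' and '?')
    read: bool     # allow read attempts
    write: bool    # allow create/delete/write attempts
    label: str


# Constructed sample device IDs. The USBSTOR\DISK&VEN_x&PROD_y&REV_z\serial&0
# layout is the Windows one; vendors, products and serials here are made up.
DEVICES = {
    "encrypted stick (MXI)": r"USBSTOR\DISK&VEN_MXI&PROD_SECURE&REV_1.00\00001A2B3C4D&0",
    "plain stick":           r"USBSTOR\DISK&VEN_GENERIC&PROD_FLASH&REV_8.07\0123456789AB&0",
    "issued HDD (WD)":       r"USBSTOR\DISK&VEN_WD&PROD_MY_PASSPORT&REV_1019\575831310000&0",
    "issued HDD (Seagate)":  r"USBSTOR\DISK&VEN_SEAGATE&PROD_FREEAGENT&REV_0101\2GE0A1B20000&0",
    # The one real ID on the page (AravindKM's iPhone); note it is not under USBSTOR.
    "iPhone":                r"\USB\Vid_05ac&Pid_1292\9f5bce6ec6831ba6c2520874ebca5f1ce17ac5c6",
}


def id_matches(pattern: str, device_id: str) -> bool:
    """Wildcard match of a device ID; case-insensitive by assumption (see docstring)."""
    return fnmatchcase(device_id.upper(), pattern.upper())


def resolve(rules: List[Rule], device_id: str) -> Optional[Rule]:
    """Top-down evaluation: the first rule whose pattern matches decides."""
    for rule in rules:
        if id_matches(rule.pattern, device_id):
            return rule
    return None


def effective_access(rules: List[Rule], device_id: str) -> Tuple[bool, bool, str]:
    """(read, write, deciding rule) for a device; no matching rule means unrestricted."""
    rule = resolve(rules, device_id)
    if rule is None:
        return True, True, "no rule matched"
    return rule.read, rule.write, rule.label


# Tom's two conditions: encrypted sticks read/write, then everything else read-only.
# Tom keyed the second one on drive type "Removable drive"; USBSTOR\* is the
# device-ID form the posted how-to uses for the same purpose.
ENCRYPTED = Rule("*VEN_MXI*", True, True, "encrypted sticks (one vendor)")
READ_ONLY_USB = Rule(r"USBSTOR\*", True, False, "all other USB storage: read-only")
CURRENT_RULESET = [ENCRYPTED, READ_ONLY_USB]


def per_serial_ruleset(issued_ids: List[str]) -> List[Rule]:
    """Whitelist by full device ID: one allow rule per issued drive (100-200 for Tom)."""
    allows = [Rule(dev_id, True, True, "issued HDD (by serial)") for dev_id in issued_ids]
    return [ENCRYPTED] + allows + [READ_ONLY_USB]


def per_vendor_ruleset(vendors: List[str]) -> List[Rule]:
    """Whitelist by vendor wildcard (AravindKM's idea): one allow rule per HDD vendor."""
    allows = [Rule(rf"USBSTOR\DISK&VEN_{v}&*", True, True, f"issued HDD vendor {v}")
              for v in vendors]
    return [ENCRYPTED] + allows + [READ_ONLY_USB]


def apple_patterns_match() -> dict:
    """The four patterns from post 5, each checked against the quoted iPhone ID."""
    patterns = [
        r"\USB\Vid_05ac&Pid_1292\9f5bce6ec6831ba6c2520874ebca5f1ce17ac5c6",  # one device
        r"\USB\Vid_05ac&Pid_1292\*",   # all iPhones with that product ID
        r"\USB\Vid_05ac*",             # all Apple USB devices
        r"\*\Vid_05ac*",               # all Apple devices, any bus enumerator
    ]
    return {p: id_matches(p, DEVICES["iPhone"]) for p in patterns}


if __name__ == "__main__":
    vendor_rules = per_vendor_ruleset(["WD", "SEAGATE"])
    for name, dev_id in DEVICES.items():
        r0, w0, _ = effective_access(CURRENT_RULESET, dev_id)
        r1, w1, why = effective_access(vendor_rules, dev_id)
        print(f"{name:24s} current: read={r0} write={w0} | "
              f"per-vendor: read={r1} write={w1} ({why})")
    print("rules for 150 drives by serial:", len(per_serial_ruleset(["x"] * 150)),
          "| by vendor:", len(vendor_rules))
```

    Running it shows the problem from post 1 (the issued HDDs fall through to the read-only rule) and the cost of each fix: the per-serial list grows by one rule per drive, while the per-vendor list stays at a handful. The caveat a practitioner should weigh is what the vendor wildcard also admits: any personal drive from the same vendor, and for vendors that sell both sticks and HDDs a `VEN_` pattern cannot tell them apart, so a tighter `VEN_x&PROD_y*` pattern per issued model is the usual compromise. Whatever SEP actually does with ordering and case should be confirmed with logging enabled on the rule before rollout.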

  • 7.  RE: Block USB stick but not external HDDs
    Best Answer

    Posted Feb 23, 2010 07:09 AM
    I think it would be better to block few, then allow many :)
    Please add it under ideas section, would help to make the product better and stronger :))