Twin Cities Security User Group

  • 1.  Device ID in DLP 11.5.1 and regular expressions

    Posted Aug 15, 2012 11:12 AM

    I would like to create one regular expression for all encrypted Kingston USB flash drives.

    Our DLP system version 11.5.1 does not recognize Device IDs with an * (wildcard) in the Device Definition (regex).

    We have one approved USB encrypted removable media device. The device is a Kingston DataTraveler Vault. When I run the device ID tool (part of the Endpoint agent tools) against the Kingston flash drive device, I get a regular expression similar to the one below:

    USBSTOR\\DISK&VEN_KINGSTON&PROD_DTVAULT_PRIVACY&REV_PMAP\\000FFEF335F0BC61C0000000&0

    <class>\<type><vendor><model><revision>\<serial number>

    My thought process is that all parts of the regex will remain the same across all Kingston encrypted flash drives except the last part, <serial number>. So I tried creating a device ID regex with the wildcard *:

    USBSTOR\\DISK&VEN_KINGSTON&PROD_DTVAULT_PRIVACY&REV_PMAP\\*

    The system recognizes the device if I include the serial number, but it does not when I use the * wildcard.

    Thank you in advance!

     



  • 2.  RE: Device ID in DLP 11.5.1 and regular expressions

    Trusted Advisor
    Posted Aug 15, 2012 11:23 AM

    If you read the online help, it will tell you what REGEX characters work.

     

    I do not think * works in this usage. Try it without the *.



  • 3.  RE: Device ID in DLP 11.5.1 and regular expressions

    Posted Aug 15, 2012 11:48 AM

    Thank you for your response.

    I tried:

    USBSTOR\\DISK&VEN_KINGSTON&PROD_DTVAULT_PRIVACY&REV_PMAP\\

    USBSTOR\\DISK&VEN_KINGSTON&PROD_DTVAULT_PRIVACY&REV_PMAP

    Neither worked.

    Also tried + at the end.



  • 4.  RE: Device ID in DLP 11.5.1 and regular expressions

    Trusted Advisor
    Posted Aug 15, 2012 12:48 PM

    What version of DLP are you using? If it is prior to 11.1, you may have a known issue.

    https://kb-vontu.altiris.com/display/1n/kb/article.asp?aid=54479&n=2&s=

     

    Problem Summary

    Created a policy to block copying files to all USB devices except 2 hardware encrypted USB devices - SanDisk and Verbatim. The exception is defined based on DeviceID.

    The policy looks like this:

    Rule: Removable Storage (Protocol)
    Exception: SanDisk DeviceID in RegEx format
    Exception: Verbatim DeviceID in RegEx format

    The RegEx for the device IDs is collected from the output of the DeviceID.exe utility. These devices are seen under Device Manager->Disk Drives.

    The exception does not appear to be working without restarting the edpa process.

     


    Solution
     
     

    When the EDPA process is running and you plug in a hardware encrypted USB, EDPA gets a device control event. EDPA queries all devices attached (to create the device ID map) but fails querying the hardware encrypted USBs (GetVolumeInformation() fails) because these devices need to be unlocked (and the drive is seen as CDFS). To unlock the USB, the user is prompted to provide a password when the user clicks this USB drive. But before the user completes this task, EDPA completes creating the device ID map, and this map does not contain the hardware encrypted USBs.

    The only workaround is to restart the EDPA process before copying to the USB drive.  This is not feasible, since the end user is not aware of the issue.

    This is fixed in 11.1.1 per etrack 2374979.

     



  • 5.  RE: Device ID in DLP 11.5.1 and regular expressions

    Posted Aug 15, 2012 01:01 PM

    We are on 11.5.1010.07001, so this should have been fixed, but it appears this was not fixed. I restarted the service (EDPA) and still no go. I'll read through the etrack. I also have a ticket opened with Symantec.



  • 6.  RE: Device ID in DLP 11.5.1 and regular expressions
    Best Answer

    Posted Aug 15, 2012 03:09 PM

    Resolution: I just had to add a . (period) before the * (wildcard). Details below.

    Here is the resolution to the question I had, Symantec support was able to answer my question and I did test it successfully:

     

    Below is a DeviceID.exe result for a USB 3.0 device, showing both the ID as read and the regex for that ID as suggested by the tool (to get the Device ID, run the DeviceID.exe tool from a command prompt):

    Dev ID: USBSTOR\DISK&VEN_SANDISK&PROD_U3_CRUZER_MICRO&REV_2.18\0000060435096770&0
    Regex:  USBSTOR\\DISK&VEN_SANDISK&PROD_U3_CRUZER_MICRO&REV_2\.18\\0000060435096770&0

    And here is a regex string that shows a wildcard for the above device with the serial number removed from the regex - note that the wildcard format after the last pair of slashes is ".*"

    Regex:  USBSTOR\\DISK&VEN_SANDISK&PROD_U3_CRUZER_MICRO&REV_2\.18\\.*

    Note that in testing, the single backslash before the period seems to make no difference in the detection - the tool will "see" the DeviceID either way, with or without the single backslash (either "2.18" or "2\.18" to use the above example).

    In testing, changes to the DeviceID configuration were updated on the Endpoint Server immediately, and did not require recycling of services to take effect.
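The behaviour reported across the thread, reproduced offline in Python as an added example that is not part of the original posts or of Symantec's DeviceID.exe: the `\\*` pattern from post 1 and the bare prefix from post 3 fail, the `\\.*` form from post 6 matches every drive of that vendor/product/revision regardless of serial, and the escaped versus unescaped revision dot only differs against an ID whose revision field is not literally "2.18". The helpers `device_id_to_regex`, `strip_serial` and `matches` are constructed here; so are the second Kingston serial and the bogus-revision SanDisk ID. That the endpoint agent matches the pattern against the whole ID (re.fullmatch) and ignores case is an assumption, consistent with the bare prefix not working in post 3 but not stated on the page.

```python
import re

# Constructed sample device IDs in the "Dev ID:" form DeviceID.exe prints.
# [0] and [2] are the IDs quoted in the thread; [1] is a made-up second
# Kingston DTVault (different serial); [3] is a made-up SanDisk whose
# revision is "2X18", used to show what an unescaped '.' lets through.
SAMPLE_IDS = [
    r"USBSTOR\DISK&VEN_KINGSTON&PROD_DTVAULT_PRIVACY&REV_PMAP\000FFEF335F0BC61C0000000&0",
    r"USBSTOR\DISK&VEN_KINGSTON&PROD_DTVAULT_PRIVACY&REV_PMAP\0011223344556677889900AA&0",
    r"USBSTOR\DISK&VEN_SANDISK&PROD_U3_CRUZER_MICRO&REV_2.18\0000060435096770&0",
    r"USBSTOR\DISK&VEN_SANDISK&PROD_U3_CRUZER_MICRO&REV_2X18\0000060435096770&0",
]

# Patterns exactly as they appear in the thread.
KINGSTON_STAR = r"USBSTOR\\DISK&VEN_KINGSTON&PROD_DTVAULT_PRIVACY&REV_PMAP\\*"      # post 1: did not work
KINGSTON_PREFIX = r"USBSTOR\\DISK&VEN_KINGSTON&PROD_DTVAULT_PRIVACY&REV_PMAP"       # post 3: did not work
SANDISK_DOTSTAR = r"USBSTOR\\DISK&VEN_SANDISK&PROD_U3_CRUZER_MICRO&REV_2\.18\\.*"   # post 6: works
SANDISK_UNESCAPED = r"USBSTOR\\DISK&VEN_SANDISK&PROD_U3_CRUZER_MICRO&REV_2.18\\.*"  # post 6: "no difference"


def device_id_to_regex(dev_id: str) -> str:
    """Turn a raw device ID into the regex form DeviceID.exe suggests (constructed
    helper): every backslash doubled and every dot escaped. '&' and '_' are not
    regex metacharacters, so they are left alone."""
    return dev_id.replace("\\", "\\\\").replace(".", r"\.")


def strip_serial(regex: str) -> str:
    """Drop the serial-number field (everything after the last '\\\\' pair) and
    replace it with '.*', the wildcard form support gave in post 6."""
    head, sep, _serial = regex.rpartition("\\\\")
    if not sep:
        raise ValueError("no '\\\\' separator found; is this an escaped device ID?")
    return head + sep + ".*"


def matches(regex: str, dev_id: str) -> bool:
    """Assumption: the agent requires the pattern to cover the whole ID and
    compares case-insensitively. Under re.search the bare prefix would match,
    yet post 3 reports that it did not."""
    return re.fullmatch(regex, dev_id, re.IGNORECASE) is not None


def check_thread_patterns() -> dict:
    """Evaluate each pattern from the thread against the sample IDs."""
    kingston_dotstar = strip_serial(device_id_to_regex(SAMPLE_IDS[0]))
    return {
        # In a regex, '\\*' means "zero or more literal backslashes", so nothing
        # ever consumes the serial number and the whole-ID match fails.
        "star_matches_kingston": matches(KINGSTON_STAR, SAMPLE_IDS[0]),
        "prefix_matches_kingston": matches(KINGSTON_PREFIX, SAMPLE_IDS[0]),
        # '\\.*' is one backslash followed by anything: both Kingston serials match.
        "dotstar_matches_both_kingston": all(matches(kingston_dotstar, i) for i in SAMPLE_IDS[:2]),
        "dotstar_rejects_sandisk": not matches(kingston_dotstar, SAMPLE_IDS[2]),
        # Escaping the revision's '.' only matters when some other character sits there.
        "escaped_rev_matches_real": matches(SANDISK_DOTSTAR, SAMPLE_IDS[2]),
        "escaped_rev_rejects_bogus": not matches(SANDISK_DOTSTAR, SAMPLE_IDS[3]),
        "unescaped_rev_accepts_bogus": matches(SANDISK_UNESCAPED, SAMPLE_IDS[3]),
    }


if __name__ == "__main__":
    for name, result in check_thread_patterns().items():
        print(f"{name}: {result}")
```

Two practical points fall out of this. Post 6's observation that the backslash before the period "makes no difference" holds only because a bare `.` matches the literal dot as well as anything else, so the unescaped form is slightly looser than the escaped one; the tool's suggested escaping is the safer habit. And the `.*` after the last pair of backslashes allowlists every device that reports the same vendor, product and revision strings, which is the intent here, but those strings come from the device itself, so the exception is a policy convenience keyed on what the drive claims to be rather than proof of which drive it is.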