To stay updated on your favorite discussions, please create an account or log in. Then, click the Bookmark icon to subscribe and receive notifications.

Whitelist a specific USB mass storage key with F-Secure Endpoint

Options
apache
apache W/ Member Posts: 1 Security Scout
in WithSecure Elements Endpoint Protection

Hi,

I use F-Secure Endpoint in version 15.30 .

I blocked by default all the USB Mass storage devices on all workstations. Now I would like to whitelist a specific USB but it doesn't seem to work.

Anyone already faced this issue?

Capture.PNG

Thank you for the help

Answers

  • Sethu Laks
    Sethu Laks W/ Partner, W/ Staff, W/ Moderator Posts: 221 Moderator
    Options

    Hi @apache

    Thank you for reaching out the WithSecure Community,

    For USB devices, Device ID from Device Manager should be viewed from the following;

    Device Manager > Disk Drives > USB partition

    The reason is when you insert USB device into a PC it is not necessarily detected as as a single device in Windows, because of the possibility of partitions. So, if some flash drive has several partitions on it, it will be detected as both "USB Mass Storage Device", with every partition presented as a separate 'device' under Disk Drive. This is reflected in Policy Manager alerts and Elements Security Events. 

    To know various Class please check this page, (Scroll down and find Device Classes):   https://en.wikipedia.org/wiki/USB

    Follow these instructions to find the hardware ID either with Policy Manager or Windows Device Manager.
    In Advanced view:

    1. Open Policy Manager and go to Device Control > Statistics.
    Use Hardware IDs, Compatible IDs and Device Class columns to find the ID of the device that has been blocked.
    2. If you cannot find the ID using the statistics or the device has not been blocked yet, open Windows Device Manager
    in the client computer.
    3. Find the device which ID you want to know in the list of devices.
    4. Right-click the device and select Properties.
    5. Go to Details tab.
    6. Select one of the following IDs from the drop-down menu and write down its value:
    • Hardware IDs
    • Compatible IDs
    • Device class guid

    You can refer to the following article to know more information https://community.withsecure.com/en/kb/articles/5517-blocking-device-access-using-predefined-rules

    https://community.withsecure.com/en/kb/articles/29565-withsecure-elements-device-control-not-blocking-write-access-or-executable-launching-on-usb-mass-storage-devices

    If the issue remain, could you please upgrade it to latest version 16.x for Policy Manager/Client Security/Server Security and check again?

    If you have any further questions or need assistance in setting up these rules, please let me know.

    Best regards,
    Sethu
    Community Moderator | Technical Support Engineer
    WithSecure™ https://www.withsecure.com/en/home

Categories