4 Replies Latest reply on Mar 20, 2017 3:32 AM by silverwolf

    USB Defender

    tpmobley

      Needing help configuring USB Defender. I have followed all the steps to configuring it, but neither see an alert in the console nor are unauthorized USB devices shut down on the client machine. Here is what I've done:

      • Created a white list of approved devices (based on the Hardware ID value in Windows),
      • Uploaded the white list to the USB Defender Local Policy.
      • Enabled both USB Defender Local Policy and Windows Active Response connectors on test node.
      • Cloned and enabled Detach Unauthorized USB Device rule.

      Any help is much appreciated!

        • Re: USB Defender
          curtisi

          USB Defender Local Policy runs separately from the USB rules on LEM.  The point of the UDLP is that, if the Agent is not connected to LEM, it can still block devices that aren't whitelisted.  The whitelist has a different format than the whitelist in LEM, however, so I'm betting that's where the issue lies.

          For the LEM rule, you're adding devices to a User Defined Group that the rule references, and that list looks something like this:

          [screenshot: SolarWinds Log & Event Manager, User Defined Group device list]

          I've highlighted an example with a wildcard.

          The UDLP list, however, is a text file.  It's one-per-line with NO WILDCARDS.  However, it'll do "best match" so if a line terminates early, you can have that in the whitelist.  Ergo, in your UDLP file, if you added a line:

          USB\VID_148F&PID_761A\

          And left it at that, it would whitelist all those devices regardless of the specific device ID, where this example only whitelists one exact device:

          USB\VID_046D&PID_0825\05D0CF60

          I hope that helps.

          Otherwise, with rules in general, the first thing I'd do is confirm that the LEM appliance has the correct time-zone and date/time for your deployment.

          2 of 2 people found this helpful
            • Re: USB Defender
              tpmobley

              Thank you curtisi. I had made the Local Policy white list, but had neglected to populate this one in the console. I am now able to automate detachment of mass storage devices not on the approved list; however, I am still needing to be able to detach any USB device (including keyboards, mice, webcams, etc.) that is not on our approved hardware list. SolarWinds support tells me to use the "USB Defender Extended" connector, but I don't see that in the list of connectors. Additionally, the Windows Event Log doesn't seem to record anything but mass storage device attach/detach.

              Thanks for your help!

            • Re: USB Defender
              curtisi

              The way that USB Defender works (and all that it does) is log all mass storage device IDs to the Windows Application Event log.  The events look like this:

              Log Name:      Application
              Source:        TriGeo USB-Defender
              Date:          1/31/2017 4:23:20 PM
              Event ID:      32004
              Task Category: None
              Level:         Information
              Keywords:      Classic
              User:          DOMAIN\username
              Computer:      HOSTNAME.domain.com
              Description:
              USB Device Detached
              Device ID: USB\VID_0930&PID_6545\00187D0F56ACEE50D000339D
              Serial number: 00187D0F56ACEE50D000339D
              Device name: \\?\usb#vid_0930&pid_6545#00187d0f56acee50d000339d#{a5dcbf10-6530-11d2-901f-00c04fb951ed}
              Device path: \\?\usb#vid_0930&pid_6545#00187d0f56acee50d000339d#{a5dcbf10-6530-11d2-901f-00c04fb951ed}
              Friendly name:
              Description: USB Mass Storage Device
              Manufacturer: Compatible USB storage device
              Device setup class: USB
              Setup class guid: {36fc9e60-c465-11cf-8056-444553540000}
              Capabilities:
                  Lock supported: No
                  Eject supported: No
                  Removable: Yes
                  Dock device: No
                  Unique ID: Yes
                  Silent install: No
                  Raw device ok: No
                  Surprise removal ok: Yes
                  Hardware disabled: No
                  Nondynamic: No
              Configurations:
                  Disabled: No
                  Removed: No
                  Manual install: No
                  Ignore boot: No
                  Net boot: No
                  Reinstall: No
                  Failed install: No
                  Cannot stop a child: No
                  Can remove ROM: No
                  No remove at exit: No
                  Finish install: No
                  Needs forced configuration: No
                  Partial log configuration: No
              Driver software key: {36fc9e60-c465-11cf-8056-444553540000}\0014
              Service name: USBSTOR
              Device address: 1
              Bus number: 0
              Bus type guid: {9D7DEBBC-C85D-11D1-9EB4-006008C3A19A}
              Device type:
              Enumerator name: USB
              Legacy bus type: 15
              Hardware location:
              Physical device object name:
              Security descriptor:
              Hardware IDs::
                  USB\VID_0930&PID_6545&REV_0100
                  USB\VID_0930&PID_6545
              Compatible IDs:
                  USB\Class_08&SubClass_06&Prot_50
                  USB\Class_08&SubClass_06
                  USB\Class_08

              These events are sent to LEM by the LEM Agent, and the LEM looks at the data and matches it to rules and does (or doesn't) take an action depending on how you have it set up.  There is another version of the USB Defender connector (the Extended edition) that parses these events for every USB device, and then you can have LEM check those events out or run them against USB Defender Local Policy.  You'll need to get that version from Support.
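              Added example (not from the thread, and not SolarWinds code): a small Python model of the two matching behaviours curtisi describes, the UDLP text file with "best match" (read here as a prefix match, which is an assumption) and the LEM User Defined Group with wildcards (glob-style `*` is assumed, since the screenshot is not reproduced), run against a parser for the TriGeo USB-Defender event Description shown above. The event text and whitelist entries are constructed from the values in the thread; the function names and the case-insensitive comparison are mine.

```python
import fnmatch

# Constructed sample: the Description block of a TriGeo USB-Defender event
# (event ID 32004), trimmed to the fields the whitelist check needs.
SAMPLE_EVENT = """\
USB Device Detached
Device ID: USB\\VID_0930&PID_6545\\00187D0F56ACEE50D000339D
Serial number: 00187D0F56ACEE50D000339D
Description: USB Mass Storage Device
Capabilities:
    Removable: Yes
    Unique ID: Yes
Service name: USBSTOR
Hardware IDs::
    USB\\VID_0930&PID_6545&REV_0100
    USB\\VID_0930&PID_6545
Compatible IDs:
    USB\\Class_08&SubClass_06&Prot_50
    USB\\Class_08&SubClass_06
    USB\\Class_08
"""

# Constructed UDLP-style whitelist: one entry per line, no wildcards.
# The first entry "terminates early" and so covers every device with that
# VID/PID; the second names one exact device (serial included).
UDLP_WHITELIST = """\
USB\\VID_148F&PID_761A\\
USB\\VID_046D&PID_0825\\05D0CF60
"""

# Constructed LEM User Defined Group entries; glob-style '*' is an assumed
# wildcard syntax (the thread's screenshot is not reproduced here).
LEM_GROUP = ["USB\\VID_148F&PID_761A\\*", "USB\\VID_046D&PID_0825\\05D0CF60"]

LIST_FIELDS = ("Hardware IDs", "Compatible IDs")


def parse_usb_defender_event(text):
    """Turn the event Description into a dict.  'Key: value' lines become
    strings; the indented lists under Hardware IDs / Compatible IDs become
    lists; the first line without a colon is stored under 'Event'."""
    fields = {}
    current_list = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0] in " \t" and current_list is not None:
            fields[current_list].append(raw.strip())
            continue
        current_list = None
        if ":" not in raw:
            fields.setdefault("Event", raw.strip())
            continue
        key, _, value = raw.partition(":")
        key = key.strip()
        value = value.strip().lstrip(":").strip()  # "Hardware IDs::" doubles the colon
        if key in LIST_FIELDS:
            fields[key] = []
            current_list = key
        else:
            fields[key] = value
    return fields


def load_udlp_whitelist(text):
    """One entry per line; blank lines ignored.  Entries are compared
    case-insensitively (an assumption; the thread does not say)."""
    return [line.strip().upper() for line in text.splitlines() if line.strip()]


def udlp_allows(device_id, whitelist):
    """'Best match' as read here: an entry matches when the device ID starts
    with it.  The trailing backslash on a VID/PID-only entry matters, since it
    stops USB\\VID_148F&PID_761A\\ from also matching e.g. PID_761AB."""
    dev = device_id.upper()
    return any(dev.startswith(entry) for entry in whitelist)


def lem_group_allows(device_id, patterns):
    """Match against a User Defined Group with '*' wildcards (assumed glob
    syntax).  fnmatch does not treat backslash as an escape character."""
    dev = device_id.upper()
    return any(fnmatch.fnmatchcase(dev, p.upper()) for p in patterns)


def evaluate_event(event_text, whitelist):
    """What a 'Detach Unauthorized USB Device' style check would decide for
    one event: the parsed device ID plus 'detach' or 'allow'."""
    fields = parse_usb_defender_event(event_text)
    device_id = fields.get("Device ID", "")
    allowed = udlp_allows(device_id, whitelist)
    return {"device_id": device_id, "allowed": allowed,
            "action": "allow" if allowed else "detach"}


if __name__ == "__main__":
    print(evaluate_event(SAMPLE_EVENT, load_udlp_whitelist(UDLP_WHITELIST)))
```

              The sample device (VID_0930/PID_6545) is on neither list, so the model reports "detach"; swapping the serial on the VID_046D entry shows why a full-length UDLP line only matches one exact device while a line that stops after the VID/PID (with its trailing backslash) covers the whole product family.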

                • Re: USB Defender
                  silverwolf

                  When using the USB Extended edition be very careful, as a LOT of exclusions are needed if you decide to use it. Make sure you have checked the regular USB Defender connector so that there are no configurations that you have missed before thinking of the USB Defender Extended edition.

                  1 of 1 people found this helpful