1 Reply Latest reply on Feb 24, 2017 1:14 PM by jhynds

    USB Defender - Testing and Implementation

    tpmobley

      I have accomplished the following for USB Defender configuration:

      • Uploaded text file whitelist to USB Defender Local Policy connector,
      • Created matching list on LEM as user defined group,
      • Loaded USB Defender Extended connector,
      • Cloned rule to Detach Unauthorized Devices.

       

      So I'm ready to test this, but before I do I need three questions answered:

      1. How do I test this on a limited set of machines, while being absolutely SURE it doesn't activate on the whole domain?
      2. I know that this disables ports when an unauthorized device is inserted, but what about devices that are ALREADY attached and being used? Does it shut down ports that are already in use or just when they are attached? ...what about reboots?
      3. Once an unauthorized USB device has been detached, is there a way to reactivate that port without PHYSICALLY reinserting it? If the detached device is added to the white list, will it become reactivated (without being reinserted)?

       

      Thanks for any feedback!

        • Re: USB Defender - Testing and Implementation
          jhynds

          Hey Timothy,

           

          Firstly, the USB Extended connector is typically used if customers want to detach peripherals like keyboard, mice, etc - so if you just want to detach USB storage devices I would recommend just using the standard USB Defender.

           

          - How do I test this on a limited set of machines, while being absolutely SURE it doesn't activate on the whole domain?

          Best approach is to create a User Defined Group of machine names you want to limit testing too. In your correlation rule you can then add the SystemStatus.DetectionIP = 'USB Test Machine' (or whichever you name you provide). This ensures that the rule will trigger only if the event is appearing on one of those machines.

           

          - I know that this disables ports when an unauthorized device is inserted, but what about devices that are ALREADY attached and being used? Does it shut down ports that are already in use or just when they are attached? ...what about reboots?

          USB Defender will only detach the unauthorized device, based on the Unique Identifier of the device. When a reboot occurs, USB Defender will look at the attached devices & detached unauthorized ones on startup. You can test to see which devices are detected within the Windows Event Logs - USB Defender event are there.

           

          - Once an unauthorized USB device has been detached, is there a way to reactivate that port without PHYSICALLY reinserting it? If the detached device is added to the white list, will it become reactivated (without being reinserted)?

          There is no way to re-activate the USB device from LEM without physically reinserting it.

           

          Let me know how your testing goes.

           

          Jamie

          1 of 1 people found this helpful