I would look at your Windows Application Event log for USB Defender events. USB Defender will log to the Windows Application Event log everything that is told is seen by the operating system. Inside that message is a ton of details that may lead you down the path as to why it is still being accepted. Perhaps it is coming up as a HID or something else. Unfortunately what is reported by Windows about a device is completely dependent on what the manufacture says the device is, so they could say a mass storage device is a HID (like a mouse).
Is shows up as a Rugged Raid under HD also shows up as a Portable Device under device manager. Under Application event log I see an event source TriGeo UBS-Defender. USB Device Attached Device ID, Serial number, Device name \\ pid_number, Description: USB Mass Storage Device.
That is showing USB-Defender is seeing it and allowing it to work. right?
2 of 2 people found this helpful
I think there are two critical things to understand about USB Defender:
The first is, USB Defender doesn't allow or disallow devices to work on a system in and of itself. All USB Defender does is improve the native Windows logging around USB devices, and add those logs (like the one you saw) to the Event logs so the LEM Agent can read the logs and send them to the LEM appliance for correlation.
Second, USB Defender notices and creates logs for ALL USB Devices. Keyboards, drives, etc.
LEM (by way of USB Defender) only looks for and takes action against devices that have the "Mass Storage" descriptor, like this one:
I also have a Western Digital MyBook plugged into the same system, and it does not have a Mass Storage tag. It shows up as a disk drive, along with my RAID and NVMe controllers. Obviously, having LEM disable or detach disk drives would be a bit of a problem. As wolram said, these tags are assigned (sometimes arbitrarily) by vendors, so not much we can do about that.