• State Not Answered
  • Locked Locked
  • Replies 4 replies
  • Subscribers 22 subscribers
  • Views 436 views
  • Users 0 members are here
Options
Related
This discussion has been locked. The information referenced herein may be inaccurate due to age, software updates, or external references.
You can no longer post new replies to this discussion. If you have a similar question you can start a new discussion in this forum.

LEM external powered USB HD

mattbaer

We have a white list for approved devices. It works great for only allowing the approved Blu-Ray/DVD/CD burners, thumb drives, and USB floppy drives. If it is not on the appoved list the device is ejected, a message pops up "This USB device is not approved" and an email is sent to security. But if a external powered USB HD is plug in to the system LEM does not block it. The drive works. Can copy files to and from. Does LEM not treat external powered USB HD the same as thumb or burners? One of the drives that works with out being on the approved list is a Lacie Rugged Mobile Storage. i removed all devices from the approved list. Just to make sure I didn't have a typo that might allow the device. Doing this stopped the approved devices from working with the "This USB device is not approved" message. This verified that LEM is working with the exception of external powered USB HD.

Thanks for any help.

  • 0

    I would look at your Windows Application Event log for USB Defender events.  USB Defender will log to the Windows Application Event log everything that is told is seen by the operating system.  Inside that message is a ton of details that may lead you down the path as to why it is still being accepted.  Perhaps it is coming up as a HID or something else.  Unfortunately what is reported by Windows about a device is completely dependent on what the manufacture says the device is, so they could say a mass storage device is a HID (like a mouse).

  • 0

    Is shows up as a Rugged Raid under HD also shows up as a Portable Device under device manager. Under Application event log I see an event source TriGeo UBS-Defender. USB Device Attached Device ID, Serial number, Device name \\ pid_number, Description: USB Mass Storage Device.

    That is showing USB-Defender is seeing it and allowing it to work. right?

  • 0 in reply to mattbaer

    I think there are two critical things to understand about USB Defender:

    The first is, USB Defender doesn't allow or disallow devices to work on a system in and of itself.  All USB Defender does is improve the native Windows logging around USB devices, and add those logs (like the one you saw) to the Event logs so the LEM Agent can read the logs and send them to the LEM appliance for correlation.

    Second, USB Defender notices and creates logs for ALL USB Devices.  Keyboards, drives, etc.

    LEM (by way of USB Defender) only looks for and takes action against devices that have the "Mass Storage" descriptor, like this one:

    2017-06-14 07_49_03-USB Mass Storage Device Properties.png

    I also have a Western Digital MyBook plugged into the same system, and it does not have a Mass Storage tag.  It shows up as a disk drive, along with my RAID and NVMe controllers.  Obviously, having LEM disable or detach disk drives would be a bit of a problem.  As wolram​ said, these tags are assigned (sometimes arbitrarily) by vendors, so not much we can do about that.

SolarWinds solutions are rooted in our deep connection to our user base in the THWACK® online community. More than 195,000 members are here to solve problems, share technology and best practices, and directly contribute to our product development process.

SolarWinds Customer Success Center Certification Media Vault Link Accounts
About THWACK Blogs For Government Edit Settings Free Tools & Trials
Legal Documents Terms of Use Privacy California Privacy Rights Security Information
©2024 SolarWinds Worldwide, LLC. All Rights Reserved.