4 Replies Latest reply on Jun 14, 2017 10:21 AM by mattbaer

    LEM external powered USB HD


      We have a white list for approved devices. It works great for only allowing the approved Blu-Ray/DVD/CD burners, thumb drives, and USB floppy drives. If it is not on the appoved list the device is ejected, a message pops up "This USB device is not approved" and an email is sent to security. But if a external powered USB HD is plug in to the system LEM does not block it. The drive works. Can copy files to and from. Does LEM not treat external powered USB HD the same as thumb or burners? One of the drives that works with out being on the approved list is a Lacie Rugged Mobile Storage. i removed all devices from the approved list. Just to make sure I didn't have a typo that might allow the device. Doing this stopped the approved devices from working with the "This USB device is not approved" message. This verified that LEM is working with the exception of external powered USB HD.


      Thanks for any help.

        • Re: LEM external powered USB HD

          I would look at your Windows Application Event log for USB Defender events.  USB Defender will log to the Windows Application Event log everything that is told is seen by the operating system.  Inside that message is a ton of details that may lead you down the path as to why it is still being accepted.  Perhaps it is coming up as a HID or something else.  Unfortunately what is reported by Windows about a device is completely dependent on what the manufacture says the device is, so they could say a mass storage device is a HID (like a mouse).

          • Re: LEM external powered USB HD

            Is shows up as a Rugged Raid under HD also shows up as a Portable Device under device manager. Under Application event log I see an event source TriGeo UBS-Defender. USB Device Attached Device ID, Serial number, Device name \\ pid_number, Description: USB Mass Storage Device.


            That is showing USB-Defender is seeing it and allowing it to work. right?

              • Re: LEM external powered USB HD

                I think there are two critical things to understand about USB Defender:


                The first is, USB Defender doesn't allow or disallow devices to work on a system in and of itself.  All USB Defender does is improve the native Windows logging around USB devices, and add those logs (like the one you saw) to the Event logs so the LEM Agent can read the logs and send them to the LEM appliance for correlation.


                Second, USB Defender notices and creates logs for ALL USB Devices.  Keyboards, drives, etc.


                LEM (by way of USB Defender) only looks for and takes action against devices that have the "Mass Storage" descriptor, like this one:


                2017-06-14 07_49_03-USB Mass Storage Device Properties.png


                I also have a Western Digital MyBook plugged into the same system, and it does not have a Mass Storage tag.  It shows up as a disk drive, along with my RAID and NVMe controllers.  Obviously, having LEM disable or detach disk drives would be a bit of a problem.  As wolram said, these tags are assigned (sometimes arbitrarily) by vendors, so not much we can do about that.

                2 of 2 people found this helpful