
Prevent USB File Transfers

Using USB Defender, I would like to be able to Eject/Disable a USB Thumb Drive, any USB Thumb drive (i.e. we whitelist ALL USB Thumb Drives) once a User attempts to copy either:

A) Certain File (i.e. by File Name or Extension Type)

B) File Size or total File Size (i.e. a User tries to copy over X MBytes). So for instance, if a user only copies 10MBytes to the USB Drive that is acceptable, but if one attempts to copy anything over 100MBytes, it triggers the Rule

Has anybody written a Rule to do this or is it even possible?

Any help would be appreciated.

  • FormerMember

    You can do A for sure. Your rule would look something like (using the "File Audit Alerts" alert group):

    File Audit Alerts.FileName = <name or extension - e.g. *.exe or *importantstuff.txt>

    AND

    File Audit Alerts.ProviderSID = *USB-Defender*

    If you check out the USB File Auditing filter in your Console you can see what the file audit events look like. You can also add criteria like the username or system type (maybe you allow it on servers or from admins but not on workstations or regular users). You might also want to refine it to just the type of File Audit events you're interested in, like only copy or move or remove events and not read events.

    For B, I think you'd have to go by quantity of files, we're not tracking the actual sizes today. You could do something like:

    File Audit Alerts.ProviderSID = *USB-Defender*

    Threshold: 10 in 1 minute

    Same SourceAccount

    Same SourceMachine

    That would monitor for the same user on the same machine accessing more than 10 files in 1 minute. You might want to refine it just to copy or move or remove events so you don't just get the "read" events.

    There's a default rule that does the excessive file copies thing, check out Build > Rules, navigate to NATO5 Rules > Agent-Based > USB Defender or search for "USB".
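The two rules sketched in the reply above, rendered as an added stand-alone example (this is not LEM's rule engine and not code from the original thread): rule A is a file-name/extension match restricted to events whose provider looks like USB-Defender, and rule B is the "10 in 1 minute, same SourceAccount, same SourceMachine" threshold implemented as a sliding window. The event field names (`FileName`, `ProviderSID`, `SourceAccount`, `SourceMachine`, `EventType`), the event-type values, and the sample events are all constructed for the example and are assumptions about what the USB File Audit events contain. Both rules skip read events, as the reply recommends, so that bulk reads do not trip the threshold.

```python
import fnmatch
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Event types treated as "copy-like" (hypothetical names; LEM's own event
# types may differ). Read events are deliberately excluded.
COPY_LIKE = {"FileCopy", "FileMove", "FileDelete"}

BASE = datetime(2024, 1, 15, 9, 0, 0)


def _ev(secs, account, machine, name, etype, provider="USB-Defender"):
    """Build one constructed file-audit event `secs` seconds after BASE."""
    return {"time": BASE + timedelta(seconds=secs), "SourceAccount": account,
            "SourceMachine": machine, "FileName": name, "EventType": etype,
            "ProviderSID": provider}


# Constructed sample stream: alice bursts 12 copies to a USB drive in ~25 s,
# bob copies two files (one matching each of rule A's patterns), and carol
# copies a file reported by a non-USB provider that neither rule should see.
SAMPLE_EVENTS = (
    [_ev(0, "alice", "WS01", "E:\\notes.txt", "FileRead")]
    + [_ev(2 * i + 1, "alice", "WS01", f"E:\\doc{i}.docx", "FileCopy")
       for i in range(12)]
    + [_ev(5, "bob", "WS02", "F:\\payroll.xlsx", "FileCopy")]
    + [_ev(8, "bob", "WS02", "F:\\setup.exe", "FileCopy")]
    + [_ev(30, "carol", "WS03", "C:\\Users\\carol\\local.docx", "FileCopy",
           provider="Windows-Security")]
)


def provider_is_usb(event):
    """Equivalent of `File Audit Alerts.ProviderSID = *USB-Defender*`."""
    return fnmatch.fnmatchcase(event["ProviderSID"], "*USB-Defender*")


def rule_a_matches(event, patterns):
    """Rule A: copy-like USB event whose file name matches any glob pattern.

    Patterns use the same wildcard style as the reply (*.exe, *payroll*).
    Matching is case-insensitive, since Windows file names are.
    """
    if not provider_is_usb(event) or event["EventType"] not in COPY_LIKE:
        return False
    name = event["FileName"].lower()
    return any(fnmatch.fnmatchcase(name, p.lower()) for p in patterns)


def run_rule_a(events, patterns=("*.exe", "*payroll*")):
    """Return the file names of every event that trips rule A."""
    return [e["FileName"] for e in events if rule_a_matches(e, patterns)]


def run_rule_b(events, threshold=10, window=timedelta(minutes=1)):
    """Rule B: more than `threshold` copy-like USB events from the same
    account on the same machine inside `window` (sliding, per key)."""
    recent = defaultdict(deque)   # (account, machine) -> recent timestamps
    alerts = []
    for e in sorted(events, key=lambda e: e["time"]):
        if not provider_is_usb(e) or e["EventType"] not in COPY_LIKE:
            continue
        key = (e["SourceAccount"], e["SourceMachine"])
        q = recent[key]
        q.append(e["time"])
        # Drop timestamps that have aged out of the window.
        while q and e["time"] - q[0] > window:
            q.popleft()
        if len(q) > threshold:
            alerts.append({"account": key[0], "machine": key[1],
                           "count": len(q), "at": e["time"]})
            q.clear()  # one burst yields one alert instead of one per file
    return alerts


if __name__ == "__main__":
    print("Rule A hits:", run_rule_a(SAMPLE_EVENTS))
    for a in run_rule_b(SAMPLE_EVENTS):
        print(f"Rule B: {a['account']}@{a['machine']} copied {a['count']} "
              f"files within a minute (at {a['at']:%H:%M:%S})")
```

The `q.clear()` after an alert is a design choice: without it, every further copy in the same burst would re-fire the rule. Note also that, as the reply says, this counts files rather than bytes, so a single very large copy never trips rule B, and that both rules only fire once the audit events arrive, which is after the copy has started rather than before it.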