1 Reply Latest reply on Oct 19, 2012 3:47 PM by nicole pauls

    Prevent USB File Transfers

    routethis

      Using USB Defender, I would like to be able to Eject/Disable a USB Thumb Drive, any USB Thumb drive (i.e. we whitelist ALL USB Thumb Drives) once a User attempts to copy either:


      A) Certain File (i.e. by File Name or Extension Type)

      B) File Size or total File Size (i.e. a User tries to copy over X MBytes). So for instance, if a user only copies 10MBytes to the USB Drive that is acceptable, but if one attempts to copy anything over 100MBytes, it triggers the Rule


      Has anybody written a Rule to do this or is it even possible?


      Any help would be appreciated.

        • Re: Prevent USB File Transfers
          nicole pauls

          You can do A for sure. Your rule would look something like (using the "File Audit Alerts" alert group):


          File Audit Alerts.FileName = <name or extension - e.g. *.exe or *importantstuff.txt>

          AND

          File Audit Alerts.ProviderSID = *USB-Defender*


          If you check out the USB File Auditing filter in your Console you can see what the file audit events look like. You can also add criteria like the username or system type (maybe you allow it on servers or from admins but not on workstations or regular users). You might also want to refine it to just the type of File Audit events you're interested in, like only copy or move or remove events and not read events.


          For B, I think you'd have to go by quantity of files; we're not tracking the actual sizes today. You could do something like:


          File Audit Alerts.ProviderSID = *USB-Defender*

          Threshold: 10 in 1 minute

          Same SourceAccount

          Same SourceMachine


          That would monitor for the same user on the same machine accessing more than 10 files in 1 minute. You might want to refine it just to copy or move or remove events so you don't just get the "read" events.


          There's a default rule that does the excessive file copies thing; check out Build > Rules, navigate to NATO5 Rules > Agent-Based > USB Defender or search for "USB".
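The two rule sketches in the reply above, rule A (file name pattern AND provider) and rule B (threshold of N events in one minute, same account, same machine), evaluated in Python against constructed file-audit events. This is an added example and not code from LEM, USB Defender, or anyone in the thread. The field names FileName, ProviderSID, SourceAccount and SourceMachine come from the reply; the EventType and Timestamp fields, the sample event values, case-insensitive glob matching, and resetting the counter after a threshold fires are assumptions made for illustration.

```python
"""Added example: evaluate the USB Defender rule ideas from the thread
against constructed file-audit events. Not LEM's own code or rule engine."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from fnmatch import fnmatchcase

# Constructed base timestamp for the sample events (assumption).
BASE = datetime(2012, 10, 19, 15, 0, 0)


def _ev(seconds, account, machine, provider, event_type, filename):
    """Build one constructed file-audit event; EventType/Timestamp are assumed fields."""
    return {
        "Timestamp": BASE + timedelta(seconds=seconds),
        "SourceAccount": account,
        "SourceMachine": machine,
        "ProviderSID": provider,
        "EventType": event_type,
        "FileName": filename,
    }


# Constructed sample events, not real USB Defender output.
SAMPLE_EVENTS = (
    # alice copies 11 photos plus a spreadsheet to a thumb drive within 24 seconds
    [_ev(i * 2, "alice", "WKS-01", "USB-Defender", "copy", f"E:\\photo_{i:02d}.jpg")
     for i in range(11)]
    + [_ev(24, "alice", "WKS-01", "USB-Defender", "copy", "E:\\payroll.xlsx")]
    # a read event from alice: should not count toward the copy threshold
    + [_ev(30, "alice", "WKS-01", "USB-Defender", "read", "E:\\readme.txt")]
    # bob copies a single executable to a thumb drive
    + [_ev(40, "bob", "WKS-02", "USB-Defender", "copy", "F:\\tool.exe")]
    # a copy on the local disk reported by a different provider: out of scope
    + [_ev(45, "carol", "WKS-03", "Windows-Security", "copy", "C:\\temp\\tool.exe")]
)


def glob(value, pattern):
    """Case-insensitive wildcard match, like '*.exe' or '*USB-Defender*' (assumption)."""
    return fnmatchcase(value.lower(), pattern.lower())


def rule_a(events, name_pattern, provider_pattern="*USB-Defender*"):
    """Rule A: FileName matches the pattern AND ProviderSID matches *USB-Defender*."""
    return [e for e in events
            if glob(e["FileName"], name_pattern) and glob(e["ProviderSID"], provider_pattern)]


def rule_b(events, threshold=10, window=timedelta(minutes=1),
           provider_pattern="*USB-Defender*", event_types=("copy", "move", "remove")):
    """Rule B: `threshold` USB-Defender events within `window`, grouped by
    (SourceAccount, SourceMachine). Read events are excluded by default, as the
    reply suggests. The per-key window is cleared after an alert fires so one
    burst produces one alert (assumption about correlation behaviour)."""
    windows = defaultdict(deque)
    alerts = []
    for e in sorted(events, key=lambda ev: ev["Timestamp"]):
        if not glob(e["ProviderSID"], provider_pattern) or e["EventType"] not in event_types:
            continue
        key = (e["SourceAccount"], e["SourceMachine"])
        q = windows[key]
        q.append(e["Timestamp"])
        # drop timestamps that have fallen out of the sliding window
        while q and e["Timestamp"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            alerts.append({"SourceAccount": key[0], "SourceMachine": key[1],
                           "FiredAt": e["Timestamp"], "Count": len(q)})
            q.clear()
    return alerts


if __name__ == "__main__":
    for hit in rule_a(SAMPLE_EVENTS, "*.exe"):
        print("rule A:", hit["SourceAccount"], hit["FileName"])
    for alert in rule_b(SAMPLE_EVENTS):
        print("rule B:", alert)
```

With these samples, rule A on `*.exe` returns only bob's copy (carol's event has the wrong provider), and rule B fires once for alice on WKS-01 at her tenth copy event; her read event and bob's single copy never reach the threshold. Raising the threshold above alice's 12 copies produces no alert at all, which is the tuning knob the reply's "10 in 1 minute" setting corresponds to.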