This discussion has been locked. The information referenced herein may be inaccurate due to age, software updates, or external references.
You can no longer post new replies to this discussion. If you have a similar question you can start a new discussion in this forum.

Whitelist specific USB Device model - LEM

We have a specific model of USB device that we are trying to whitelist for one of our networks. We have used the pre-defined rule and added the ExtraneousInfo which is USB\VID.....etc and confirms it works on that machine. However when the same device is plugged into another machine it picks up different info and is blocked.

How do we allow this model to be whitelisted for all devices? I don't mind having to add all the USB devices into the whitelist, but it's not going to help if they can only be used on the machine they were connected into to pick up the ExtraneousInfo?

Help please!

Thanks

  • So here's some samples from my lab:

    Event NameEventInfoInsertionIPManagerDetectionIPInsertionTimeDetectionTimeProviderSIDExtraneousInfo
    SystemStatusDetached "Port_#0001.Hub_#0001" (SAMSUNG Mobile USB Composite Device )CINGRAM-LT.tul.solarwinds.netcing-lehi-managerCINGRAM-LT.tul.solarwinds.netMon Oct 6 09:10:34 GMT-0600 2014Mon Oct 6 09:10:34 GMT-0600 2014USB-Defender 32004USB\VID_04E8&PID_685E\2339BE75
    SystemStatusAttached "Port_#0001.Hub_#0001" (SAMSUNG Mobile USB Composite Device )CINGRAM-LT.tul.solarwinds.netcing-lehi-managerCINGRAM-LT.tul.solarwinds.netMon Oct 6 09:10:34 GMT-0600 2014Mon Oct 6 09:10:34 GMT-0600 2014USB-Defender 32003USB\VID_04E8&PID_6860\2339BE75
    SystemStatusAttached "Port_#0001.Hub_#0001" (SAMSUNG Mobile USB Composite Device )CINGRAM-LT.tul.solarwinds.netcing-lehi-managerCINGRAM-LT.tul.solarwinds.netMon Oct 6 09:10:04 GMT-0600 2014Mon Oct 6 09:10:03 GMT-0600 2014USB-Defender 32003USB\VID_04E8&PID_685E\2339BE75
    SystemStatusAttached "Port_#0002.Hub_#0005" (Logitech USB Camera (HD Webcam C270))CINGRAM-LT.tul.solarwinds.netcing-lehi-managerCINGRAM-LT.tul.solarwinds.netMon Oct 6 09:09:18 GMT-0600 2014Mon Oct 6 09:09:18 GMT-0600 2014USB-Defender 32009

    USB\VID_046D&PID_0825\05D0CF60

    This is me attaching my cell-phone and a web-cam to a machine.  You'll notice that the Extraneous Info is the unique IDs for the device.  Let's look at those:

    USB\VID_04E8&PID_685E\2339BE75


    USB -  Pretty obvious, right?  It's a USB device

    VID_04E8 - This is a vendor ID for Samsung.  Samsung may have more than one, but for this type of device, this is it.

    PID_685E - This is a product ID for the Galaxy Note 3

    2339BE75 - This is the unique ID (like a MAC) for MY Galaxy Note 3


    So applying this to a white-list:


    If your whitelist has this......you're allowing this
    USB\VID_04E8&PID_685E\2339BE75My particular Samsung Galaxy Note 3
    USB\VID_04E8&PID_685E\*Any Samsung Galaxy Note 3
    USB\VID_04E8&*Any Samsung device
    USB\*Why do you even have USB defender?