1 Reply Latest reply on Oct 6, 2014 10:20 AM by curtisi

    Whitelist specific USB Device model - LEM

    lufffunk

      We have a specific model of USB device that we are trying to whitelist for one of our networks. We have used the pre-defined rule and added the ExtraneousInfo which is USB\VID.....etc and confirms it works on that machine. However when the same device is plugged into another machine it picks up different info and is blocked.

       

      How do we allow this model to be whitelisted for all devices? I don't mind having to add all the USB devices into the whitelist, but it's not going to help if they can only be used on the machine they were connected into to pick up the ExtraneousInfo?

       

      Help please!

       

      Thanks

        • Re: Whitelist specific USB Device model - LEM
          curtisi

          So here's some samples from my lab:

           

          Event NameEventInfoInsertionIPManagerDetectionIPInsertionTimeDetectionTimeProviderSIDExtraneousInfo
          SystemStatusDetached "Port_#0001.Hub_#0001" (SAMSUNG Mobile USB Composite Device )CINGRAM-LT.tul.solarwinds.netcing-lehi-managerCINGRAM-LT.tul.solarwinds.netMon Oct 6 09:10:34 GMT-0600 2014Mon Oct 6 09:10:34 GMT-0600 2014USB-Defender 32004USB\VID_04E8&PID_685E\2339BE75
          SystemStatusAttached "Port_#0001.Hub_#0001" (SAMSUNG Mobile USB Composite Device )CINGRAM-LT.tul.solarwinds.netcing-lehi-managerCINGRAM-LT.tul.solarwinds.netMon Oct 6 09:10:34 GMT-0600 2014Mon Oct 6 09:10:34 GMT-0600 2014USB-Defender 32003USB\VID_04E8&PID_6860\2339BE75
          SystemStatusAttached "Port_#0001.Hub_#0001" (SAMSUNG Mobile USB Composite Device )CINGRAM-LT.tul.solarwinds.netcing-lehi-managerCINGRAM-LT.tul.solarwinds.netMon Oct 6 09:10:04 GMT-0600 2014Mon Oct 6 09:10:03 GMT-0600 2014USB-Defender 32003USB\VID_04E8&PID_685E\2339BE75
          SystemStatusAttached "Port_#0002.Hub_#0005" (Logitech USB Camera (HD Webcam C270))CINGRAM-LT.tul.solarwinds.netcing-lehi-managerCINGRAM-LT.tul.solarwinds.netMon Oct 6 09:09:18 GMT-0600 2014Mon Oct 6 09:09:18 GMT-0600 2014USB-Defender 32009

          USB\VID_046D&PID_0825\05D0CF60

           

          This is me attaching my cell-phone and a web-cam to a machine.  You'll notice that the Extraneous Info is the unique IDs for the device.  Let's look at those:

           

          USB\VID_04E8&PID_685E\2339BE75


          USB -  Pretty obvious, right?  It's a USB device

          VID_04E8 - This is a vendor ID for Samsung.  Samsung may have more than one, but for this type of device, this is it.

          PID_685E - This is a product ID for the Galaxy Note 3

          2339BE75 - This is the unique ID (like a MAC) for MY Galaxy Note 3


          So applying this to a white-list:


           

          If your whitelist has this......you're allowing this
          USB\VID_04E8&PID_685E\2339BE75My particular Samsung Galaxy Note 3
          USB\VID_04E8&PID_685E\*Any Samsung Galaxy Note 3
          USB\VID_04E8&*Any Samsung device
          USB\*Why do you even have USB defender?