Deny USB Pen Drives (Full Version)






cmddotexe -> Deny USB Pen Drives (13.May2008 12:13:30 PM)

Hi

I've just started evaluating EndPointSecurity4 for our network, and have a couple of questions.

First of all, I'm trying to allow users to use USB Printers etc, but deny access to all USB pen drives other than those we specifically whitelist.

Initially, I set up a policy to give domain users Access/Read permissions on Printers. That didn't work by itself, so I've also given Access/Read to USB ports, but left Storage Devices unconfigured. That allowed domain users to use USB printers, but also gives full access to USB pens. I then tried explicitly setting a policy for domain users which blocked access to Storage Devices, with no effect.

Is there a simple way to block access to all USB pens while still allowing USB printers/keyboards/mice etc, short of having a default block on USB ports and whitelisting all of the USB printers/keyboards etc that we want to allow (we have a lot of them on site!)? The USB pens I've tried have been SanDisk Cruzer Micro USB (both U3 and non-U3) and show up in Device Manager under both the Disk Drives and Storage Volumes sections.

My other question is regarding Windows safe mode. Is it normal for a user to be able to bypass all restrictions just by booting into safe mode? I'm assuming this is just due to the GFI EP service not getting started. Is there a way to ensure the service starts up even in safe mode?

Thanks
Graham.




imatone -> RE: Deny USB Pen Drives (13.May2008 1:15:57 PM)

I'll let the GFI experts answer your SanDisk Cruzer U3 & non-U3 question, but I've tried safe mode and the answer is nope. GFI endpointagntservice.exe still starts up in Safe mode, including Directory Recovery mode. One way I know, and I'm sure many of us knew or would do, is to boot up from a bootable W2K or WinXP CD or recovery disk and kick into the recovery console. That way you can bypass the EPS agent.




cmddotexe -> RE: Deny USB Pen Drives (14.May2008 5:40:48 AM)

Thanks for the reply - I've just double checked this, and the service did actually start up in safe mode (not sure why I thought it didn't yesterday!), however, the policies don't appear to get enforced.

To test this, I've logged in as a local user account and plugged in a pen drive - access is denied.
I then rebooted the PC into safe mode, logged in as the same user and plugged in the same pen drive - access is permitted.

I know there are other ways to bypass the EPS agent, I was just curious if it was supposed to work while in safe mode.




DrewE -> RE: Deny USB Pen Drives (14.May2008 9:23:45 AM)

Our quality metrics team is currently reviewing this issue. 




imatone -> RE: Deny USB Pen Drives (14.May2008 11:18:25 AM)

Will there be a prize awarded to the individual who could uninstall EPS Agent manually? ;-)




akyr -> RE: Deny USB Pen Drives (19.May2008 10:39:53 AM)


Worse still, policies are not working for "safe mode with networking". Consequently, ALL users can bypass protection, not just administrators in "safe mode".




cmddotexe -> RE: Deny USB Pen Drives (21.May2008 7:07:51 AM)

 
Has there been any progress with this issue?

Thanks.




hilbert -> RE: Deny USB Pen Drives (21.May2008 8:23:20 AM)

We asked support to fix this problem; the answer was that it depends on the Windows OS, which in safe mode doesn't load drivers, EPS included.
In other words... no solution was found and users can upload/download files to USB sticks without being blocked.

Any suggestions?
Thnx





akyr -> RE: Deny USB Pen Drives (17.Jun.2008 2:12:31 AM)

Any news on a solution to this problem?




hilbert -> RE: Deny USB Pen Drives (22.Jun.2008 5:58:40 PM)

Good News.
Yes, it has. Support has released a patch to us to address this and other issues raised during that time.




akyr -> RE: Deny USB Pen Drives (31.Jul.2008 8:45:46 AM)

Excuse me, but WHERE can I get this patch? Thanks




DrewE -> RE: Deny USB Pen Drives (31.Jul.2008 9:16:01 AM)

This patch is currently still in a 'pre-release' status. Although many of our users have tested the patch, and it works successfully, it is important that our quality metrics team know each time the patch is issued to a client. The only way to obtain this patch is to open a support ticket at http://support.gfi.com and request the latest 'End Point Security Agent Patch.' Please be very clear with the symptoms you are seeing in your network when requesting the patch. Upon review, a .zip file will be emailed to you with the latest patch.

Again, this patch will be released with the next build of GFI EndPointSecurity.




akyr -> RE: Deny USB Pen Drives (31.Jul.2008 9:52:07 AM)

Thank you!



