
Configure the USB Defender Local Policy Connector

Created by Interspire Import, last modified by Justin Rouviere on Aug 11, 2017


Overview

This document describes how to create and configure the USB Defender Local Policy connector on an agent.

The USB Defender Local Policy connector allows an agent to enforce restrictions on USB devices even while the agent is not connected to the manager. Rather than using rules when disconnected, the connector uses a list of permitted users or devices. To do this, the agent compares the fields in all USB device "Attached" events to a locally stored whitelist of users or devices. If none of the fields match an entry on the list, the agent detaches the device.

When the agent is connected to the manager via the network, the manager rule also applies. Any device listed in the local whitelist must therefore also be in the User Defined Group for authorized devices; otherwise the rule takes effect and the device detaches even though it was allowed by the whitelist in the USB Defender local policy. When the agent is connected, both USB Defender Local Policy and the LEM rule are active.

Environment

All LEM versions

Steps

To configure the USB Defender Local Policy connector:

  1. Create a text file with one entry per line.  This file serves as the "local policy."  Each entry can be a username or a USB device ID (from the ExtraneousInfo field of an "Attached" alert).

    Note: Wildcards (*) are implied in the list. To add an entry without the full serial number of the device, enter the ID only up to the PID of the device. For example: USB\VID_0000&PID_0000\ instead of USB\VID_0000&PID_0000\*.

    For advanced configuration options, consult the USB Defender Local Policy Advanced Operation page.
     
  2. In the LEM console, click Nodes from the Manage menu.
  3. Click the gear icon next to the node to be configured and select Connectors.
  4. Enter USB defender in the Refine Results window.
  5. In the Nodes window, select the USB Defender Local Policy connector.  Click its gear icon and click New.
  6. Click the … button next to the Policy field to browse to the text file you created above and upload your list to the connector.
  7. Click the Save button in the UDLP details pane to complete the setup.
  8. When the new connector appears in the Connectors list, click the gear next to it and click Start.

Note: The authorized devices in the local whitelist must also be in the UDG for the manager's Detach Unauthorized USB rule; otherwise the rule on the manager enforces detachment when the laptop is connected to the network. Conversely, if you are using a blacklist and the device is in the USB Local Policy and not in the User Defined Group of the rule, the device still detaches.

Having a device or user in one whitelist or blacklist and not in the other is not recommended and produces inconsistent results.
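The following Python sketch is an added example, not SolarWinds code: it models the whitelist case described above to show why an entry present in the local policy but missing from the User Defined Group is allowed offline and detached once the agent reconnects. The substring reading of the implied wildcards, the `user` field name, and all sample entries are assumptions constructed for illustration.

```python
# Added example: a model of the documented behaviour, not the LEM agent's code.
# Assumption: "implied wildcards" is modelled as a case-insensitive substring match.

def load_entries(text):
    """Parse a policy file: one entry per line, blank lines skipped."""
    return [line.strip() for line in text.splitlines() if line.strip()]

def matches(entries, event):
    """True if any field of an "Attached" event matches any list entry."""
    fields = [str(value).lower() for value in event.values()]
    return any(entry.lower() in field for entry in entries for field in fields)

def decide(local_policy, udg, event, connected):
    """Whitelist outcome: the local policy always applies; the manager rule
    (backed by the User Defined Group) applies too when connected."""
    if not matches(local_policy, event):
        return "detach"
    if connected and not matches(udg, event):
        return "detach"
    return "allow"

def uncovered(local_policy, udg):
    """Local entries with no equal-or-broader UDG entry: these devices or
    users are allowed offline but detached once the agent is connected."""
    return [e for e in local_policy
            if not any(u.lower() in e.lower() for u in udg)]

# Constructed sample data (placeholder IDs, not real devices or users).
LOCAL_POLICY = load_entries(r"""
USB\VID_0000&PID_0000\
USB\VID_1111&PID_2222\SN12345
jsmith
""")
UDG = load_entries(r"""
USB\VID_0000&PID_0000\
""")

# "ExtraneousInfo" is the field named on this page; "user" is a hypothetical name.
EVENT_IN_BOTH = {"ExtraneousInfo": r"USB\VID_0000&PID_0000\ABC999", "user": "alice"}
EVENT_LOCAL_ONLY = {"ExtraneousInfo": r"USB\VID_1111&PID_2222\SN12345", "user": "alice"}

if __name__ == "__main__":
    for entry in uncovered(LOCAL_POLICY, UDG):
        print("In local policy but not covered by UDG:", entry)
    for connected in (False, True):
        print("connected =", connected,
              decide(LOCAL_POLICY, UDG, EVENT_LOCAL_ONLY, connected))
```

Running `uncovered` against the policy file before uploading it in step 6 lists the entries that would behave differently on and off the network.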
