
Configure the USB Defender Local Policy Connector

Created by Interspire Import, last modified by Justin Rouviere on Aug 11, 2017



This document describes how to create and configure the USB Defender Local Policy connector on an agent.

The USB Defender Local Policy connector allows an agent to enforce restrictions on USB devices even while the agent is not connected to the manager. Rather than using rules when disconnected, the connector uses a list of permitted users or devices. To do this, the agent compares the fields in all USB device "Attached" events to a locally stored whitelist of users or devices. If none of the fields match an entry on the list, the agent detaches the device.

When the agent is connected to the manager via the network, both the USB Defender Local Policy and the LEM rule are active, so the manager rule also applies. Any device listed in the local whitelist must therefore also be in the User Defined Group for authorized devices. Otherwise the rule takes effect and the device detaches even though it was allowed by the whitelist in the USB Defender local policy.


All LEM versions


To configure the USB Defender Local Policy connector:

  1. Create a text file with one entry per line. This file serves as the "local policy." Each entry can be a username or a USB device ID (from the ExtraneousInfo field of an "Attached" alert).

    Note: Wildcards (*) are implied in the list. To add an entry without the full serial number of the device, enter the device ID only up to the PID. For example: USB\VID_0000&PID_0000\ instead of USB\VID_0000&PID_0000\*.

    For advanced configuration options, consult the USB Defender Local Policy Advanced Operation page.
  2. In the LEM console, click Nodes from the Manage menu.
  3. Click the gear icon next to the node to be configured and select Connectors.
  4. Enter USB defender in the Refine Results window.
  5. In the Nodes window, select the USB Defender Local Policy connector.  Click its gear icon and click New.
  6. Click the … button next to the Policy field to browse to the text file you created above and upload your list to the connector.
  7. Click the Save button in the UDLP details pane to complete the setup.
  8. When the new connector appears in the Connectors list, click the gear next to it and click Start.

Note: The authorized devices in the local whitelist must also be in the UDG for the manager's Detach Unauthorized USB rule, or the rule on the manager enforces detachment when the laptop is connected to the network. Conversely, if you are using a blacklist and the device is in the USB Local Policy and not in the User Defined Group of the rule, the device still detaches.

Having a device or user in one whitelist or blacklist and not in the other is not recommended and produces inconsistent behavior.
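
The following script is an added example, not SolarWinds code: it lints a local policy file for explicit wildcards and reports entries that appear in only one of the local policy and the manager-side User Defined Group. It assumes both lists are available as plain text with one entry per line and models the implied wildcard as a case-insensitive prefix match; the function names and sample entries are constructed for illustration.

```python
"""Lint a USB Defender local policy list and compare it with the manager-side UDG list."""

def load_entries(text):
    """Return non-empty, stripped lines: one username or USB device ID per line."""
    return [line.strip() for line in text.splitlines() if line.strip()]

def lint_policy(entries):
    """Flag entries containing an explicit '*', since wildcards are implied."""
    return [e for e in entries if "*" in e]

def covers(entry, value):
    # ASSUMPTION: the implied wildcard is modelled as a case-insensitive prefix match.
    return value.lower().startswith(entry.lower())

def is_permitted(event_fields, policy):
    """A device stays attached if any "Attached" event field matches any policy entry."""
    return any(covers(e, f) for e in policy for f in event_fields)

def uncovered(source, other):
    """Entries in `source` that no entry in `other` covers."""
    return [s for s in source if not any(covers(o, s) for o in other)]

def compare(local_policy, udg):
    """Report entries present on one side only, the inconsistent state to avoid."""
    return {"local_only": uncovered(local_policy, udg),
            "udg_only": uncovered(udg, local_policy)}

# Constructed sample data (not real device IDs or accounts).
LOCAL_POLICY = """\
USB\\VID_0000&PID_0000\\
USB\\VID_1111&PID_2222\\SERIAL0001
USB\\VID_3333&PID_4444\\*
jsmith
"""
UDG = """\
USB\\VID_0000&PID_0000\\
jsmith
USB\\VID_5555&PID_6666\\
"""

if __name__ == "__main__":
    policy, udg = load_entries(LOCAL_POLICY), load_entries(UDG)
    print("explicit wildcards:", lint_policy(policy))
    print("mismatches:", compare(policy, udg))
    print("permitted:", is_permitted(["USB\\VID_0000&PID_0000\\ABC123", "guest"], policy))
```

Entries reported under `local_only` are permitted offline but would detach when the agent reconnects to the manager.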


