Submit a ticketCall us

Get a crash course on Network Monitoring delivered right to your inbox
This free 7-day email course provides a primer to the philosophy, theory, and fundamental concepts involved in IT monitoring. Lessons will explain not only how to perform various monitoring tasks, but why and when you should use them. Sign up now.

Home > Success Center > Log & Event Manager (LEM) > SolarWinds LEM 6.3 User Guide > Additional LEM Configuration and Troubleshooting Information > Configuring the USB Defender Local Policy Connector on an Agent

Configuring the USB Defender Local Policy Connector on an Agent

Table of contents
No headers
Created by Caroline Juszczak, last modified by Steve.Hawkins on Sep 13, 2016

Views: 42 Votes: 1 Revisions: 10

The USB Defender Local Policy connector enables an agent to enforce restrictions on USB devices, even when the agent is not connected to the manager. Instead of using rules when disconnected, the connector uses a list of permitted users or devices.


The agent compares the fields in all USB device attached events to a locally stored white list of users or devices. If none of the fields match an entry on the list, the agent detaches the device.

When the agent is connected to the manager through the network, the manager rule also applies. Any devices listed in the local white list must be in the User Defined Group for authorized devices. Otherwise, the rule takes effect and the device detaches even though it was allowed by the white list in the USB Defender local policy.

When the agent is connected, the USB Defender Local Policy and the LEM rule are active.

  1. Create a text file with one entry per line.

    This file serves as the local policy. Each entry can be a user name or a USB device ID, from the Extraneous Info field of an attached alert.

    Wildcards are implied in the list. USB Defender will match partial strings by default. Adding a wildcard (*) to the list will be matched as a string and will not match the intended data

  2. In the LEM console, click Manage > Nodes.
  3. Click File:Success_Center/Reusable_content_-_InfoDev/LEMUserGuide_MT/0E0/0E0/Button-Gear_16x13.png next to the target node and select Connectors.
  4. Enter USB defender in the Refine Results window.
  5. In the Connectors grid, locate the USB Defender Local Policy connector.
  6. Click File:Success_Center/Reusable_content_-_InfoDev/LEMUserGuide_MT/0E0/0E0/Button-Gear_16x13.png next to the connector and select New.
  7. Click the ellipsis in the UDLP pane and locate the text file you created above.
  8. Upload your list to the connector, and then click Save.
  9. When the new connector appears in the Connectors list, click File:Success_Center/Reusable_content_-_InfoDev/LEMUserGuide_MT/0E0/0E0/Button-Gear_14x11.png and select Start.

The authorized devices in the local white list must also be in the UDG for manager Detach Unauthorized USB rule or the rule on the manager enforces detachment when the laptop is connected to the network. In reverse, if you are using a blacklist and the device is in the USB Local Policy and not in the User Defined Group of the rule, the device still detaches.

Having a device or user in one white list or black list and not in the other is not recommended and yields inconsistent results.


Last modified
14:53, 13 Sep 2016