
USB Defender Local Policy Advanced Operation


Updated November 2, 2017

Overview

This article describes additional functionality and options available in the configuration of the USB Defender Local Policy Connector white list file. Beyond adding only the username or the PID of the USB device, there are other fields contained within the Windows Application event log data that can be included in the UDLP white list file.

 

This article covers advanced features only. The steps for initially configuring UDLP are covered in the Configuration article.

Environment

  • LEM, all versions

  • Agents with USB Defender Installed and the USB Defender Local Policy Connector enabled

Detail

USB Defender writes events to the Windows Application Log for parsing via the Windows Application connector and use with the UDLP connector.  Within the Application log event there is additional detail that is not normalized and sent to the LEM, but can be used with the UDLP white list file to create more complex comparisons and a more restricted policy.

 

First, an example of the event:

 

USB Device Found at Service Start
Device ID: USB\VID_08E6&PID_3437\5&2EED174E&0&2
Serial number: 5&2EED174E&0&2
Device name: \\?\usb#vid_08e6&pid_3437#5&2eed174e&0&2#{a5dcbf10-6530-11d2-901f-00c04fb951ed}
Device path: \\?\usb#vid_08e6&pid_3437#5&2eed174e&0&2#{a5dcbf10-6530-11d2-901f-00c04fb951ed}
Friendly name:
Description: USB Smart Card Reader
Manufacturer: Gemplus
Device setup class: SmartCardReader
Setup class guid: {50DD5230-BA8A-11D1-BF5D-0000F805F530}
Capabilities:
    Lock supported: No
    Eject supported: No
    Removable: Yes
    Dock device: No
    Unique ID: No
    Silent install: No
    Raw device ok: No
    Surprise removal ok: Yes
    Hardware disabled: No
    Nondynamic: No
Configurations:
    Disabled: No
    Removed: No
    Manual install: No
    Ignore boot: No
    Net boot: No
    Reinstall: No
    Failed install: No
    Cannot stop a child: No
    Can remove ROM: No
    No remove at exit: No
    Finish install: No
    Needs forced configuration: No
    Partial log configuration: No
Driver software key: {50DD5230-BA8A-11D1-BF5D-0000F805F530}\0000
Service name: GTwinUSB
Device address: 2
Bus number: 0
Bus type guid: {9D7DEBBC-C85D-11D1-9EB4-006008C3A19A}
Device type:
Enumerator name: USB
Legacy bus type: 15
Hardware location: USB SmartCard Reader
Physical device object name: \Device\USBPDO-5
Security descriptor:
Hardware IDs::
    USB\Vid_08e6&Pid_3437&Rev_0100
    USB\Vid_08e6&Pid_3437
Compatible IDs:
    USB\Class_0b&SubClass_00&Prot_00
    USB\Class_0b&SubClass_00
    USB\Class_0b

 

Beyond using simply the username or Device ID (PID) as covered in the Configuration article, additional fields from the event can be used. For example:

 

  • Device ID
  • Serial number
  • Domain
  • User
  • Computer
  • Device setup class

 

UDLP also supports comments. Blank lines and comments are ignored by the tool. A comment line begins with two forward slashes (//). The USB Defender Local Policy also supports operators for more restrictive lists. Each individual line is treated as an OR statement. A line can be turned into a complex line with AND statements by joining its conditions with |&|, as in the examples below:

 

// Allow this specific USB flash drive, and only when the logged-in user is Joe Bigshot

Serial number: 5&2EED174E&0&2|&|User: jbigshot

// All Smart Card Readers are allowed:

Device setup class: SmartCardReader

// Allow all devices when this particular user is logged onto this particular computer

domain: MYNETWORK|&|user: ksmith|&|computer: workstation12

 

USB-Defender automatically detects changes to the White List file and reloads it when the manager distributes an updated file to the agent. The USB-Defender service does not need to be restarted.

 

Note:  The file is sensitive to spacing. Include the property name, colon (:), a space, and then the property value as outlined in the examples above.
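Because a malformed line is easy to miss in a spacing-sensitive file, the following added example (not SolarWinds code) checks a white list against the format described above before it is distributed, and shows how the OR and |&| logic combines. The function names are hypothetical, and the case-insensitive exact matching of names and values is an assumption, not documented behavior of the connector.

```python
import re

# Property names the article lists as examples (not necessarily exhaustive).
LISTED = {"device id", "serial number", "domain", "user", "computer",
          "device setup class"}
# One term: property name, colon, a single space, value; no stray whitespace.
TERM = re.compile(r"^([^\s:](?:[^:]*[^\s:])?): (\S(?:.*\S)?)$")

def parse_whitelist(text):
    """Return (rules, problems); a rule is a list of (name, value) AND terms."""
    rules, problems = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("//"):
            continue  # blank lines and // comments are ignored
        terms = []
        for part in line.split("|&|"):
            m = TERM.match(part)
            if not m:
                problems.append(f"line {lineno}: bad term {part!r}")
                break
            name, value = m.group(1).lower(), m.group(2).lower()
            if name not in LISTED:
                problems.append(f"line {lineno}: unlisted property {name!r}")
            terms.append((name, value))
        else:
            rules.append(terms)  # keep only lines where every term parsed
    return rules, problems

def is_allowed(rules, event):
    """Lines are OR'ed; |&|-joined terms within one line are AND'ed."""
    # Assumption: names and values compare case-insensitively and exactly.
    fields = {k.lower(): v.lower() for k, v in event.items()}
    return any(all(fields.get(n) == v for n, v in rule) for rule in rules)

# Constructed sample: the article's three rules plus one malformed line.
WHITELIST = """\
// Allowed flash drive, only for jbigshot
Serial number: 5&2EED174E&0&2|&|User: jbigshot

Device setup class: SmartCardReader
domain: MYNETWORK|&|user: ksmith|&|computer: workstation12
Serial number:ABC123|&|User: jdoe
"""
# Constructed event; Domain/User/Computer values are assumptions.
EVENT = {"Serial number": "0123456789AB", "Device setup class": "DiskDrive",
         "Domain": "MYNETWORK", "User": "ksmith", "Computer": "workstation12"}

if __name__ == "__main__":
    rules, problems = parse_whitelist(WHITELIST)
    print(problems)
    print("allowed:", is_allowed(rules, EVENT))
```

The constructed event is allowed only through the domain/user/computer line, which places no condition on the device itself; lines like that are the ones to review most carefully when tightening a policy.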

 

 

 
