
USB Defender Local Policy Advanced Operation

Updated November 2, 2017

Overview

This article describes additional functionality and options available in the configuration of the USB Defender Local Policy Connector white list file. Beyond adding only the username or the PID of the USB device, there are other fields contained within the Windows Application event log data that can be included in the UDLP white list file.

 

This article covers advanced features only. The steps for initially configuring UDLP are covered in the configuration article.

Environment

  • LEM, all versions

  • Agents with USB Defender Installed and the USB Defender Local Policy Connector enabled

Detail

USB Defender writes events to the Windows Application Log, where they are parsed by the Windows Application connector and used by the UDLP connector. The Application log event also contains additional detail that is not normalized or sent to LEM, but that can be used in the UDLP white list file to create more complex comparisons and a more restrictive policy.

 

First, an example of the event:

 

USB Device Found at Service Start
Device ID: USB\VID_08E6&PID_3437\5&2EED174E&0&2
Serial number: 5&2EED174E&0&2
Device name: \\?\usb#vid_08e6&pid_3437#5&2eed174e&0&2#{a5dcbf10-6530-11d2-901f-00c04fb951ed}
Device path: \\?\usb#vid_08e6&pid_3437#5&2eed174e&0&2#{a5dcbf10-6530-11d2-901f-00c04fb951ed}
Friendly name:
Description: USB Smart Card Reader
Manufacturer: Gemplus
Device setup class: SmartCardReader
Setup class guid: {50DD5230-BA8A-11D1-BF5D-0000F805F530}
Capabilities:
    Lock supported: No
    Eject supported: No
    Removable: Yes
    Dock device: No
    Unique ID: No
   Silent install: No
    Raw device ok: No
    Surprise removal ok: Yes
    Hardware disabled: No
    Nondynamic: No
Configurations:
    Disabled: No
    Removed: No
    Manual install: No
    Ignore boot: No
    Net boot: No
    Reinstall: No
    Failed install: No
    Cannot stop a child: No
    Can remove ROM: No
    No remove at exit: No
    Finish install: No
    Needs forced configuration: No
    Partial log configuration: No
Driver software key: {50DD5230-BA8A-11D1-BF5D-0000F805F530}\0000
Service name: GTwinUSB
Device address: 2
Bus number: 0
Bus type guid: {9D7DEBBC-C85D-11D1-9EB4-006008C3A19A}
Device type:
Enumerator name: USB
Legacy bus type: 15
Hardware location: USB SmartCard Reader
Physical device object name: \Device\USBPDO-5
Security descriptor:
Hardware IDs::
    USB\Vid_08e6&Pid_3437&Rev_0100
    USB\Vid_08e6&Pid_3437
Compatible IDs:
    USB\Class_0b&SubClass_00&Prot_00
    USB\Class_0b&SubClass_00
    USB\Class_0b

 

Beyond using simply the username or Device ID (PID) as covered in the Configuration article, additional fields from the event can be used. For example:

 

  • Device ID
  • Serial number
  • Domain
  • User
  • Computer
  • Device setup class

 

UDLP also supports comments. A comment line begins with two forward slashes (//). The tool ignores blank lines and comments.

USB Defender Local Policy also supports operators for more restrictive lists. Each individual line is treated as an OR statement. A line can be turned into a complex line with AND statements by joining its conditions with |&|, as in the examples below:

 

// Allow a specific USB flash drive, and only when the logged-in user is Joe Bigshot

Serial number: 5&2EED174E&0&2|&|User: jbigshot

// All Smart Card Readers are allowed:

Device setup class: SmartCardReader

// Allow all devices when this particular user is logged onto this particular computer

domain: MYNETWORK|&|user: ksmith|&|computer: workstation12

 

USB-Defender automatically detects changes to the White List file and reloads it when the manager distributes an updated file to the agent. The USB-Defender service does not need to be restarted.

 

Note:  The file is sensitive to spacing. Include the property name, colon (:), a space, and then the property value as outlined in the examples above.
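A way to check a white list file before distributing it, as an added example that is not SolarWinds code: it parses the `//` comments, the `|&|` AND operator and the `Property: value` spacing described above, then evaluates a device event with OR across lines. Case-insensitive exact matching and the event field values are assumptions; the actual UDLP comparison logic is not documented in this article.

```python
import re

# Property name, colon, one space, value: the spacing the article's note requires.
TERM = re.compile(r"^([A-Za-z][A-Za-z ]*): (\S.*)$")

def parse_whitelist(text):
    """Return (rules, problems); a rule is a list of (property, value) terms."""
    rules, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("//"):  # blank lines and comments are ignored
            continue
        terms = []
        for part in line.split("|&|"):
            m = TERM.match(part)
            if m is None:  # malformed term: report it and drop the whole line
                problems.append((lineno, part))
                break
            # Assumption: names and values compare case-insensitively.
            terms.append((m.group(1).lower(), m.group(2).lower()))
        else:
            rules.append(terms)
    return rules, problems

def is_allowed(rules, event):
    """OR across lines, AND across the |&| terms within one line."""
    fields = {k.lower(): v.lower() for k, v in event.items()}
    return any(all(fields.get(p) == v for p, v in rule) for rule in rules)

# Constructed sample: the article's three example lines plus one malformed line.
SAMPLE = """\
// Allowed device, only for one user
Serial number: 5&2EED174E&0&2|&|User: jbigshot

Device setup class: SmartCardReader
domain: MYNETWORK|&|user: ksmith|&|computer: workstation12
User:nospace
"""
RULES, PROBLEMS = parse_whitelist(SAMPLE)

if __name__ == "__main__":
    # Constructed event fields; Domain/User/Computer values are made up.
    event = {"Serial number": "5&2EED174E&0&2", "User": "guest",
             "Device setup class": "DiskDrive", "Computer": "workstation12"}
    print("problems:", PROBLEMS)
    print("allowed:", is_allowed(RULES, event))
```

A line reported in `problems` never becomes a rule, so a spacing mistake shows up before the file reaches an agent.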

 

 

 
