This document discusses the features and functionality of the USB Device Control section of the Cloud version of Symantec Endpoint Protection Small Business Edition (SEP SBE).
NOTE: The SEP SBE product does not have the ability to whitelist a URL or a USB device. It is all or nothing.
About USB Device Control
USB Device Control enables administrators to prevent malicious code injection and intellectual property theft by controlling employee use of USB removable storage devices. USB mice and keyboards are unaffected by USB Device Control as they are not recognized or classified as storage devices by Windows. This control provides the functionality to either allow or block these devices by policy at the endpoint.
Allow: When policy allows USB devices, all computers in the groups to which the policy applies have complete access to USB storage devices. Allow is the default setting. Read-only access for USB storage devices can also be configured.
Block: When policy blocks USB devices, access to USB storage devices is disabled and notifications of these blocks may be enabled on the endpoint. These notifications appear as small pop-up messages in the bottom-right corner of the endpoint computer's screen. Notifications are off by default.
Example Notification Message:
USB Device Control
Device description: USB Mass Storage
The USB device was blocked by policy and the event has been logged. Contact your administrator for assistance.
All blocking events are logged for review and reporting. The blocking events are recorded in a number of locations:
A summary of events listed in the Endpoint Protection Home page widget
A summary of events listed in the Protection Summary section of the Computer Profile for the particular machine
As individual events recorded on the Computer Profile History tab
In the USB Device Control portion of the Endpoint Protection Security Overview report
Configuring Device Control
Endpoint Protection policies enable creation of suitable controls over USB storage devices based on groups. Device Control affects devices classified as "USB Storage Devices" by Windows Device Manager. USB Device Control configuration can be included as part of either a new policy, or an existing customized Endpoint Protection policy.
To configure USB device control in an existing Endpoint Protection policy:
Once the new policy has been created (step 6), apply the desired USB device control settings: use the drop-down to allow or block access to USB devices
Use the check-boxes to enable or disable read-write access to USB storage devices and notifications of USB blocking
Make sure that all groups which should apply this policy are checked in the "Groups" section at the bottom of the page
Click "Save and Apply"
Bypassing USB device control:
It is possible to set a password to temporarily bypass USB device control when an administrator needs to access USB devices on a machine but does not want the user to have open access regularly. To do so: