
Device Control Feature Guide

Version 2.0 - Last updated: 08/15/2019

Contents:

Overview
Before You Begin
Requirements
Role requirements
System Requirements
Limitations
USB device policies
Creating USB Device Policies
1. Create a Policy
2. Set Your Policy's Permissions
3. Set Exceptions to Your Policy
4. Assign Your Policy to Groups
Getting Info About USB Devices
Using Activity > USB Device Control
Using Investigate > USB Device Control
Troubleshooting
A USB Device Isn't Handled Correctly
Blocking USB Devices with Multiple Classes
Vendor Name or Product Name are Incorrect

Overview

With Device Control, you can create USB device policies to gain visibility and control over USB devices in your environment.

Configure USB device policies to control which USB devices can connect to your Windows hosts

Review Device Control dashboards to see USB device connections, USB device policy violations, and actions taken automatically by your policies

Fine-tune your policies with exceptions as needed

Device Control is an add-on module for Falcon Insight, Falcon Prevent, or Falcon Pro subscriptions.

Before You Begin

You should be familiar with these important concepts:

Falcon’s USB device events: instances of a USB device attempting to connect to a host, either by being connected to the host or by already being connected when the host boots

Falcon's host groups, policies, and precedence

USB protocol standards for device classes


Requirements

Role requirements

Users with these roles can view Device Control info: 

Falcon Security Lead

Falcon Investigator

Falcon Analyst

Users with these roles can edit USB device policies and exceptions:

Falcon Administrator

Falcon Endpoint Manager

System Requirements

Only Windows hosts support Device Control.

Each host must be rebooted once after installation in order for Device Control to collect USB events.

You must have a Falcon Device Control module, available as an add-on for these Falcon subscriptions:

Falcon Insight

Falcon Prevent

Falcon Pro

Limitations

We're aware of these scenarios in which Device Control may not function as expected.

Virtualized environments such as Hyper-V, Citrix, VMware, or others: Hypervisor hosts may experience these issues (virtualized guest OSes are unaffected):

Using sensors earlier than version 4.16 on the hypervisor host sometimes results in an OS stop error ("BSOD").

Virtualized environments often use a custom USB stack.

Device Control may work in virtualized stacks, but it is not guaranteed nor recommended.

Device Control may fail to work on these hosts, or could cause BSODs for client/host.

Vodafone network dongles or Elecom numpad devices

Device Control does not work on these devices.

USB forwarding technologies such as RemoteFX or RDP: To block devices, you must apply USB device policies on the server, not the client.

Custom/third party USB device stacks or UAS storage drivers such as ASUS USB 3.0 Boost:

USB devices initialized on third party USB stacks will not be blocked by Device Control.

On Windows 7 hosts, Device Control can't block USB 3.0 drives.

Windows to Go: Boot disks can't be blocked by Device Control.

Understanding USB Device Control

USB Device Control helps you stay aware of the USB devices being connected to hosts in your environment. Each time a USB device attempts to connect to a host, the Falcon sensor on that host logs an event that contains information about the connection attempt:

USB device info: its serial number, device class, vendor description, and more

Host info: its agent ID and hostname

Policy info: action taken in response to the connection attempt (allowed or blocked), the criteria used to match the USB device to a policy setting

Auditing info: the time of the connection attempt 


USB device policies

Configure USB device policies, then assign these policies to host groups to control whether USB devices can connect. USB device policies are like prevention policies: they’re collections of settings for your hosts, and you assign them to host groups. If multiple USB device policies overlap for a given host, the host applies the policy with the highest precedence.

USB Device policies have two policy modes:

Policies in Monitor and Enforce mode take action on USB devices, based on your policy settings: blocking or allowing the USB device connection.

Policies in Monitor only mode record the USB device connection and the action defined by your policy setting, but they don’t enforce the setting on assigned hosts. This mode is intended to help you test your policy behavior without disrupting users in your environment.

The settings in a USB device policy determine whether a USB device of a given device class - or any class - is allowed to connect to a host. Within each class, you can set exceptions: more specific configurations that override the general policy setting.

After you’ve configured your USB device policies and assigned them to hosts, review USB device events in the Falcon console. Then, use that information to fine-tune your USB device policy settings and exceptions over time to meet your organization’s specific needs.

Creating USB Device Policies

When you create a USB device policy, you're setting broad rules that allow or block USB devices based on their USB device class. For example, you might create a policy to block USB storage drives, but permit access for other classes of USB devices.

Later, you can create more specific exceptions to the broad rules defined by a policy.

1. Create a Policy

1. Go to Configuration > USB Device Policies

2. Click Add New Policy

3. Enter a name and optional description for your policy

4. Choose a policy mode (can be changed later):

   Monitor and enforce: apply the settings of this policy, such as blocking specified USB devices

   Monitor only: track violations of this policy, but don't enforce restrictions, in order to test this policy's settings

5. Optionally, select Start with a copy of the default policy to "inherit" the current settings of the default USB device policy

6. Click Create

2. Set Your Policy's Permissions

1. Click any USB device class to configure policy settings for that class:

   Audio / Video (headsets, microphones, speakers, and webcams)

   Imaging (Digital cameras)

   Mass Storage (Flash drives, hard drives, SD card readers)

   Mobile (MTP/PTP) (Mobile phones and tablets)

   Printer (Printers)

   Wireless (Bluetooth devices; not Wi-Fi adapters)

   Use Any Class to configure exceptions that apply regardless of a device's USB class.

2. Select the level of access for devices of that class:

   Full access (or Read, write and execute, for the Mass Storage class)

   Full block

   Read and write only (applies only to the Mass Storage class)

   Read only (applies only to the Mass Storage class)

3. (Optional) Click End User Notifications to enable or disable OS-level notifications to end users when a USB device is blocked by this policy

4. Click Save to save your changes to this USB device policy

3. Set Exceptions to Your Policy

Create exceptions to override the standard behavior of a policy. Exceptions are based on a USB device's vendor ID (VID), product ID (PID), and serial number. For example, you might create a policy that blocks all USB mass storage devices, then create exceptions for the specific USB devices that are issued and approved by your organization.

It's possible to set a class's exception permissions to the same behavior as the class's permissions. If the class's permissions are changed in the future, the exception's permissions remain the same.

Tip: If you have many exceptions to add, we recommend using Manual Entry. When Let me add multiple exceptions without leaving this page is selected, the Manual Entry option clears the Serial Number field but keeps all other information. This streamlines the process of adding many individual exceptions.

1. Select a USB device class, or select Any class, to view the exceptions in that class

2. Click Add Exception to add a new exception to that class

3. Choose whether to create the exception using a USB device's Combined ID or Manual Entry

Combined ID

a. Click the USB Device Dashboard link to open it in a new tab

b. Copy the combined ID value of the USB device you want to make an exception for

c. Return to the Add USB Device Exception tab and paste the value in the Combined ID field

d. Select the Device Class for this exception

e. Select the permissions for this exception:

   Full access (or Read, write and execute, for the Mass Storage class)

   Full block

   Read and write only (applies only to the Mass Storage class)

   Read only (applies only to the Mass Storage class)

f. (Optional) Select Let me add multiple exceptions without leaving this page

g. Click Add Exception

Manual Entry

Tip: The default format for Vendor ID or Product ID is decimal (0 to 65535). If you enter a hexadecimal value beginning with 0x (0x0 to 0xFFFF), the Falcon console automatically converts it to decimal format.

a. Enter the Vendor ID and Vendor Name

b. (Optional) Enter a Product ID and Product Name

c. (Optional) Enter a Serial Number

d. Select the Device Class for this exception

e. Select the permissions for this exception:

   Full access (or Read, write and execute, for the Mass Storage class)

   Full block

   Read and write only (applies only to the Mass Storage class)

   Read only (applies only to the Mass Storage class)

f. (Optional) Select Let me add multiple exceptions without leaving this page

g. Click Add Exception

4. Click Save to save your changes to this USB device policy

When you use Manual Entry, exceptions that contain more information override exceptions that contain less information. From highest to lowest priority, this is the order of specificity:

1. All 3 of Vendor ID, Product ID, and Serial Number

2. Vendor ID and Product ID

3. Vendor ID and a specific device class

4. Vendor ID

5. Device class
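The following is an added example, written for this guide rather than taken from it or from the Falcon console's own code. It models the exception specificity order listed above together with the decimal/0x convention for Vendor ID and Product ID described in the Manual Entry tip, so you can check which permission a given connection would end up with before you assign the policy. The vendor ID 0x1234, the product ID 22136, the serial numbers, the use of class names as dictionary keys, the ranking of a serial number entered without a product ID, and the tie-break between an Any-class and a class-specific exception of equal rank are all constructed assumptions; the console's internal matching logic is not documented here.

```python
# Added example (not CrowdStrike code): toy model of how Manual Entry
# exceptions override a class-level USB device policy setting, following the
# specificity order the guide lists, plus the console's decimal/0x convention
# for Vendor ID and Product ID. Sample values below are constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional

ANY_CLASS = "Any"
MASS_STORAGE = "Mass Storage"
STORAGE_ONLY_PERMISSIONS = {"Read only", "Read and write only"}


def parse_usb_id(text: str) -> int:
    """Parse a Vendor ID or Product ID as the console does: decimal by default,
    hexadecimal when it starts with 0x. Either way it must fit in 0..65535."""
    text = text.strip()
    value = int(text, 16) if text.lower().startswith("0x") else int(text, 10)
    if not 0 <= value <= 0xFFFF:
        raise ValueError(f"USB ID out of range: {text!r}")
    return value


@dataclass(frozen=True)
class DeviceException:
    """One exception row: the class it was created under (or Any), the VID it
    requires, its permission, and the optional PID and serial that narrow it."""
    device_class: str
    vid: int
    permission: str
    pid: Optional[int] = None
    serial: Optional[str] = None

    def __post_init__(self) -> None:
        # Read only / Read and write only exist only for the Mass Storage class.
        if self.permission in STORAGE_ONLY_PERMISSIONS and self.device_class != MASS_STORAGE:
            raise ValueError(f"{self.permission!r} is only valid for {MASS_STORAGE}")


@dataclass(frozen=True)
class UsbEvent:
    """The identifying fields of one USB connection attempt."""
    device_class: str
    vid: int
    pid: int
    serial: str


def matches(exc: DeviceException, ev: UsbEvent) -> bool:
    """An exception applies when every field it specifies equals the event's."""
    return (
        exc.vid == ev.vid
        and (exc.pid is None or exc.pid == ev.pid)
        and (exc.serial is None or exc.serial == ev.serial)
        and exc.device_class in (ANY_CLASS, ev.device_class)
    )


def specificity(exc: DeviceException) -> int:
    """Rank per the guide, highest first: VID+PID+serial (4), VID+PID (3),
    VID under a specific class (2), VID alone (1). A serial entered without a
    PID is not in the guide's list; this model ranks it like VID alone (assumption)."""
    if exc.pid is not None and exc.serial is not None:
        return 4
    if exc.pid is not None:
        return 3
    if exc.device_class != ANY_CLASS:
        return 2
    return 1


def resolve_permission(ev: UsbEvent, class_defaults: Dict[str, str],
                       exceptions: List[DeviceException]) -> str:
    """Effective permission: the most specific matching exception, otherwise
    the class-level setting (Full access if the class is not configured)."""
    candidates = [e for e in exceptions if matches(e, ev)]
    if not candidates:
        return class_defaults.get(ev.device_class, "Full access")
    # Equal ranks: prefer the class-specific exception over Any (assumption).
    best = max(candidates, key=lambda e: (specificity(e), e.device_class != ANY_CLASS))
    return best.permission


# Constructed sample policy: block storage and printers, trust one vendor's
# gear, but keep that vendor's storage read-only unless the drive was issued.
CLASS_DEFAULTS = {MASS_STORAGE: "Full block", "Printer": "Full block"}
TRUSTED_VID = parse_usb_id("0x1234")   # entered as hex, stored as 4660
ISSUED_PID = parse_usb_id("22136")     # entered as decimal
EXCEPTIONS = [
    DeviceException(ANY_CLASS, TRUSTED_VID, "Full access"),
    DeviceException(MASS_STORAGE, TRUSTED_VID, "Read only"),
    DeviceException(MASS_STORAGE, TRUSTED_VID, "Read and write only", pid=ISSUED_PID),
    DeviceException(MASS_STORAGE, TRUSTED_VID, "Full access", pid=ISSUED_PID, serial="SN-0001"),
]


def decide(device_class: str, vid: int, pid: int, serial: str) -> str:
    """Resolve one connection attempt against the sample policy."""
    return resolve_permission(UsbEvent(device_class, vid, pid, serial), CLASS_DEFAULTS, EXCEPTIONS)


if __name__ == "__main__":
    for args in [(MASS_STORAGE, TRUSTED_VID, ISSUED_PID, "SN-0001"),
                 (MASS_STORAGE, TRUSTED_VID, ISSUED_PID, "SN-9999"),
                 (MASS_STORAGE, TRUSTED_VID, 1, "SN-0001"),
                 ("Printer", TRUSTED_VID, 1, "SN-0001"),
                 (MASS_STORAGE, 9999, 1, "SN-0001")]:
        print(args, "->", decide(*args))
```

Running the script walks five constructed connection attempts through the sample policy: the issued drive gets Full access, another drive of the same model gets Read and write only, any other storage from the trusted vendor is Read only, the vendor's printer is allowed by the Any-class exception, and an unknown vendor's drive falls through to the class default.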

4. Assign Your Policy to Groups

After you've created a policy and exceptions, you're ready to assign your USB device policy to a group. Assigning a USB device policy works the same as assigning other types of policies.

1. Go to Configuration > USB Device Policies.

2. Find the policy you want to assign to a group and click the Edit Policy button on the far right.

3. Near the top of the page, click Assignment.

4. Click Add Groups in the upper-right.

5. Select one or more groups.

6. Click Apply.

USB device policies take effect when a USB device is connected to a host. If a host has USB devices connected when you assign a policy, those devices aren't affected until the next time they're reconnected or the next time the host reboots.

Getting Info About USB Devices

After you set up your USB device policies, use the Falcon console’s Device Control dashboards to review USB connection events in your environment. Depending on which Device Control subscription you have, you'll find your Device Control dashboards in a different part of the Falcon console:

If you have Device Control with Falcon Prevent or Falcon Pro, go to Activity > USB Device Control

If you have Device Control with Falcon Insight, go to Investigate > USB Device Control

Using Activity > USB Device Control

If you have Device Control with Falcon Prevent or Falcon Pro, go to Activity > USB Device Control

This view of Device Control only tracks instances of USB devices connecting to hosts. It doesn’t track other user or system actions, such as file transfers.

Here you can see all instances of USB devices connecting to your hosts, including details about:

The USB device, such as its device name, vendor name, and IDs

The specific host it attempted to connect to, including whether the connection was allowed or blocked

The USB device policy that defined whether the connection was allowed or blocked - and you can create policy exceptions here without returning to Configuration > USB Device Policies

VIEWING AND FILTERING USB DEVICE EVENTS

By default, Activity > USB Device Control shows all instances of USB devices connecting to your hosts. You can filter these events with the filter bar at the top.

Filter option     Goal/description

Policy mode       Enforce: view events associated with policies set to Monitor and Enforce mode
                  Monitor only: view events associated with policies set to Monitor only mode
                  A value of N/A indicates that the USB device was allowed to connect (the Full access permission).

Permissions       View events that resulted in a selected action, based on the Permission setting in your USB device policy. Read only and Read and write only appear only for devices with the Mass Storage USB device class.

Policy name       View events associated with a specific USB device policy. A value of N/A indicates that the USB device was allowed to connect (the Full access permission).

Device class      The USB device class of the device. This is set by the device manufacturer.

Vendor name       The manufacturer of the USB device. This is set by the device manufacturer.

Product name      The product name for the device. This is set by the device manufacturer.

Event time        The time the USB device attempted to connect. This time is recorded in UTC but displayed according to your user profile’s time setting.

CREATING EXCEPTIONS

In addition to creating exceptions from Configuration > USB Device Policies, you can create exceptions from an individual event on the Activity > USB Device Control dashboard.

1. From Activity > USB Device Control, select an event

2. Click the Add Exception button

3. (Optional) Change any items for this exception

4. Click Add to policy to add your exception to the policy for future USB devices

Using Investigate > USB Device Control

Discover information on USB devices in your environment at Investigate > USB Device Control.

You'll also use this information when you create exceptions in USB device policies. When creating exceptions, you identify USB devices by their vendor IDs (VIDs), product IDs (PIDs), and serial numbers. We recommend using the USB device dashboards to get accurate information, but you can also use another source of USB devices' VIDs, PIDs, and serial numbers.

Tip: Download the contents of any of these dashboards by mousing over them, then clicking Export in the bottom-right corner.

USB DEVICE USAGE

The USB Device Usage dashboard shows all USB device activity in your environment.

You can also enter a serial number, vendor name, device class, or product name to narrow your search. Depending on the size of your environment, changing the Time Range can result in a search that takes some time to complete.

DEVICE USAGE BY HOST

The Device Usage by Host dashboard shows device usage for a single host. Enter a hostname in the Host Name field to view its history.

DEVICE BLOCKS

The Device Blocks dashboard shows instances of USB devices that were blocked by a USB device policy set to Full Block on any host in your environment. Instances of mass storage devices using policies set to Read only or Read and write only aren't included. This dashboard helps you determine whether your USB device policies are blocking devices as intended.

You can also enter a serial number, vendor name, or product name to narrow your search. Depending on the size of your environment, changing the Time Range can result in a search that takes some time to complete.

POLICY VIOLATIONS

The Policy Violations dashboard shows instances of USB devices that match a USB device policy set to Monitor only. These USB devices were allowed to connect to a host, but if your policy were set to Monitor and enforce, they would have been blocked. This dashboard helps you test a USB device policy without affecting users and hosts.

You can also enter a serial number, vendor name, or product name to narrow your search. Depending on the size of your environment, changing the Time Range can result in a search that takes some time to complete.

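The following is an added example, not code from this guide or from the Falcon console. It rebuilds the two dashboard views described above, Device Blocks and Policy Violations, from a constructed list of USB connection events, and then groups the Monitor-only violations by vendor and product so you can see which exceptions a policy would need before you switch it from Monitor only to Monitor and enforce. The event dictionary keys (mode, action, class, vid, pid, serial, vendor, product, host) are assumptions: the guide lists what an event contains, not the exact field names, and the events themselves are made up for the example.

```python
# Added example (not CrowdStrike code): derive the Device Blocks and Policy
# Violations views from constructed USB connection events, and summarise the
# violations per device model. Field names and events are assumptions.
from collections import Counter
from typing import Dict, List, Tuple

ENFORCE = "Monitor and enforce"
MONITOR_ONLY = "Monitor only"
FULL_BLOCK = "Full block"

Event = Dict[str, str]
DeviceKey = Tuple[str, str, str, str]   # (vid, pid, vendor, product)


def make_event(mode: str, action: str, cls: str, vid: str, pid: str, serial: str,
               vendor: str, product: str, host: str = "WS-01") -> Event:
    """Build one event: the policy's mode, the permission the policy defined
    for the device (its action), and the device and host details."""
    return {"mode": mode, "action": action, "class": cls, "vid": vid, "pid": pid,
            "serial": serial, "vendor": vendor, "product": product, "host": host}


# Constructed sample events. One enforced block, one enforced read-only
# restriction, three Monitor-only would-be blocks, one Monitor-only allow.
EVENTS: List[Event] = [
    make_event(ENFORCE, FULL_BLOCK, "Mass Storage", "4660", "22136", "SN-0001",
               "Example Vendor", "Example Drive"),
    make_event(ENFORCE, "Read only", "Mass Storage", "4660", "22136", "SN-0007",
               "Example Vendor", "Example Drive"),
    make_event(MONITOR_ONLY, FULL_BLOCK, "Mass Storage", "4660", "22136", "SN-0002",
               "Example Vendor", "Example Drive", host="WS-02"),
    make_event(MONITOR_ONLY, FULL_BLOCK, "Mass Storage", "4660", "22136", "SN-0003",
               "Example Vendor", "Example Drive", host="WS-03"),
    make_event(MONITOR_ONLY, FULL_BLOCK, "Printer", "1111", "2", "SN-P1",
               "Constructed Printers", "Office Printer"),
    make_event(MONITOR_ONLY, "Full access", "Imaging", "2222", "3", "SN-C1",
               "Constructed Cameras", "Webcam"),
]


def device_blocks(events: List[Event]) -> List[Event]:
    """Device Blocks: enforced Full block events only. Read only and Read and
    write only restrictions on storage are not counted as blocks."""
    return [e for e in events if e["mode"] == ENFORCE and e["action"] == FULL_BLOCK]


def policy_violations(events: List[Event]) -> List[Event]:
    """Policy Violations: Monitor-only events whose policy setting would have
    blocked the device had the policy been set to Monitor and enforce."""
    return [e for e in events if e["mode"] == MONITOR_ONLY and e["action"] == FULL_BLOCK]


def violations_by_device(events: List[Event]) -> List[Tuple[DeviceKey, int]]:
    """Count violations per (vid, pid, vendor, product), most frequent first,
    which is the granularity at which a VID+PID exception would be written."""
    counts: Counter = Counter(
        (e["vid"], e["pid"], e["vendor"], e["product"]) for e in policy_violations(events)
    )
    return counts.most_common()


if __name__ == "__main__":
    print("Device Blocks:", [(e["host"], e["serial"]) for e in device_blocks(EVENTS)])
    print("Policy Violations:", [(e["host"], e["serial"]) for e in policy_violations(EVENTS)])
    for key, n in violations_by_device(EVENTS):
        print(f"{n} would-be block(s) for VID {key[0]} PID {key[1]} ({key[2]} {key[3]})")
```

The per-device summary is the useful part for tuning: a model that keeps appearing in Policy Violations is either something to add as a VID+PID exception before enforcing, or a confirmation that the block is wanted.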
Troubleshooting

A USB Device Isn't Handled Correctly

If a USB device isn't being affected by your USB device policy, check these items in this order:

1. Has the host been updated to Windows sensor version 4.7.7002 or later and been rebooted after the sensor update?

2. Does the host belong to a group with the USB device policy assigned?

3. Does the host's group have another, higher-precedence USB device policy assigned (where 1 is the highest level of precedence)?

4. Is the USB device policy enabled?

5. Is the USB device policy set to Monitor and enforce?

6. Is the USB device policy configured to allow or deny access correctly for that device's USB device class?

7. Is there an exception that specifies different behavior for that USB device class?

8. Is there a more specific exception that's pre-empting the exception you expected?

9. Did you enter a combined ID or manual entry in the wrong USB device class?

10. If you entered an exception with a combined ID, is the combined ID correct?

Blocking USB Devices with Multiple Classes

Some USB devices, such as multi-function printers, have multiple classes. Depending on the specific classes, you can disable some or all of the device's functionality.

If a multiple-class device has Mass Storage: you can set Mass Storage to Full Block to block only the storage component of the device. Other functions of the device continue to work normally. For example, if your policy blocks mass storage for a multi-function printer, the printer can't use its SD card storage, but it can continue to print normally.

If a multiple-class device doesn't have Mass Storage: blocking any of the device's classes completely prevents connections for that device. For example, if your policy blocks Audio/Video for a USB camera that also has the Imaging class, the camera can't connect via USB in any way.

Vendor Name or Product Name are Incorrect

When entering a Vendor Name or Product Name, you may find an entry that corresponds to an incorrect Vendor ID or Product ID. When Falcon looks up vendor and product names, it checks several third-party lists, as well as any vendor and product names you've previously entered for other exceptions.
