Contents:
Overview
Before You Begin
Requirements
Role requirements
System Requirements
Limitations
USB device policies
Creating USB Device Policies
1. Create a Policy
2. Set Your Policy's Permissions
3. Set Exceptions to Your Policy
4. Assign Your Policy to Groups
Getting Info About USB Devices
Using Activity > USB Device Control
Using Investigate > USB Device Control
Troubleshooting
A USB Device Isn't Handled Correctly
Blocking USB Devices with Multiple Classes
Vendor Name or Product Name are Incorrect
Overview
With Device Control, you can create USB device policies to gain visibility and control over USB devices in your environment.
Configure USB device policies to control which USB devices can connect to your Windows hosts
Review Device Control dashboards to see USB device connections, USB device policy violations, and actions taken automatically by your policies
Device Control is an add-on module for Falcon Insight, Falcon Prevent, or Falcon Pro subscriptions.
Falcon’s USB device events: instances of a USB device attempting to connect to a host, either by being connected to the host or by already being connected when the host boots
Role requirements
Falcon Investigator
Falcon Analyst
Users with these roles can edit USB device policies and exceptions:
Falcon Administrator
System Requirements
Each host must be rebooted once after installation in order for Device Control to collect USB events.
You must have a Falcon Device Control module, available as an add-on for these Falcon subscriptions:
Falcon Insight
Falcon Prevent
Falcon Pro
Limitations
We're aware of these scenarios in which Device Control may not function as expected.
Virtualized environments such as Hyper-V, Citrix, VMWare, or others: Hypervisor hosts may experience these issues (virtualized guest OSes are unaffected):
Using sensors earlier than version 4.16 on the hypervisor host sometimes results in an OS stop error ("BSOD").
Device Control may work in virtualized stacks, but it is not guaranteed nor recommended.
Device Control may fail to work on these hosts, or could cause BSODs for client/host.
USB forwarding technologies such as RemoteFx, RDP: To block devices, you must apply USB device policies on the server, not the client.
Custom/third party USB device stacks or UAS storage drivers such as ASUS USB 3.0 Boost:
USB devices initialized on third party USB stacks will not be blocked by Device Control.
USB Device Control helps you stay aware of the USB devices being connected to hosts in your environment. Each time a USB device attempts to connect to a host, the Falcon sensor on that host logs an event that contains information about the connection attempt:
USB device info: its serial number, device class, vendor description, and more
Policy info: action taken in response to the connection attempt (allowed or blocked), the criteria used to match the USB device to a policy setting
Configure USB device policies, then assign these policies to host groups to control whether USB devices can connect. USB device policies are like prevention policies: they’re collections of settings for your hosts, and you assign them to host groups. If you have multiple overlapping USB device policies for a given host, it applies the policy with the highest precedence.
Policies in Monitor and Enforce mode take action on USB devices, based on your policy settings: blocking or allowing the USB device connection.
Policies in Monitor only mode record the USB device connection and the action defined by your policy setting, but they don’t enforce the setting on assigned hosts. This mode is intended to help you test your policy behavior without disrupting users in your environment.
The settings in a USB device policy determine whether a USB device of a given device class - or any class - is allowed to connect to a host. Within each class, you can set exceptions: more specific configurations that override the general policy setting.
After you’ve configured your USB device policies and assigned them to hosts, review USB device events in the Falcon console. Then, use that information to fine-tune your USB device policy settings and exceptions over time to meet your organization’s specific needs.
Creating USB Device Policies
When you create a USB device policy, you're setting broad rules that allow or block USB devices based on their USB device class. For example, you might create a policy to block USB storage drives, but permit access for other classes of USB devices.
Later, you can create more specific exceptions to the broad rules defined by a policy.
1. Create a Policy
Monitor and enforce: apply the settings of this policy, such as blocking specified USB devices
Monitor only: track violations of this policy, but don't enforce restrictions, in order to test this policy's settings
. Optionally, select Start with a copy of the default policy to "inherit" the current settings of the default USB device policy
. Click Create
. Click any USB device class to configure policy settings for that class:
Audio / Video (headsets, microphones, speakers, and webcams)
Imaging (Digital cameras)
Printer (Printers)
. (Optional) Click End User Notifications to enable or disable OS-level notifications to end users when a USB device is blocked by this policy
Create exceptions to override the standard behavior of a policy. Exceptions are based on a USB device's vendor ID (VID), product ID (PID), and serial number. For example, you might create a policy that blocks all USB mass storage devices, then create exceptions for the specific USB devices that are issued and approved by your organization.
It's possible to set a class's exception permissions to the same behavior as the class's permissions. If the class's permissions are changed in the future, the exception's permissions remain the same.
Tip: If you have many exceptions to add, we recommend using Manual Entry. When Let me add multiple exceptions without leaving this page is selected, the Manual Entry option clears the Serial Number field but keeps all other information. This streamlines the process of adding many individual exceptions.
. Select a USB device class, or select Any class, to view the exceptions in that class
. Choose whether to create the exception using a USB device's Combined ID or Manual Entry
Combined ID
. Copy the combined ID value of the USB device you want to make an exception for
. Return to the Add USB Device Exception tab and paste the value in the Combined ID field
. Click Add Exception
Manual Entry
Tip: The default format for Vendor ID or Product ID is decimal (0 to 65535). If you enter a hexadecimal value beginning with 0x (0x0 to 0xFFFF), the Falcon console automatically converts it to decimal format.
. Click Add Exception
When you use Manual Entry, exceptions that contain more information override exceptions that contain less information. From highest to lowest priority, this is the order of specificity:
. Vendor ID
. Device class
After you've created a policy and exceptions, you're ready to assign your USB device policy to a group. Assigning a USB device policy works the same as assigning other types of policies.
. Find the policy you want to assign to a group and click the Edit Policy button on the far right.
. Click Apply.
USB device policies take effect when a USB device is connected to a host. If a host has USB devices connected when you assign a policy, those devices aren't affected until the next time they're reconnected or the next time the host reboots.
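The matching rules this section describes (class permission, most specific exception wins, highest-precedence policy wins, Monitor only records without enforcing, hex VID/PID entry converted to decimal) as an added Python model; this is not Falcon's own code, and every class, function and field name in it is an assumption made for the illustration:

```python
from collections import namedtuple
from dataclasses import dataclass
from typing import Optional
# Constructed model of the policy evaluation described on this page: an added
# illustration, not Falcon's own code; every name here is an assumption.

def parse_id(value: str) -> int:
    """VID/PID entry: decimal (0..65535) or 0x-prefixed hex, stored as decimal."""
    n = int(value, 16) if value.lower().startswith("0x") else int(value, 10)
    if not 0 <= n <= 0xFFFF:
        raise ValueError(f"ID out of range: {value}")
    return n

Device = namedtuple("Device", "vid pid serial device_class")

@dataclass
class DeviceException:
    device_class: str            # a class name, or "Any" for the Any class tab
    permission: str              # "Full access", "Read only" or "Full block"
    vid: Optional[int] = None
    pid: Optional[int] = None
    serial: Optional[str] = None

    def matches(self, dev: Device) -> bool:
        return (self.device_class in ("Any", dev.device_class)
                and self.vid in (None, dev.vid) and self.pid in (None, dev.pid)
                and self.serial in (None, dev.serial))

    def specificity(self) -> int:  # more information overrides less
        return sum(x is not None for x in (self.vid, self.pid, self.serial))

@dataclass
class Policy:
    name: str
    precedence: int              # 1 is the highest precedence
    enforce: bool                # False models Monitor only mode
    class_permissions: dict      # device class -> permission
    exceptions: list

def evaluate(policies: list, dev: Device) -> dict:
    """The event a host would log for one connection attempt."""
    pol = min(policies, key=lambda p: p.precedence)  # overlapping policies: highest precedence
    perm, criteria = pol.class_permissions.get(dev.device_class, "Full access"), "class"
    hits = [e for e in pol.exceptions if e.matches(dev)]
    if hits:  # the most specific matching exception overrides the class setting
        perm, criteria = max(hits, key=DeviceException.specificity).permission, "exception"
    violation = perm == "Full block"  # Monitor only records this but still allows the device
    return {"policy": pol.name, "permission": perm, "matched_by": criteria,
            "action": "blocked" if violation and pol.enforce else "allowed",
            "monitor_only_violation": violation and not pol.enforce}
```

The sample VIDs, PIDs and serial numbers used with this model are constructed values, not real device identifiers.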
Getting Info About USB Devices
After you set up your USB device policies, use the Falcon console’s Device Control dashboards to review USB connection events in your environment. Depending on which Device Control subscription you have, you'll find your Device Control dashboards in a different part of the Falcon console:
If you have Device Control with Falcon Prevent or Falcon Pro, go to Activity > USB Device Control
If you have Device Control with Falcon Insight, go to Investigate > USB Device Control
Using Activity > USB Device Control
This view of Device Control only tracks instances of USB devices connecting to hosts. It doesn’t track other user or system actions, such as file transfers.
Here you can see all instances of USB devices connecting to your hosts, including details about:
The USB device, such as its device name, vendor name, and IDs
The specific host it attempted to connect to, including whether the connection was allowed or blocked
The USB device policy that defined whether the connection was allowed or blocked - and you can create policy exceptions here without returning to Configuration > USB Device Policies
By default, Activity > USB Device Control shows all instances of USB devices connecting to your hosts. You can filter these events with the filter bar at the top.
Policy mode: Monitor and Enforce: view events associated with policies set to Monitor and Enforce mode. Monitor only: view events associated with policies set to Monitor only mode.
Permissions: View events that resulted in a selected action, based on the Permission setting in your USB device policy. Read only and Read and write only appear only for devices with the mass storage USB device class. A value of N/A indicates that the USB device was allowed to connect (the Full access permission).
Policy name: View events associated with a specific USB device policy. A value of N/A indicates that the USB device was allowed to connect (the Full access permission).
Device class: The USB device class of the device. This is set by the device manufacturer.
Vendor name: The manufacturer of the USB device. This is set by the device manufacturer.
Product name: The product name for the device. This is set by the device manufacturer.
Event time: The time the USB device attempted to connect. This time is recorded in UTC but displayed according to your user profile’s time setting.
CREATING EXCEPTIONS
In addition to creating exceptions from Configuration > USB Device Policies, you can create exceptions from an individual event on the Activity > USB Device Control dashboard.
. Click Add to policy to add your exception to the policy for future USB devices
Discover information on USB devices in your environment at Investigate > USB Device Control.
You'll also use this information when you create exceptions in USB device policies. When creating exceptions, you identify USB devices by their vendor IDs (VIDs), product IDs (PIDs), and serial numbers. We recommend using the USB device dashboards to get accurate information, but you can also use another source of USB devices' VIDs, PIDs, and serial numbers.
Tip: Download the contents of any of these dashboards by mousing over them, then clicking Export in the bottom-right corner.
The USB Device Usage dashboard shows all USB device activity in your environment.
You can also enter a serial number, vendor name, device class, or product name to narrow your search. Depending on the size of your environment, changing the Time Range can result in a search that takes some time to complete.
DEVICE USAGE BY HOST
The Device Usage by Host dashboard shows device usage for a single host. Enter a hostname in the Host Name field to view its history.
DEVICE BLOCKS
The Device Blocks dashboard shows instances of USB devices that were blocked by a USB device policy set to Full Block on any host in your environment. Instances of mass storage devices using policies set to Read only or Read and write only aren't included. This dashboard helps you determine whether your USB device policies are blocking devices as intended.
You can also enter a serial number, vendor name, or product name to narrow your search. Depending on the size of your environment, changing the Time Range can result in a search that takes some time to complete.
POLICY VIOLATIONS
The Policy Violations dashboard shows instances of USB devices that match a USB device policy set to Monitor only. These USB devices were allowed to connect to a host, but if your policy were set to Monitor and enforce, they would have been blocked. This dashboard helps you test a USB device policy without affecting users and hosts.
You can also enter a serial number, vendor name, or product name to narrow your search. Depending on the size of your environment, changing the Time Range can result in a search that takes some time to complete.
Troubleshooting
A USB Device Isn't Handled Correctly
If a USB device isn't being affected by your USB device policy, check these items in this order:
. Has the host been updated to Windows sensor version 4.7.7002 or later and been rebooted after the sensor update?
. Does the host belong to a group with the USB device policy assigned?
. Does the host's group have another, higher-precedence USB device policy assigned (where 1 is the highest level of precedence)?
. Is the USB device policy configured to allow or deny access correctly for that device's USB device class?
. Is there an exception that specifies different behavior for that USB device class?
. Is there a more specific exception that's pre-empting the exception you expected?
. Did you enter a combined ID or manual entry in the wrong USB device class?
Blocking USB Devices with Multiple Classes
Some USB devices, such as multi-function printers, have multiple classes. Depending on the specific classes, you can disable some or all of the device's functionality.
If a multiple-class device has Mass Storage: you can set Mass Storage to Full Block to block only the storage component of the device. Other functions of the device continue to work normally. For example, if your policy blocks mass storage for a multi-function printer, the printer can't use its SD card storage, but it can continue to print normally.
If a multiple-class device doesn't have Mass Storage: blocking any of the device's classes completely prevents connections for that device. For example, if your policy blocks Audio/Video for a USB camera that also has the Imaging class, the camera can't connect via USB in any way.
Vendor Name or Product Name are Incorrect
When entering a Vendor Name or Product Name, you may find an entry that corresponds to an incorrect Vendor ID or Product ID. When Falcon looks up vendor and product names, it checks several third-party lists, as well as any vendor and product names you've previously entered for other exceptions.