
11/6/2020 Device Control | Documentation | Support | Falcon

CROWDSTRIKE CONFIDENTIAL
Device Control Feature Guide

Last updated: Oct 22, 2020

Contents:

Overview
Before You Begin
Requirements
Role requirements
System Requirements
Limitations
USB device policies
Creating USB Device Policies
1. Create a Policy
2. Set Your Policy's Permissions
3. Set Exceptions to Your Policy
4. Assign Your Policy to Groups
Getting Info About USB Devices
Using Activity > USB Device Control
Using Investigate > USB Device Control
Troubleshooting
A USB Device Isn't Handled Correctly
Blocking USB Devices with Multiple Classes
Vendor Name or Product Name are Incorrect

https://falcon.eu-1.crowdstrike.com/support/documentation/37/device-control 1/15
Overview

With Device Control, you can create USB device policies to gain visibility and control over USB devices in your environment.

Configure USB device policies to control which USB devices can connect to your Windows hosts

Review Device Control dashboards to see USB device connections, USB device policy violations, and actions taken
automatically by your policies

Fine-tune your policies with exceptions as needed

Device Control is an add-on module for Falcon Insight, Falcon Prevent, or Falcon Pro subscriptions.

Before You Begin

You should be familiar with these important concepts:

Falcon’s USB device events: instances of a USB device attempting to connect to a host, either by being connected to the host
or by already being connected when the host boots

Falcon's host groups, policies, and precedence

USB protocol standards for device classes

Requirements

Role requirements

Users with these roles can view Device Control info: 

Falcon Security Lead

Falcon Investigator

Falcon Analyst

Users with these roles can edit USB device policies and exceptions:

Falcon Administrator

Device Control Manager

System Requirements

Only Windows hosts support Device Control.

Each host must be rebooted once after installation in order for Device Control to collect USB events.

You must have a Falcon Device Control module, available as an add-on for these Falcon subscriptions:

Falcon Insight

Falcon Prevent

Falcon Pro

Limitations

We're aware of these scenarios in which Device Control may not function as expected.

Virtualized environments such as Hyper-V, Citrix, VMware, or others: Hypervisor hosts may experience these issues (virtualized
guest OSes are unaffected):

Using sensors earlier than version 4.16 on the hypervisor host sometimes results in an OS stop error ("BSOD").

Virtualized environments often use a custom USB stack.

Device Control may work in virtualized stacks, but it is not guaranteed nor recommended.

Device Control may fail to work on these hosts, or could cause BSODs for client/host.

Vodafone network dongles or Elecom numpad devices

Device Control does not work on these devices.

USB forwarding technologies such as RemoteFX or RDP: To block devices, you must apply USB device policies on the server, not
the client.


Custom/third party USB device stacks or UAS storage drivers such as ASUS USB 3.0 Boost:

USB devices initialized on third party USB stacks will not be blocked by Device Control.

On Windows 7 hosts, Device Control can't block USB 3.0 drives.

Windows to Go: Boot disks can't be blocked by Device Control.

Understanding USB Device Control

USB Device Control helps you stay aware of the USB devices being connected to hosts in your environment. Each time a USB
device attempts to connect to a host, the Falcon sensor on that host logs an event that contains information about the
connection attempt:

USB device info: its serial number, device class, vendor description, and more

Host info: its agent ID and hostname

Policy info: action taken in response to the connection attempt (allowed or blocked), the criteria used to match the USB device
to a policy setting

Auditing info: the time of the connection attempt 

USB device policies

Configure USB device policies, then assign these policies to host groups to control whether USB devices can connect. USB device
policies are like prevention policies: they’re collections of settings for your hosts, and you assign them to host groups. If you have
multiple overlapping USB device policies for a given host, it applies the policy with the highest precedence.

USB Device policies have two policy modes:

Policies in Monitor and Enforce mode take action on USB devices, based on your policy settings: blocking or allowing the USB
device connection.

Policies in Monitor only mode record the USB device connection and the action defined by your policy setting, but they don’t
enforce the setting on assigned hosts. This mode is intended to help you test your policy behavior without disrupting users in
your environment.

The settings in a USB device policy determine whether a USB device of a given device class - or any class - is allowed to connect
to a host. Within each class, you can set exceptions: more specific configurations that override the general policy setting.

After you’ve configured your USB device policies and assigned them to hosts, review USB device events in the Falcon console.
Then, use that information to fine-tune your USB device policy settings and exceptions over time to meet your organization’s
specific needs.

Creating USB Device Policies

When you create a USB device policy, you're setting broad rules that allow or block USB devices based on their USB device class.
For example, you might create a policy to block USB storage drives, but permit access for other classes of USB devices.

Later, you can create more specific exceptions to the broad rules defined by a policy.

1. Create a Policy

1. Go to Configuration > USB Device Policies

2. Click Add New Policy

3. Enter a name and optional description for your policy

4. Choose a policy mode (can be changed later):

   Monitor and enforce: apply the settings of this policy, such as blocking specified USB devices

   Monitor only: track violations of this policy, but don't enforce restrictions, in order to test this policy's settings

5. Optionally, select Start with a copy of the default policy to "inherit" the current settings of the default USB device policy

6. Click Create

2. Set Your Policy's Permissions


1. Click any USB device class to configure policy settings for that class:

   Audio / Video (headsets, microphones, speakers, and webcams)

   Imaging (digital cameras)

   Mass Storage (flash drives, hard drives, SD card readers)

   Mobile (MTP/PTP) (mobile phones and tablets)

   Printer (printers)

   Wireless (Bluetooth devices; not Wi-Fi adapters)

   Use Any Class to configure exceptions that apply regardless of a device's USB class.

2. Select the level of access for devices of that class:

   Full access (or Read, write and execute, for the Mass Storage class)

   Full block

   Read and write only (applies only to the Mass Storage class)

   Read only (applies only to the Mass Storage class)

3. (Optional) Click End User Notifications to enable or disable OS-level notifications to end users when a USB device is
   blocked by this policy


4. Click Save to save your changes to this USB device policy

3. Set Exceptions to Your Policy

Create exceptions to override the standard behavior of a policy. Exceptions are based on a USB device's vendor ID (VID), product
ID (PID), and serial number. For example, you might create a policy that blocks all USB mass storage devices, then create
exceptions for the specific USB devices that are issued and approved by your organization.

It's possible to set a class's exception permissions to the same behavior as the class's permissions. If the class's permissions are
changed in the future, the exception's permissions remain the same.

Tip: If you have many exceptions to add, we recommend using Manual Entry. When Let me add multiple exceptions
without leaving this page is selected, the Manual Entry option clears the Serial Number field but keeps all other
information. This streamlines the process of adding many individual exceptions.

1. Select a USB device class, or select Any class, to view the exceptions in that class

2. Click Add Exception to add a new exception to that class

3. Choose whether to create the exception using a USB device's Combined ID or Manual Entry

Combined ID

1. Click the USB Device Dashboard link to open it in a new tab


2. Copy the combined ID value of the USB device you want to make an exception for

3. Return to the Add USB Device Exception tab and paste the value in the Combined ID field

4. Select the Device Class for this exception

5. Select the permissions for this exception:

   Full access (or Read, write and execute, for the Mass Storage class)

   Full block

   Read and write only (applies only to the Mass Storage class)

   Read only (applies only to the Mass Storage class)

6. (Optional) Select Let me add multiple exceptions without leaving this page

7. Click Add Exception

Manual Entry

Tip: The default format for Vendor ID or Product ID is decimal (0 to 65535). If you enter a hexadecimal value
beginning with 0x (0x0 to 0xFFFF), the Falcon console automatically converts it to decimal format.

1. Enter the Vendor ID and Vendor Name

2. (Optional) Enter a Product ID and Product Name

3. (Optional) Enter a Serial Number

4. Select the Device Class for this exception

5. Select the permissions for this exception:

   Full access (or Read, write and execute, for the Mass Storage class)

   Full block

   Read and write only (applies only to the Mass Storage class)

   Read only (applies only to the Mass Storage class)

6. (Optional) Select Let me add multiple exceptions without leaving this page

7. Click Add Exception

8. Click Save to save your changes to this USB device policy

When you use Manual Entry, exceptions that contain more information override exceptions that contain less information. From
highest to lowest priority, this is the order of specificity:

1. All 3 of Vendor ID, Product ID, and Serial Number

2. Vendor ID and Product ID

3. Vendor ID and a specific device class

4. Vendor ID

5. Device class
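To make the specificity order above and the two policy modes concrete, here is an added Python simulation; it is not CrowdStrike code and the Falcon console exposes no such API. It resolves a connection attempt against a policy's class settings and exceptions using the order listed above, applies the Monitor only rule (decision recorded, nothing enforced), and accepts VID/PID in the decimal or 0x hexadecimal formats the Manual Entry tip describes. The class names, data shapes, the ranking of field combinations the guide doesn't list, and all sample IDs are assumptions or constructed values.

```python
from collections import namedtuple
from dataclasses import dataclass, field
from typing import Optional
FULL = {"Full access", "Read, write and execute"}  # both spellings of "allowed"
SPECIFICITY = ["Device class", "VID", "VID + class", "VID + PID", "VID + PID + serial"]
Device = namedtuple("Device", "vid pid serial device_class")  # one connection attempt

def parse_usb_id(value: str) -> int:
    """Console formats for VID/PID: decimal 0-65535, or hex 0x0-0xFFFF."""
    n = int(value, 16) if value.lower().startswith("0x") else int(value)
    if not 0 <= n <= 0xFFFF:
        raise ValueError(f"USB ID out of range: {value!r}")
    return n

@dataclass(frozen=True)
class UsbException:
    vid: int
    permission: str
    pid: Optional[int] = None
    serial: Optional[str] = None
    device_class: Optional[str] = None  # None means "Any class"

def match_rank(exc: UsbException, dev: Device) -> int:
    """SPECIFICITY index if exc matches dev, else -1 (assumption: combinations the
    guide doesn't list, e.g. VID+PID+class, rank by their most specific field)."""
    wanted = [(exc.vid, dev.vid), (exc.pid, dev.pid), (exc.serial, dev.serial),
              (exc.device_class, dev.device_class)]
    if any(w is not None and w != have for w, have in wanted):
        return -1
    if exc.serial is not None:
        return 4
    return 3 if exc.pid is not None else 2 if exc.device_class is not None else 1

@dataclass
class UsbPolicy:
    name: str
    mode: str  # "Monitor and enforce" or "Monitor only"
    class_permissions: dict  # e.g. {"Mass Storage": "Full block"}
    exceptions: list = field(default_factory=list)

    def evaluate(self, dev: Device) -> dict:
        """Most specific matching exception wins; the class setting is the
        fallback; a Monitor only policy records the decision but never enforces."""
        rank, best = max(((match_rank(e, dev), e) for e in self.exceptions),
                         key=lambda t: t[0], default=(-1, None))
        if rank < 0:  # no exception matched: fall back to the class permission
            decided, rank = self.class_permissions.get(dev.device_class, "Full access"), 0
        else:
            decided = best.permission
        applied = decided if self.mode == "Monitor and enforce" else "Full access"
        return {"policy": self.name, "matched_by": SPECIFICITY[rank], "decided": decided,
                "applied": applied, "violation": self.mode == "Monitor only" and decided not in FULL}

# Constructed sample: block all mass storage, allow one corporate-issued drive
SAMPLE = UsbPolicy("Block removable storage", "Monitor and enforce",
                   {"Mass Storage": "Full block", "Audio / Video": "Full access"},
                   [UsbException(parse_usb_id("0x1234"), "Read only", device_class="Mass Storage"),
                    UsbException(0x1234, "Read, write and execute", pid=0x5678, serial="CORP-0001")])
```

Running `SAMPLE.evaluate(Device(0x1234, 0x9999, "OTHER", "Mass Storage"))` shows the VID + class exception winning over the class default, while a device with serial CORP-0001 matches the more specific VID + PID + serial entry.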


4. Assign Your Policy to Groups

After you've created a policy and exceptions, you're ready to assign your USB device policy to a group. Assigning a USB device
policy works the same as assigning other types of policies.

1. Go to Configuration > USB Device Policies.

2. Find the policy you want to assign to a group and click the Edit Policy button on the far right.

3. Near the top of the page, click Assignment.

4. Click Add Groups in the upper-right.

5. Select one or more groups.

6. Click Apply.

USB device policies take effect when a USB device is connected to a host. If a host has USB devices connected when you assign a
policy, those devices aren't affected until the next time they're reconnected or the next time the host reboots.

Getting Info About USB Devices

After you set up your USB device policies, use the Falcon console’s Device Control dashboards to review USB connection events
in your environment. Depending on which Device Control subscription you have, you'll find your Device Control dashboards in a
different part of the Falcon console:

If you have Device Control with Falcon Prevent or Falcon Pro, go to Activity > USB Device Control

If you have Device Control with Falcon Insight, go to Investigate > USB Device Control

Using Activity > USB Device Control

If you have Device Control with Falcon Prevent or Falcon Pro, go to Activity > USB Device Control

This view of Device Control only tracks instances of USB devices connecting to hosts. It doesn’t track other user or
system actions, such as file transfers.

Here you can see all instances of USB devices connecting to your hosts, including details about:

The USB device, such as its device name, vendor name, and IDs

The specific host it attempted to connect to, including whether the connection was allowed or blocked

The USB device policy that defined whether the connection was allowed or blocked - and you can create policy exceptions here
without returning to Configuration > USB Device Policies


VIEWING AND FILTERING USB DEVICE EVENTS

By default, Activity > USB Device Control shows all instances of USB devices connecting to your hosts. You can filter these events
with the filter bar at the top.

Filter option: Goal/description

Policy mode: Enforce: view events associated with policies set to Monitor and Enforce mode. Monitor only: view events
associated with policies set to Monitor only mode. A value of N/A indicates that the USB device was allowed to connect (the
Full access permission).

Permissions: View events that resulted in a selected action, based on the Permission setting in your USB device policy. Read
only and Read and write only appear only for devices with the mass storage USB device class.

Policy name: View events associated with a specific USB device policy. A value of N/A indicates that the USB device was
allowed to connect (the Full access permission).

Device class: The USB device class of the device. This is set by the device manufacturer.

Vendor name: The manufacturer of the USB device. This is set by the device manufacturer.

Product name: The product name for the device. This is set by the device manufacturer.

Event time: The time the USB device attempted to connect. This time is recorded in UTC but displayed according to your user
profile’s time setting.

CREATING EXCEPTIONS

In addition to creating exceptions from Configuration > USB Device Policies, you can create exceptions from an individual event on
the Activity > USB Device Control dashboard.

1. From Activity > USB Device Control, select an event

2. Click the Add Exception button

3. (Optional) Change any items for this exception

4. Click Add to policy to add your exception to the policy for future USB devices

Using Investigate > USB Device Control

Discover information on USB devices in your environment at Investigate > USB Device Control.

You'll also use this information when you create exceptions in USB device policies. When creating exceptions, you identify USB
devices by their vendor IDs (VIDs), product IDs (PIDs), and serial numbers. We recommend using the USB device dashboards to
get accurate information, but you can also use another source of USB devices' VIDs, PIDs, and serial numbers.


Tip: Download the contents of any of these dashboards by mousing over them, then clicking Export in the bottom-right corner.

USB DEVICE USAGE

The USB Device Usage dashboard shows all USB device activity in your environment.

You can also enter a serial number, vendor name, device class, or product name to narrow your search. Depending on the size of
your environment, changing the Time Range can result in a search that takes some time to complete.


DEVICE USAGE BY HOST

The Device Usage by Host dashboard shows device usage for a single host. Enter a hostname in the Host Name field to view its
history.

DEVICE BLOCKS


The Device Blocks dashboard shows instances of USB devices that were blocked by a USB device policy set to Full Block on any
host in your environment. Instances of mass storage devices using policies set to Read only or Read and write only aren't included.
This dashboard helps you determine whether your USB device policies are blocking devices as intended.

You can also enter a serial number, vendor name, or product name to narrow your search. Depending on the size of your
environment, changing the Time Range can result in a search that takes some time to complete.

POLICY VIOLATIONS

The Policy Violations dashboard shows instances of USB devices that match a USB device policy set to Monitor only. These USB
devices were allowed to connect to a host, but if your policy were set to Monitor and enforce, they would have been blocked. This
dashboard helps you test a USB device policy without affecting users and hosts.

