CROWDSTRIKE CONFIDENTIAL
Device Control Feature Guide
Contents:
Overview
Before You Begin
Requirements
Role requirements
System Requirements
Limitations
USB device policies
Creating USB Device Policies
1. Create a Policy
2. Set Your Policy's Permissions
3. Set Exceptions to Your Policy
4. Assign Your Policy to Groups
Getting Info About USB Devices
Using Activity > USB Device Control
Using Investigate > USB Device Control
Troubleshooting
A USB Device Isn't Handled Correctly
Blocking USB Devices with Multiple Classes
Vendor Name or Product Name are Incorrect
https://falcon.eu-1.crowdstrike.com/support/documentation/37/device-control 1/15
11/6/2020 Device Control | Documentation | Support | Falcon
Overview
With Device Control, you can create USB device policies to gain visibility and control over USB devices in your environment.
- Configure USB device policies to control which USB devices can connect to your Windows hosts
- Review Device Control dashboards to see USB device connections, USB device policy violations, and actions taken automatically by your policies
Device Control is an add-on module for Falcon Insight, Falcon Prevent, or Falcon Pro subscriptions.
Falcon’s USB device events: instances of a USB device attempting to connect to a host, either by being connected to the host or by already being connected when the host boots
Requirements
Role requirements
- Falcon Investigator
- Falcon Analyst
Users with these roles can edit USB device policies and exceptions:
- Falcon Administrator
System Requirements
Each host must be rebooted once after installation in order for Device Control to collect USB events.
You must have a Falcon Device Control module, available as an add-on for these Falcon subscriptions:
- Falcon Insight
- Falcon Prevent
- Falcon Pro
Limitations
We're aware of these scenarios in which Device Control may not function as expected.
- Virtualized environments such as Hyper-V, Citrix, VMware, or others: Hypervisor hosts may experience these issues (virtualized guest OSes are unaffected):
  - Using sensors earlier than version 4.16 on the hypervisor host sometimes results in an OS stop error ("BSOD").
  - Device Control may work in virtualized stacks, but it is not guaranteed nor recommended.
  - Device Control may fail to work on these hosts, or could cause BSODs for client/host.
- USB forwarding technologies such as RemoteFX, RDP: To block devices, you must apply USB device policies on the server, not the client.
- Custom/third party USB device stacks or UAS storage drivers such as ASUS USB 3.0 Boost: USB devices initialized on third party USB stacks will not be blocked by Device Control.
Understanding USB Device Control
USB Device Control helps you stay aware of the USB devices being connected to hosts in your environment. Each time a USB device attempts to connect to a host, the Falcon sensor on that host logs an event that contains information about the connection attempt:
- USB device info: its serial number, device class, vendor description, and more
- Policy info: action taken in response to the connection attempt (allowed or blocked), the criteria used to match the USB device to a policy setting
USB device policies
Configure USB device policies, then assign these policies to host groups to control whether USB devices can connect. USB device
policies are like prevention policies: they’re collections of settings for your hosts, and you assign them to host groups. If you have
multiple overlapping USB device policies for a given host, it applies the policy with the highest precedence.
Policies in Monitor and Enforce mode take action on USB devices, based on your policy settings: blocking or allowing the USB
device connection.
Policies in Monitor only mode record the USB device connection and the action defined by your policy setting, but they don’t
enforce the setting on assigned hosts. This mode is intended to help you test your policy behavior without disrupting users in
your environment.
The settings in a USB device policy determine whether a USB device of a given device class - or any class - is allowed to connect
to a host. Within each class, you can set exceptions: more specific configurations that override the general policy setting.
After you’ve configured your USB device policies and assigned them to hosts, review USB device events in the Falcon console.
Then, use that information to fine-tune your USB device policy settings and exceptions over time to meet your organization’s
specific needs.
Creating USB Device Policies
When you create a USB device policy, you're setting broad rules that allow or block USB devices based on their USB device class.
For example, you might create a policy to block USB storage drives, but permit access for other classes of USB devices.
Later, you can create more specific exceptions to the broad rules defined by a policy.
1. Create a Policy
- Monitor and enforce: apply the settings of this policy, such as blocking specified USB devices
- Monitor only: track violations of this policy, but don't enforce restrictions, in order to test this policy's settings
- Optionally, select Start with a copy of the default policy to "inherit" the current settings of the default USB device policy
- Click Create
2. Set Your Policy's Permissions
- Click any USB device class to configure policy settings for that class:
  - Imaging (Digital cameras)
  - Printer (Printers)
- (Optional) Click End User Notifications to enable or disable OS-level notifications to end users when a USB device is blocked by this policy
3. Set Exceptions to Your Policy
Create exceptions to override the standard behavior of a policy. Exceptions are based on a USB device's vendor ID (VID), product ID (PID), and serial number. For example, you might create a policy that blocks all USB mass storage devices, then create exceptions for the specific USB devices that are issued and approved by your organization.
It's possible to set a class's exception permissions to the same behavior as the class's permissions. If the class's permissions are
changed in the future, the exception's permissions remain the same.
Tip: If you have many exceptions to add, we recommend using Manual Entry. When Let me add multiple exceptions
without leaving this page is selected, the Manual Entry option clears the Serial Number field but keeps all other
information. This streamlines the process of adding many individual exceptions.
- Select a USB device class, or select Any class, to view the exceptions in that class
- Choose whether to create the exception using a USB device's Combined ID or Manual Entry
Combined ID
- Copy the combined ID value of the USB device you want to make an exception for
- Return to the Add USB Device Exception tab and paste the value in the Combined ID field
- Click Add Exception
Manual Entry
Tip: The default format for Vendor ID or Product ID is decimal (0 to 65535). If you enter a hexadecimal value beginning with 0x (0x0 to 0xFFFF), the Falcon console automatically converts it to decimal format.
- Click Add Exception
When you use Manual Entry, exceptions that contain more information override exceptions that contain less information. From highest to lowest priority, this is the order of specificity:
- Vendor ID
- Device class
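To make the policy semantics described above concrete (a per-class permission, exceptions that override it with the most fully specified match winning, 0x-prefixed VID/PID values converted to decimal, and Monitor only mode recording a decision without enforcing it), here is a small Python model. It is an added illustration, not CrowdStrike code; the names, the exact specificity weighting, and the sample VID/PID/serial values are assumptions.

```python
from collections import namedtuple

Device = namedtuple("Device", "device_class vendor_id product_id serial")
# Exception fields left as None are "not specified"; device_class None models "Any class".
DeviceException = namedtuple("DeviceException",
                             "permission device_class vendor_id product_id serial",
                             defaults=(None, None, None, None))
Policy = namedtuple("Policy", "mode class_permissions exceptions")

def parse_id(value: str) -> int:
    """Vendor/Product IDs are decimal 0-65535; a value beginning with 0x
    (0x0-0xFFFF) is read as hex and converted to decimal, as the console does."""
    s = value.strip()
    n = int(s[2:], 16) if s.lower().startswith("0x") else int(s, 10)
    if not 0 <= n <= 0xFFFF:
        raise ValueError(f"ID out of range: {value}")
    return n

def matches(e: DeviceException, d: Device) -> bool:
    """Every specified exception field must equal the device's value."""
    return all(want is None or want == have
               for want, have in zip(e[1:], d))

def specificity(e: DeviceException) -> int:
    """More information wins (docs: fuller exceptions override sparser ones).
    The weighting serial > product ID > vendor ID is an assumption here."""
    return ((e.serial is not None) * 4 + (e.product_id is not None) * 2
            + (e.vendor_id is not None))

def evaluate(policy: Policy, d: Device) -> dict:
    """Decide the permission for one connection attempt and whether this policy
    mode enforces it; 'violation' mirrors the Policy Violations dashboard."""
    permission = policy.class_permissions.get(d.device_class, "Full access")
    matched_by = "class"
    hits = [e for e in policy.exceptions if matches(e, d)]
    if hits:
        permission, matched_by = max(hits, key=specificity).permission, "exception"
    enforced = policy.mode == "Monitor and enforce"
    return {"permission": permission, "matched_by": matched_by, "enforced": enforced,
            "violation": not enforced and permission != "Full access"}

# Constructed sample policy (VID/PID/serial values are made up): block mass storage,
# allow one vendor's drives read-only, and allow one approved device fully.
POLICY = Policy("Monitor only", {"Mass storage": "Full block"}, [
    DeviceException("Read only", "Mass storage", vendor_id=parse_id("0x1234")),
    DeviceException("Full access", "Mass storage", vendor_id=parse_id("0x1234"),
                    product_id=parse_id("22136"), serial="CONSTRUCTED-0001"),
])
```

Calling `evaluate(POLICY, Device("Mass storage", 4660, 22136, "OTHER"))` picks the vendor-only exception (Read only) and flags a violation, because in Monitor only mode the restriction is recorded but not enforced.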
4. Assign Your Policy to Groups
After you've created a policy and exceptions, you're ready to assign your USB device policy to a group. Assigning a USB device policy works the same as assigning other types of policies.
- Find the policy you want to assign to a group and click the Edit Policy button on the far right.
- Click Apply.
USB device policies take effect when a USB device is connected to a host. If a host has USB devices connected when you assign a policy, those devices aren't affected until the next time they're reconnected or the next time the host reboots.
Getting Info About USB Devices
After you set up your USB device policies, use the Falcon console’s Device Control dashboards to review USB connection events in your environment. Depending on which Device Control subscription you have, you'll find your Device Control dashboards in a different part of the Falcon console:
- If you have Device Control with Falcon Prevent or Falcon Pro, go to Activity > USB Device Control
- If you have Device Control with Falcon Insight, go to Investigate > USB Device Control
Using Activity > USB Device Control
This view of Device Control only tracks instances of USB devices connecting to hosts. It doesn’t track other user or system actions, such as file transfers.
Here you can see all instances of USB devices connecting to your hosts, including details about:
- The USB device, such as its device name, vendor name, and IDs
- The specific host it attempted to connect to, including whether the connection was allowed or blocked
- The USB device policy that defined whether the connection was allowed or blocked - and you can create policy exceptions here without returning to Configuration > USB Device Policies
By default, Activity > USB Device Control shows all instances of USB devices connecting to your hosts. You can filter these events with the filter bar at the top.
Policy mode:
  - Monitor and Enforce: view events associated with policies set to Monitor and Enforce mode
  - Monitor only: view events associated with policies set to Monitor only mode
Permissions: view events that resulted in a selected action, based on the Permission setting in your USB device policy. Read only and Read and write only appear only for devices with the mass storage USB device class. A value of N/A indicates that the USB device was allowed to connect (the Full access permission).
Device class: the USB device class of the device. This is set by the device manufacturer.
Vendor name: the manufacturer of the USB device. This is set by the device manufacturer.
Product name: the product name for the device. This is set by the device manufacturer.
Event time: the time the USB device attempted to connect. This time is recorded in UTC but displayed according to your user profile’s time setting.
CREATING EXCEPTIONS
In addition to creating exceptions from Configuration > USB Device Policies, you can create exceptions from an individual event on the Activity > USB Device Control dashboard.
- Click Add to policy to add your exception to the policy for future USB devices
Using Investigate > USB Device Control
Discover information on USB devices in your environment at Investigate > USB Device Control.
You'll also use this information when you create exceptions in USB device policies. When creating exceptions, you identify USB devices by their vendor IDs (VIDs), product IDs (PIDs), and serial numbers. We recommend using the USB device dashboards to get accurate information, but you can also use another source of USB devices' VIDs, PIDs, and serial numbers.
Tip: Download the contents of any of these dashboards by mousing over them, then clicking Export in the bottom-right corner.
The USB Device Usage dashboard shows all USB device activity in your environment.
You can also enter a serial number, vendor name, device class, or product name to narrow your search. Depending on the size of
your environment, changing the Time Range can result in a search that takes some time to complete.
The Device Usage by Host dashboard shows device usage for a single host. Enter a hostname in the Host Name field to view its
history.
DEVICE BLOCKS
The Device Blocks dashboard shows instances of USB devices that were blocked by a USB device policy set to Full Block on any
host in your environment. Instances of mass storage devices using policies set to Read only or Read and write only aren't included.
This dashboard helps you determine whether your USB device policies are blocking devices as intended.
You can also enter a serial number, vendor name, or product name to narrow your search. Depending on the size of your
environment, changing the Time Range can result in a search that takes some time to complete.
POLICY VIOLATIONS
The Policy Violations dashboard shows instances of USB devices that match a USB device policy set to Monitor only. These USB
devices were allowed to connect to a host, but if your policy were set to Monitor and enforce, they would have been blocked. This
dashboard helps you test a USB device policy without affecting users and hosts.