Use case: Removable storage file access device rule with a whitelisted process

You can whitelist file names as an exception to a removable storage blocking rule.

Removable storage file access device rules block applications from acting on the removable device. The whitelisted file names identify processes that the rule does not block. In this example, we block Sandisk removable storage devices, but allow anti-virus software to scan the device to remove infected files.

Note: This feature is supported only for Windows-based computers.

Task

  1. In McAfee ePO, select Menu → Data Protection → DLP Policy Manager.
  2. On the Definitions tab, locate the built-in device template All Sandisk removable storage devices (Windows), and click Duplicate.
    The template uses the Sandisk vendor ID 0781.
    Tip: Duplicate the built-in templates to customize a template. For example, you can add other vendor IDs to the duplicated Sandisk template to add other brands of removable devices.
  3. On the Rule Sets tab, select or create a rule set.
  4. On the rule set Device Control tab, select Actions → New Rule → Removable Storage File Access Device Rule.
  5. Enter a name for the rule and select State → Enabled.
  6. On the Conditions tab, select an End-User or leave the default (is any user). In the Removable Storage field, select the device template item you created in step 2. Leave the default settings for True File Type and File Extension.
  7. On the Exceptions tab, select Excluded File Names.
  8. In the File Name field, add the built-in McAfee AV definition.
    As with the removable storage device template item, you can duplicate this template and customize it.
  9. On the Reaction tab, select Action → Block. You can optionally add a user notification, select the Report Incident option, or select a different action when disconnected from the corporate network.
  10. Click Save, then click Close.
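
Before assigning the rule, you can check on a Windows endpoint which USB storage devices the vendor IDs in the duplicated template would match. The following PowerShell is an added example, not McAfee code: the function name `Get-UsbVendorCoverage`, its parameters, and the sample instance IDs are hypothetical, and it assumes USB mass-storage devices are bound to the `USBSTOR` service.

```powershell
# Added example (not part of McAfee DLP): report which USB storage devices
# a vendor-ID-based device template would match on this Windows endpoint.
function Get-UsbVendorCoverage {
    param(
        # Vendor IDs in the duplicated template; 0781 (Sandisk) is the ID named in step 2.
        [string[]]$TemplateVendorIds = @('0781'),
        # PnP instance IDs to evaluate. By default, query the devices Windows
        # reports as bound to the USBSTOR service (assumption: mass storage).
        [string[]]$InstanceId = (Get-CimInstance Win32_PnPEntity -Filter "Service='USBSTOR'").PNPDeviceID
    )
    foreach ($id in $InstanceId) {
        # USB instance IDs have the form USB\VID_vvvv&PID_pppp\serial
        if ($id -match '^USB\\VID_([0-9A-F]{4})&PID_([0-9A-F]{4})') {
            [pscustomobject]@{
                VendorId          = $Matches[1].ToUpper()
                ProductId         = $Matches[2].ToUpper()
                CoveredByTemplate = $TemplateVendorIds -contains $Matches[1]
                InstanceId        = $id
            }
        }
        else {
            # Composite or non-USB nodes carry no VID/PID prefix; flag for manual review.
            Write-Warning "No USB VID/PID found in instance ID: $id"
        }
    }
}

# Constructed sample instance IDs (not captured from a real host).
$sample = @(
    'USB\VID_0781&PID_0001\CONSTRUCTED-SERIAL-1',   # Sandisk vendor ID from the template
    'USB\VID_ABCD&PID_0002\CONSTRUCTED-SERIAL-2',   # placeholder for another brand
    'USBSTOR\DISK&VEN_EXAMPLE\CONSTRUCTED-SERIAL-3' # no VID/PID: triggers the warning
)

# Offline run against the constructed sample.
Get-UsbVendorCoverage -InstanceId $sample | Format-Table -AutoSize

# Live run against this endpoint, testing a template extended with a second vendor ID.
# Get-UsbVendorCoverage -TemplateVendorIds '0781', 'ABCD' | Format-Table -AutoSize
```

Devices reported with `CoveredByTemplate` set to `False` are not matched by the template, so the rule does not block them until their vendor IDs are added to the duplicated template as described in the tip in step 2.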