FortiClient
FortiClient proactively defends against advanced attacks. Its tight integration with the Security Fabric enables policy-based automation to contain threats and control outbreaks. FortiClient is compatible with Fabric-Ready partners to further strengthen enterprises’ security posture.
mithing
Staff
Article Id 295284
Description This article describes blocking removable media storage such as external hard drives or pen drives and allowing a mouse/keyboard in EMS.
Scope EMS v7.2.x and FortiClient v7.2.x.
Solution

An external hard drive or pen drive is classified as class=WPD. One option is to create a rule that blocks class WPD while leaving Default Removable Media Access set to Allow. To confirm the exact values for the storage device (Class, PID, and VID) before writing the rule, use one of the following:

  • Microsoft Windows Device Manager: select the device and view its properties.
  • USBDeview.

Configure the removable access policy, ideally in a new profile created for testing:


class type=WPD manufacture=any vid=0781 pid=5567 Action=Block <----- Enter the PID and VID without the 0x prefix.

Default Removable Media Access Action=Allow

If the policy does not work as expected, either enable debug logging on the endpoint and provide the log to TAC for further checking, or inspect the fortiusbmon log on the endpoint directly:

C:\Program Files\Fortinet\FortiClient\logs\trace --> fortiusbmon log

Sample logging:


[2022-08-06 08:33:57.3257975] [5476:5616] [fortiusbmon 279] id: 16
[2022-08-06 08:33:57.3257980] [5476:5616] [fortiusbmon 280] device_description: Storage
[2022-08-06 08:33:57.3257984] [5476:5616] [fortiusbmon 281] device_property_classguid: {eec5ad98-8080-425f-922a-dabf3de3f69a}
[2022-08-06 08:33:57.3257989] [5476:5616] [fortiusbmon 282] classname: WPD <----- Class type.
[2022-08-06 08:33:57.3257993] [5476:5616] [fortiusbmon 283] driverkeyname: {eec5ad98-8080-425f-922a-dabf3de3f69a}\0003
[2022-08-06 08:33:57.3257997] [5476:5616] [fortiusbmon 284] friendlyname: G:\
[2022-08-06 08:33:57.3258002] [5476:5616] [fortiusbmon 285] hardware_id:
[2022-08-06 08:33:57.3258006] [5476:5616] [fortiusbmon 286] manufacturer: EPSON
[2022-08-06 08:33:57.3258010] [5476:5616] [fortiusbmon 287] physical_device_object_name: \Device\00000057
[2022-08-06 08:33:57.3258022] [5476:5616] [fortiusbmon 520 debug] \Device\00000057 attached
[2022-08-06 08:33:57.3261423] [5476:5616] [fortiusbmon 84] PDOName retrieved: \Device\00000057
[2022-08-06 08:33:57.3261514] [5476:5616] [fortiusbmon 91] ContainerId retrieved: {82246340-1A82-5DEE-B1AB-861796B5F8B3}
[2022-08-06 08:33:57.3269900] [5476:5616] [fortiusbmon 178] GetInstanceProperty() found the matched device
[2022-08-06 08:33:57.3270275] [5476:5616] [fortiusbmon 178] GetInstanceProperty() found the matched device
[2022-08-06 08:33:57.3270514] [5476:5616] [fortiusbmon 178] GetInstanceProperty() found the matched device
[2022-08-06 08:33:57.3270697] [5476:5616] [fortiusbmon 162] Enumerate Device ends at 7
[2022-08-06 08:33:57.3271193] [5476:5616] [fortiusbmon 398] extracted hardwareId: vid=04B8 pid=08D3 rev=0100 <----- VID, PID and revision.
[2022-08-06 08:33:57.3271210] [5476:5616] [fortiusbmon 297] haystack: WPD needle: WPD

Reconfigure the policy using the USB device details extracted from the log.

Sometimes the removable access policy does not work as expected because the device is detected with multiple class types (e.g. WPD and USB).

In that case, reconfigure the rule based on those details and test again.
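As an added example that is not part of this article or of FortiClient's own code, the following Python reads the fortiusbmon fields shown above, renders them as a rule in the format used in this article, and checks whether a candidate rule would match the device. The log lines are constructed in that format, and the rule syntax and matching semantics are assumptions taken from the rule line above, not from how EMS itself evaluates rules.

```python
import re

# Constructed log lines in the fortiusbmon format shown above (not a real capture).
SAMPLE_LOG = """\
[2022-08-06 08:33:57.3257989] [5476:5616] [fortiusbmon 282] classname: WPD
[2022-08-06 08:33:57.3258006] [5476:5616] [fortiusbmon 286] manufacturer: EPSON
[2022-08-06 08:33:57.3271193] [5476:5616] [fortiusbmon 398] extracted hardwareId: vid=04B8 pid=08D3 rev=0100
[2022-08-06 08:33:57.3271210] [5476:5616] [fortiusbmon 297] haystack: WPD needle: WPD
"""

LINE_RE = re.compile(r"^\[[^\]]+\] \[\d+:\d+\] \[fortiusbmon \d+(?: debug)?\] (.*)$")
HWID_RE = re.compile(r"vid=([0-9A-Fa-f]{4}) pid=([0-9A-Fa-f]{4})")
# Assumed rule syntax, copied from the rule line in this article.
RULE_RE = re.compile(r"class type=(\S+) manufacture=(\S+) vid=(\S+) pid=(\S+) Action=(\S+)")

def parse_fortiusbmon(text):
    """Pull the fields a removable-access rule needs out of a fortiusbmon trace."""
    dev = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        msg = m.group(1)
        if msg.startswith("classname:"):
            dev["class"] = msg.split(":", 1)[1].strip()
        elif msg.startswith("manufacturer:"):
            dev["manufacturer"] = msg.split(":", 1)[1].strip()
        elif msg.startswith("extracted hardwareId:"):
            h = HWID_RE.search(msg)
            if h:  # keep the bare hex digits: the rule takes no 0x prefix
                dev["vid"], dev["pid"] = h.group(1).upper(), h.group(2).upper()
    return dev

def suggest_rule(dev, action="Block"):
    """Render a rule line in the form the article's policy uses."""
    return (f"class type={dev['class']} manufacture=any "
            f"vid={dev['vid']} pid={dev['pid']} Action={action}")

def rule_matches(rule, dev):
    """Assumed matching: class, manufacturer (or 'any'), vid and pid must all agree.
    vid/pid are compared as the bare hex the log reports, so a rule written with
    a 0x prefix, or with the wrong class (USB vs WPD), does not fire."""
    m = RULE_RE.fullmatch(rule.strip())
    if not m:
        raise ValueError("unrecognised rule syntax: " + rule)
    cls, manu, vid, pid, _action = m.groups()
    return (cls.upper() == dev.get("class", "").upper()
            and (manu.lower() == "any" or manu.upper() == dev.get("manufacturer", "").upper())
            and vid.upper() == dev.get("vid") and pid.upper() == dev.get("pid"))
```

Feed it the trace from the endpoint to get the rule line to enter, then test a rule you already wrote against the same parsed device to see why it does not fire.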


If the policy still does not work as expected, provide the debug log from the endpoint to TAC for further checking.


Related documents: 

Malware Protection

How to properly identify USB devices