Technical Tip: How to properly identify USB devices to configure in Removable Media Access Control in FortiClient EMS / FortiEDR

david_pereira · ‎09-09-2024

Description

This article describes a better way to identify USB devices and their attributes, allowing the system administrator to properly block or allow devices using the Removable Media Access Control feature, available in FortiClient EMS and FortiEDR.
Sometimes a company needs to block USB devices in general while allowing other ones, such as some keyboards and mice. Collecting the hardware details of the allowed devices makes it possible to block all devices while allowing some exceptions.

Scope

Microsoft Windows, FortiClient EMS, FortiEDR.

Solution

In this task, a freeware app named Usbdeview.exe will be used. It was created by Nirsoft and can be found on the Nirsoft website.

Access this link to directly go to the Freeware download page:
Download the 32 or 64-bit version as appropriate for the OS in use.
Run Usbdeview.exe. A list with all USB devices and their attributes will be shown:
Choose the desired device for which the attributes are necessary to collect and double-click on it:

As in the example above, a new window with all the device attributes will open. Some useful information can be gathered here, such as the Product ID, Vendor ID, and sometimes even the Firmware Revision.

For testing purposes, this information will be used to configure a Malware Protection Profile in FortiClient EMS. To allow this keyboard only and deny all the rest, the Vendor ID and the Product ID were used:

Note that it is possible to use this info for every USB device, as well as allow or block the device, making it possible a granular configuration.