|
An external hard drive or pen drive is classified as class=WPD. It is possible to try to create a rule to block class WPD and allow the Default Removable Media Access or to use one of the following ways to further confirm the desired values details for the media storage device such as Class, PID, and VID.
- Microsoft Windows Device Manager: select the device and view its properties.
- USBDeview.
Configure the policy for removable access by creating a new profile for testing if possible:
class type=WPD manufacture=any vid=0781 pid=5567 Action=Block <----- Removed 0x in-front PID&VID.
Default Removable Media Access Action=Allow
If the policy does not work as expected, enable debug log on endpoints and provide for TAC further checking or, check on fortiusbmon log from endpoint:
C:\Program Files\Fortinet\FortiClient\logs\trace--> fortiusbmon log
Sample logging:
[2022-08-06 08:33:57.3257975] [5476:5616] [fortiusbmon 279] id: 16
[2022-08-06 08:33:57.3257980] [5476:5616] [fortiusbmon 280] device_description: Storage
[2022-08-06 08:33:57.3257984] [5476:5616] [fortiusbmon 281] device_property_classguid: {eec5ad98-8080-425f-922a-dabf3de3f69a}
[2022-08-06 08:33:57.3257989] [5476:5616] [fortiusbmon 282] classname: WPD <----- Class type.
[2022-08-06 08:33:57.3257993] [5476:5616] [fortiusbmon 283] driverkeyname: {eec5ad98-8080-425f-922a-dabf3de3f69a}\0003
[2022-08-06 08:33:57.3257997] [5476:5616] [fortiusbmon 284] friendlyname: G:\
[2022-08-06 08:33:57.3258002] [5476:5616] [fortiusbmon 285] hardware_id:
[2022-08-06 08:33:57.3258006] [5476:5616] [fortiusbmon 286] manufacturer: EPSON
[2022-08-06 08:33:57.3258010] [5476:5616] [fortiusbmon 287] physical_device_object_name: \Device\00000057
[2022-08-06 08:33:57.3258022] [5476:5616] [fortiusbmon 520 debug] \Device\00000057 attached
[2022-08-06 08:33:57.3261423] [5476:5616] [fortiusbmon 84] PDOName retrieved: \Device\00000057
[2022-08-06 08:33:57.3261514] [5476:5616] [fortiusbmon 91] ContainerId retrieved: {82246340-1A82-5DEE-B1AB-861796B5F8B3}
[2022-08-06 08:33:57.3269900] [5476:5616] [fortiusbmon 178] GetInstanceProperty() found the matched device
[2022-08-06 08:33:57.3270275] [5476:5616] [fortiusbmon 178] GetInstanceProperty() found the matched device
[2022-08-06 08:33:57.3270514] [5476:5616] [fortiusbmon 178] GetInstanceProperty() found the matched device
[2022-08-06 08:33:57.3270697] [5476:5616] [fortiusbmon 162] Enumerate Device ends at 7
[2022-08-06 08:33:57.3271193] [5476:5616] [fortiusbmon 398] extracted hardwareId: vid=04B8 pid=08D3 rev=0100 <----- PID,VID&REV.
[2022-08-06 08:33:57.3271210] [5476:5616] [fortiusbmon 297] haystack: WPD needle: WPD
Reconfigure the policy based on the Windows extracted from the USB details.
Sometimes, the removable access policy does not work as expected due to it detecting multiple class types (e.g. WPD and USB).
It is necessary to reconfigure the rule based on the details and to try again.
Note:
Starting from EMS v7.0.13 and v7.2.5 onwards, the 'Class' field can be input manually, instead of being selected from the fixed dropdown list.
This would make it possible to configure rules such as classname: Mouse or Ports that were previously not available before EMS v7.0.13 and EMS v7.2.5.
[2025-08-27 16:48:46.1420379] [8276:8484] [fortiusbmon 323] device_description: HID-compliant mouse
[2025-08-27 16:48:46.1420385] [8276:8484] [fortiusbmon 324] device_property_classguid: {4d36e96f-e325-11ce-bfc1-08002be10318}
[2025-08-27 16:48:46.1420391] [8276:8484] [fortiusbmon 325] classname: Mouse <-----
[2025-07-02 09:08:30.4458815 UTC+08:00] [476:10892] [fortiusbmon 339 info] device_description: Communications Port
[2025-07-02 09:08:30.4458912 UTC+08:00] [476:10892] [fortiusbmon 340 info] device_property_classguid: {4d36e978-e325-11ce-bfc1-08002be10318}
[2025-07-02 09:08:30.4459798 UTC+08:00] [476:10892] [fortiusbmon 341 info] classname: Ports <-------
If the policy still does not work as expected, provide the debug log on endpoints to TAC for further checking.
Related documents:
Malware Protection
|
