Blocking removable devices by class ID 6.4.2
You can define multiple rules to block, monitor, or allow removable devices, such as the following:
- Human interface devices
- Windows portable devices
- Bluetooth devices
- CD-ROM drive
- Smart card reader
- USB device
- Camera device
You can configure rules using device properties including the class, manufacturer, vendor ID, product ID, and revision. Each rule is either Simple (exact match) or Regular Expression (Perl-compatible regular expression syntax). One profile supports multiple rules. FortiClient EMS ignores empty fields in a rule. If FortiClient detects a removable device whose properties match a rule, it applies the configured action (block, allow, or monitor).
You can find the hardware properties of a removable device using Hardware Manager or USBDeView.
To configure Removable Media Access:
- In EMS, go to Endpoint Profiles > Manage Profiles.
- On the Malware tab, enable Removable Media Access.
- Configure the following:
Show bubble notifications: Display a bubble notification when FortiClient takes action on a removable media device.

Action: Configure the action to take with removable media devices connected to the endpoint that match this rule. Available options are:
- Allow: Allow access to removable media devices connected to the endpoint that match this rule.
- Block: Block access to removable media devices connected to the endpoint that match this rule.
- Monitor: Log removable media device connections to the endpoint that match this rule.

Description: Enter the desired rule description.

Type: Select Simple or Regular Expression for the rule type. When Simple is selected, FortiClient performs case-insensitive matching against classes, manufacturers, vendor IDs, product IDs, and revisions. When Regular Expression is selected, FortiClient uses Perl Compatible Regular Expressions (PCRE) to perform matching against classes, manufacturers, vendor IDs, product IDs, and revisions.

Class: Enter the device class.

Manufacturer: Enter the device manufacturer.

Vendor ID: Enter the device vendor ID.

Product ID: Enter the device product ID.

Revision: Enter the device revision number.

Remove this rule: Remove this rule from the profile.

Add a new rule: Add a new removable media access rule.

Move this rule up/down: Move this rule up or down in the list. If a connected device matches multiple rules, FortiClient applies the rule that is highest in the list.

Default removable media access: Configure the action to take with removable media devices that do not match any configured rule. Available options are:
- Allow: Allow access to removable media devices connected to the endpoint that do not match any configured rule.
- Block: Block access to removable media devices connected to the endpoint that do not match any configured rule.
- Monitor: Log removable media device connections to the endpoint that do not match any configured rule.
- Click Save.
The FortiClient GUI currently does not display all defined removable media rules. It only displays the default action, which is applied when the removable device does not match any defined rule.
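The matching and precedence behaviour described above (empty fields ignored, Simple versus Regular Expression type, the rule highest in the list wins, default action otherwise) modelled as an added Python example. This is not FortiClient or EMS code. It assumes that rules are tested top to bottom with the first match winning, that Simple is a case-insensitive exact comparison of each non-empty field, and that the Regular Expression type behaves like an unanchored Python `re.search` standing in for PCRE; the class names, rule values and device properties are constructed for illustration. It also includes a small profile check, `catch_all_rules`, that flags a rule whose match fields are all empty, since such a rule matches every device and shadows everything below it.

```python
"""Model of removable-media rule evaluation (added example, not Fortinet's code)."""
import re
from dataclasses import dataclass

# Device properties a rule can match on, as listed in the profile.
MATCH_FIELDS = ("device_class", "manufacturer", "vendor_id", "product_id", "revision")


@dataclass
class Rule:
    action: str                  # "allow", "block" or "monitor"
    rule_type: str = "simple"    # "simple" or "regex"
    device_class: str = ""       # empty fields are ignored when matching
    manufacturer: str = ""
    vendor_id: str = ""
    product_id: str = ""
    revision: str = ""
    description: str = ""


def field_matches(pattern: str, value: str, rule_type: str) -> bool:
    """Compare one rule field with one device property; empty pattern is a wildcard."""
    if pattern == "":
        return True
    if rule_type == "simple":
        return pattern.casefold() == value.casefold()
    if rule_type == "regex":
        # Assumption: an unanchored, case-sensitive search, like a plain PCRE match call.
        return re.search(pattern, value) is not None
    raise ValueError(f"unknown rule type: {rule_type}")


def rule_matches(rule: Rule, device: dict) -> bool:
    """Every non-empty field of the rule must match the device's property."""
    return all(field_matches(getattr(rule, f), device.get(f, ""), rule.rule_type)
               for f in MATCH_FIELDS)


def evaluate(device: dict, rules: list, default_action: str):
    """Return (action, matching rule or None).

    List order is profile order, so when several rules could apply the one
    nearest the top wins (assumed first-match semantics).
    """
    for rule in rules:
        if rule_matches(rule, device):
            return rule.action, rule
    return default_action, None


def catch_all_rules(rules: list) -> list:
    """Profile check: indexes of rules whose match fields are all empty."""
    return [i for i, r in enumerate(rules)
            if all(getattr(r, f) == "" for f in MATCH_FIELDS)]


# Constructed sample profile and devices; all values are illustrative only.
PROFILE = [
    Rule("allow", "simple", vendor_id="1234", product_id="abcd",
         description="issued encrypted drive (constructed IDs)"),
    Rule("block", "regex", device_class=r"^USB", description="any other USB device"),
    Rule("monitor", "simple", device_class="Camera device"),
]
DEFAULT_ACTION = "allow"

DEVICES = {
    "issued_drive": {"device_class": "USB device", "vendor_id": "1234", "product_id": "ABCD"},
    "unknown_drive": {"device_class": "USB device", "vendor_id": "5678", "product_id": "0001"},
    "webcam": {"device_class": "Camera device", "manufacturer": "Example"},
    "smart_card": {"device_class": "Smart card reader"},
}


def decisions(rules=PROFILE, default_action=DEFAULT_ACTION) -> dict:
    """Action chosen for each sample device under the given profile."""
    return {name: evaluate(dev, rules, default_action)[0] for name, dev in DEVICES.items()}


if __name__ == "__main__":
    for name, action in decisions().items():
        print(f"{name:14} -> {action}")
    # Same rules with the block rule moved above the allow rule: the issued drive is now blocked.
    reordered = [PROFILE[1], PROFILE[0], PROFILE[2]]
    print("issued_drive with block rule moved up ->", decisions(reordered)["issued_drive"])
    print("catch-all rules:", catch_all_rules(PROFILE + [Rule("monitor")]))
```

Running the block shows the issued drive allowed by the first rule even though the second rule would block it, and the same drive blocked once the order is swapped, which is why the Move this rule up/down position matters when an allow exception sits beside a broad block. The `catch_all_rules` check is a reasonable pre-save review step for a profile, because a rule with no fields filled in is indistinguishable from a second default action placed ahead of every rule below it.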
To view endpoint removable media events:
- In EMS, go to Endpoints and locate the desired endpoint.
- Click the endpoint, then select the USB Monitor Events tab.