USB Device Support
Encrypted USB Mount
When a USB device with hardware-based encryption (including Kingston IronKey, Kingston DataTraveler Vault Privacy 3.0, Integral Courier, and OS BitLocker Encryption) is mounted, the activity is captured by the Agent and categorized as Volume Mount. Volume Mount is triggered when an encrypted USB device is plugged in and its writable volume is made available for copying/moving files. (Volume mounting usually follows password authentication.) Other file activity, such as copying/moving files to this volume, is also detected.
In Explorations and Detection Rules, use the USB Product Name field (Devices > USB Product Name) to identify a USB device by a unique value. (Usually, each encrypted USB device has a unique value that is extracted by the Agent.)
USB Attached SCSI (UAS) is supported. A UAS device is detected as a USB device when it is plugged in (Volume Mount) and when files are exfiltrated (Copy/Move to USB and Copy/Move from USB).
Software Detection
File exfiltration activity on the following encrypted software devices is detected by the Agent:
- PrivateAccess by SanDisk
- MfeEERM by McAfee
- SecureLock by Integral (used in Integral Secure 360)
- BitLocker
To set up rules and explorations for these devices, use the following fields:
- File/Resources > Protection Type
- Devices > Storage Protection Type
Prevent Exfiltration to USB Encrypted by BitLocker or Trellix
Prevention of exfiltration to USB can also be enforced for USB devices that are encrypted by the following vendors:
- BitLocker: Microsoft encryption technology built into Windows OS.
- Trellix File and Removable Media Protection: proprietary GUI-based software by Trellix that can be used to copy files to and from USB devices while keeping them encrypted on the device.
To prevent exfiltration to BitLocker/Trellix devices, the field Files Resources > Protection Type can be used as follows:
- To prevent exfiltration to a device protected by BitLocker: Files Resources > Protection Type is set to OS BitLocker Encryption.
- To prevent exfiltration to a device protected by Trellix File and Removable Media Protection:
  - Files Resources > Protection Type is set to Custom Software Encryption
  - Process/Application > Executable Name is set to MfeEERM.exe (the executable name of the Trellix software)
Trellix and BitLocker encryption with the USB Allow action is now supported. This feature is useful when exfiltration of encrypted data to USB should be allowed for specific users. Use the filter File Resources > Protection Type.
For example, you can create a rule that allows specific users to copy sensitive information to a USB device if the device is encrypted with BitLocker.
SD Card Connections
Like USB devices, SD cards can also be used for data exfiltration.
The Agent can detect and prevent both SD card connections and file copy/move actions to SD cards.
Since most SD cards are recognized as USB Storage Devices rather than as SD cards, both Detection and Prevention Rules configured for USB devices are automatically applied to SD cards.
In many cases, SD cards are recognized as standard USB devices, and activities involving SD cards can be categorized accordingly:
- SD Card Connection: The primary category is set to USB Connect. If the device specifically identifies itself as an SD card, an additional category, SD Card Connect, is also assigned alongside the primary category.
- File Copy/Move to SD Card: The primary category is set to Copy to USB. If the device clearly identifies itself as an SD card, an additional category, Copy to SD Card, is assigned. Additionally, the category Copy to External Storage Device is always applied.
To block file transfers to SD Cards, create a Prevention Rule for Copy to USB.
SD card detection and prevention is implemented for both of the following scenarios:
- When the card is inserted directly into an SD card slot on the endpoint (connected to the motherboard).
- When the card is used with an external adapter connected via USB.
Unlike USB devices, SD cards typically do not expose fields such as Product ID/Name or Vendor ID/Name.
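The following added example (not the product's own code) models two things described above: the categorization of copy/move events so that SD cards fall under Copy to USB rules, and the BitLocker/Trellix prevention and allow rules built on the Protection Type and Executable Name fields. The event fields, the rule set, and the first-match-wins evaluation order are assumptions made for the example; the product's actual rule engine is not documented on this page.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class CopyEvent:
    """A Copy/Move-to-device event as the Agent might report it (constructed fields)."""
    user: str
    device_kind: str        # "usb", or "sd_card" when the device identifies itself as an SD card
    protection_type: str    # Files Resources > Protection Type value, e.g. "OS BitLocker Encryption"
    executable_name: str    # Process/Application > Executable Name

def categorize(ev: CopyEvent) -> set:
    """Categories from the SD Card Connections section: every copy to a USB or SD card
    is 'Copy to USB' (so USB rules cover SD cards), a device identifying itself as an SD card
    also gets 'Copy to SD Card', and 'Copy to External Storage Device' is always applied."""
    cats = {"Copy to USB", "Copy to External Storage Device"}
    if ev.device_kind == "sd_card":
        cats.add("Copy to SD Card")
    return cats

@dataclass
class Rule:
    action: str                            # "prevent" or "allow"
    category: str                          # category the rule is created for
    protection_type: Optional[str] = None  # filter on Files Resources > Protection Type
    executable_name: Optional[str] = None  # filter on Process/Application > Executable Name
    users: Optional[frozenset] = None      # restrict the rule to specific users

    def matches(self, ev: CopyEvent) -> bool:
        return (self.category in categorize(ev)
                and (self.protection_type is None or ev.protection_type == self.protection_type)
                and (self.executable_name is None
                     or ev.executable_name.lower() == self.executable_name.lower())
                and (self.users is None or ev.user in self.users))

def decide(ev: CopyEvent, rules) -> str:
    """Assumed evaluation order: the first matching rule wins; no match means the copy is allowed."""
    for rule in rules:
        if rule.matches(ev):
            return "block" if rule.action == "prevent" else "allow"
    return "allow"

# Constructed rule set mirroring the page: BitLocker allowed for one user, otherwise blocked;
# Trellix-encrypted copies (MfeEERM.exe with Custom Software Encryption) blocked for everyone.
RULES = [
    Rule("allow", "Copy to USB", protection_type="OS BitLocker Encryption", users=frozenset({"alice"})),
    Rule("prevent", "Copy to USB", protection_type="OS BitLocker Encryption"),
    Rule("prevent", "Copy to USB", protection_type="Custom Software Encryption", executable_name="MfeEERM.exe"),
]
```

Because an SD card copy is always categorized as Copy to USB, the BitLocker prevention rule blocks it just as it would a USB stick, which is the behaviour the SD Card Connections section describes.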