EventTracker 8815 Centre Park Drive
Columbia MD 21045 www.eventtracker.com
Publication Date: Dec 21, 2011
EventTracker: Removable Media Device Monitoring
Version 7.x
Abstract
With the introduction of newer portable devices, the security requirements for protecting data integrity and confidentiality have changed. The increasing need for portable access to data has also increased the risk of exposing sensitive or confidential data. Keeping a record of removable media device activity has therefore become one of the most important compliance factors for the enterprise. EventTracker’s advanced removable media monitoring capability protects and monitors systems against illegal access and data theft. EventTracker helps users block unauthorized access to the machine while allowing trusted devices to connect.
Purpose
This document will help you enable removable device monitoring and explains the procedure to find the Device ID and USB serial number. It also covers monitoring of insertion/removal and of files written to and read from removable media such as CD/DVD and USB.
Intended Audience
Administrators who are assigned the task to monitor and manage events using EventTracker.
Scope
The configurations detailed in this guide are consistent with EventTracker Enterprise version 7.x. The instructions can be used while working with later releases of EventTracker Enterprise.
The information contained in this document represents the current view of Prism Microsystems Inc. on the issues discussed as of the date of publication. Because Prism Microsystems must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Prism Microsystems, and Prism Microsystems cannot guarantee the accuracy of any information presented after the date of publication.
This document is for informational purposes only. Prism Microsystems MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO THE INFORMATION IN THIS DOCUMENT. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, this paper may be freely distributed without permission from Prism, as long as its content is unaltered, nothing is added to the content and credit to Prism is provided.
Prism Microsystems may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Prism Microsystems, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
The example companies, organizations, products, people and events depicted herein are fictitious. No association with any real company, organization, product, person or event is intended or should be inferred. © 2013 Prism Microsystems Corporation. All rights reserved. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
Table of Contents
Overview
  EventTracker Monitoring Features
Implement Monitoring Removable Media Feature in EventTracker v7.1
  Monitor CDW/DVD Burning Activities
  Monitor CD-ROM Activities
  Configure EventTracker Agent to Monitor Removable Media
    Disable USB Drives
    Exempt Authorized USB Drives
  Configure Device Monitoring Alerts
    Import and Configure CD-DVD Monitoring Alert
  Configure USB Device Monitor Alerts
  EventTracker Device Monitoring Categories
  EventTracker Device Monitoring Reports
    Category Reports
    Custom Reports
  EventTracker Generated Events
    Media Type: CD/DVD Recorder
    Media Type: CD-ROM
    Media Type: Removable (USB)
  Limitations
EventTracker Configurations for removable device monitoring in v7.2
  EventTracker settings options for USB and other device changes
  Define USB exception list
  To find USB volume serial number
  To find USB Device ID
  To convert USB Serial number format
  Possible Substring match for Device ID
Overview
USB and other removable media are a vital part of any enterprise when it comes to data transfer. They come in many forms, such as flash memory drives, cell phones, cameras, and PDAs, all of which can serve as storage devices. These portable devices are convenient for transferring and storing large amounts of data in a short time, with or without network access. However, alongside these advantages, they bring some security vulnerabilities. In the modern enterprise, USB data transfer is the simplest way of data theft. The chances of data leakage, creation of duplicate documents, and illegal data transfer have also increased.
As a SIEM solution, EventTracker can not only monitor USB and removable media device communications but also identify trusted USB and other devices. You can define the unique identifier number of a USB device so that the device is not disabled upon insertion and can access information on the system.
EventTracker Monitoring Features
Reports insertion / removal of the removable device
EventTracker logs every activity of a USB or other removable media device, such as plug-in, plug-out, and data transfer. A complete audit trail consisting of the user, device type, serial number, time, and all file activities is captured and sent as an event to the EventTracker Console for processing.
Prevents unauthorized access and reports the intrusion in real time
Every time a USB device is inserted, the EventTracker agent checks the USB exception list. If there is no violation of policy, it permits access to the device and logs the insert activity. If a violation of policy is detected, access is prevented and the violation is immediately sent to the EventTracker Console. When access is permitted, EventTracker also begins to monitor all activities on the device, and every file that is written to or deleted from the device is recorded.
Restricts Access
EventTracker can restrict access to all USB devices on a particular system, and can also exempt from monitoring the specified USB devices that are added to the USB Exception list.
Protects the system from malware
EventTracker can disable a USB or other removable media device upon insertion, and thus safeguards the network from viruses and Trojans.
Logging USB device communication
For security and compliance purposes, EventTracker logs USB communication in detail as incidents.
Figure 1: Event Properties
Get Alert notification
In EventTracker, users can configure alerts to receive notifications of removable media activities.
Example: EventTracker: USB device disabled, Media Insert alert etc.
Figure 2: Alert Configuration
Media Insertion Report
EventTracker lets you configure reports to analyze removable media device activities. These reports help find unauthorized access to systems. To configure the USB device report, open EventTracker Enterprise >> Click Operations menu >> Click Reports tab >> In the Report Tree, click USB Device Report node.
Figure 3: Reports
Implement Monitoring Removable Media Feature in EventTracker v7.1
1. When a USB device is plugged in or media is inserted into the CD/DVD drive, Windows sends a media insertion notification with the drive letter/name to the EventTracker Windows Agent.
2. Upon receiving the notification, the EventTracker Windows Agent launches USBTracker.exe with the drive details. USBTracker.exe is an EventTracker utility that monitors file change activity on removable media.
3. USBTracker.exe generates event 3239 and starts monitoring all activities (files added/modified/deleted/copied) that happen on the removable media.
4. When the USB device is unplugged or the media is ejected, Windows sends a media removal notification to USBTracker.exe.
5. Upon receiving the notification, USBTracker.exe stops monitoring, generates event 3240 with details of all activities, and exits.
NOTE:
This feature is supported for Windows only (Win XP, Vista, 2K3, 2K8, and Win 7) and requires EventTracker Agent to be installed and configured.
Monitor CDW/DVD Burning Activities
Windows XP, 2003, 2008, Vista, and Win7 have a built-in CD recorder feature that lets you drag and drop files in Windows Explorer to write them to a CD. Before burning the CD, Windows buffers the files in a ‘staging area’. The staging area is a hidden folder that is usually "Drive_letter:\Documents and Settings\Username\Local Settings\Application Data\Microsoft\CD Burning".
By monitoring the staging area for the list of files being queued up for writing, you can answer the rather disquieting questions of who, when, and what.
Monitor CD-ROM Activities
Windows places the files copied from a CD-ROM (CTRL + C or mouse right-click) on the clipboard. By monitoring the clipboard, you can keep tabs on file copy activity.
Configure EventTracker Agent to Monitor Removable Media
1. Click the Admin drop-down list and then click Windows Agent Config.
2. Select the system from the Select system drop-down list.
3. Click the System Monitor tab.
   The Report insert / remove check box is selected by default. Leave it as it is.
4. Select the Record activity check box under USB and Other Device Changes.
   This enables monitoring of all removable media (USB, CD-R, CD-RW, and DVD) on the managed system.
5. Click Save.
Figure 4
Disable USB Drives
This option lets you block USB devices altogether. You can disable only USB drives, not CD-ROM drives.
1. Select the Disable USB devices check box under USB and Other Device Changes.
2. Click Save on the System Monitoring page.
EventTracker blocks all USB devices.
Exempt Authorized USB Drives
This option helps you restrict users to authorized USB devices only.
1. Click USB Exception List. EventTracker enables this button only when you select the Disable USB devices check box. EventTracker displays the USB Exception List pop-up window.
2. Select an appropriate Format option.
3. Type the serial number in the Enter USB Serial number field.
4. Click Add.
EventTracker adds the serial number to the USB Serial Numbers list.
Figure 5
5. Click Save & Close.
6. Click Save on the System Monitoring page.
Configure Device Monitoring Alerts
Configure Alerts to receive notifications. You can also view these Alert events on the Alerts Dashboard.
Import and Configure CD-DVD Monitoring Alert
To configure the CD-DVD Monitoring Alert, do the following:
a. Log on to EventTracker.
b. Click the Admin drop-down list and then click Alerts.
c. Locate the EventTracker CD-DVD Monitoring Alert.
d. Select severity of threat from the Threat Level drop-down list.
e. Select the check box under Active, if not selected.
f. Set appropriate Alert actions to receive notifications.
g. Click OK on the message box.
Figure 6
Configure USB Device Monitor Alerts
1. Click the Admin drop-down list and then click Alerts.
2. Locate the EventTracker: USB device disabled and Media insert alert alerts.
3. Select severity of threat from the Threat Level drop-down list.
4. Select the check box under Active, if not selected.
5. Set appropriate Alert actions to receive notifications.
6. Click OK on the message box.
Figure 7
Figure 8
EventTracker Device Monitoring Categories
To view Categories, click the Admin drop-down list and then click Category.
Category: EventTracker: USB device disabled
Description: All events logged by EventTracker when it disables an unauthorized USB device that is not in the exception list. Event Id: 3242.
Figure 9
Category: EventTracker: USB or other device monitoring
Description: All events logged by EventTracker while monitoring USB, CD, and DVD device or media insertion and removal. Event Id: 3228, 3229, 3239, 3240.
Figure 10
EventTracker Device Monitoring Reports
Category Reports
Operations -> Reports -> EventTracker: USB device disabled
EventTracker Agent for Windows can be configured to disable USB devices. If this feature is enabled, this report provides information on disabled devices across selected computers for the chosen time period.
Usage: This feature should be enabled for both Servers and Workstations. This report is useful to track unauthorized usage of USB devices.
Figure 11
Figure 12
Operations -> Reports -> EventTracker: USB or other device monitoring
EventTracker Agent for Windows can be configured to monitor insert/removal and files added/modified/deleted/copied to and from removable media. If this feature is enabled, this report provides information on those activities across selected computers for the chosen time period.
Usage: This report must be run and reviewed regularly for all critical servers and workstations.
Figure 13
Figure 14
Custom Reports
Operations -> Reports -> USB Device Disabled Report
This report provides information on disabled USB devices across selected computers for the chosen time period.
Usage: This report would be useful when you are looking for a quick report on disabled USB devices.
Figure 15
Operations -> Reports -> USB Device Report -> USB Device Report Detail
This report provides detailed information on the files added/modified/deleted to USB device. It can be tuned by applying Refine or Filter criteria, systems, and time period.
Usage: This report is usually run during a detailed investigation phase, as needed.
Figure 16
Operations -> Reports -> USB Device Report -> USB Device Report Summary
This report provides summary information on the files added/modified/deleted to USB device. Charts are included per system per activity top 10 USB devices sorted by top 5 users.
Usage: This report would be useful when you are looking for a quick report for the files added/modified/deleted/copied to and from USB devices.
Figure 17
EventTracker Generated Events
Media Type: CD/DVD Recorder
Drive Monitoring started event [3239]
Figure 18
Description:
Drive Monitoring started for E:\
Volume Label: NW65OS
Volume Serial No: 3700563404
Volume ID: \\?\Volume{c40a164e-b680-11df-affc-806d6172696f}\
Type: CD - ROM
File System: CDFS
Network Volume: No
Description: Change affects media in drive.
Console User: TOONS\shibu
Active Users: TOONS\shibu
Drive Monitoring stopped [3240]
Figure 19
Description:
Drive Monitoring stopped for E:\
Volume Label: NW65OS
Volume Serial No: 3700563404
Volume ID: \\?\Volume{c40a164e-b680-11df-affc-806d6172696f}\
Type: CD - ROM
File System: CDFS
Network Volume: No
Description: Change affects media in drive.
Console User: TOONS\shibu
Active Users: TOONS\shibu
Recorder status:
Ejected without writing.
Files copied by user: TOONS\shibu
GetProcessID.obj|Added|10/27/2010 02:35:00 PM
IMAPITools.obj|Added|10/27/2010 02:35:00 PM
StdAfx.obj|Added|10/27/2010 02:35:00 PM
USBTracker.obj|Added|10/27/2010 02:35:00 PM
Files copied to clipboard:
E:\READ_ME.TXT|10/27/2010 02:35:04 PM
E:\READ_ME.HTM|10/27/2010 02:35:04 PM
E:\READ_ME.TXT|10/27/2010 02:35:14 PM
E:\READ_ME.HTM|10/27/2010 02:35:14 PM
If files were queued in the staging area and the media was ejected without writing prior to the current burning session, EventTracker tracks those files too, as the entries marked Existing in the following text show.
Description:
Drive Monitoring stopped for E:\
Volume Label: NW65OS
Volume Serial No: 3700563404
Volume ID: \\?\Volume{c40a164e-b680-11df-affc-806d6172696f}\
Type: CD - ROM
File System: CDFS
Network Volume: No
Description: Change affects media in drive.
Console User: TOONS\shibu
Active Users: TOONS\shibu
Recorder status:
Started writing.
Files copied by user: TOONS\shibu
MyDB.mdb|Existing|10/26/2010 02:48:31 PM
MyPict.bmp|Existing|10/26/2010 02:48:38 PM
MySound.wav|Existing|10/26/2010 02:48:43 PM
GetProcessID.obj|Added|10/27/2010 02:35:00 PM
IMAPITools.obj|Added|10/27/2010 02:35:00 PM
StdAfx.obj|Added|10/27/2010 02:35:00 PM
USBTracker.obj|Added|10/27/2010 02:35:00 PM
Files copied to clipboard:
E:\READ_ME.TXT|10/27/2010 02:35:04 PM
E:\READ_ME.HTM|10/27/2010 02:35:04 PM
E:\READ_ME.TXT|10/27/2010 02:35:14 PM
E:\READ_ME.HTM|10/27/2010 02:35:14 PM
Media Type: CD-ROM
Detected new drive event [3228]
Figure 20
Description:
Detected new media in drive <E:>
Volume Label: NW65OS
Volume Serial No: 3700563404
Volume ID: \\?\Volume{e4694682-12ca-11dd-a32c-806d6172696f}\
Type: CD - ROM
File System: CDFS
Network Volume: No
Description: Change affects media in drive.
Drive Monitoring started event [3239]
Figure 21
Description:
Drive Monitoring started for E:\
Volume Label: NW65OS
Volume Serial No: 3700563404
Volume ID: \\?\Volume{e4694682-12ca-11dd-a32c-806d6172696f}\
Type: CD - ROM
File System: CDFS
Network Volume: No
Description: Change affects media in drive.
Console User: TOONS\kalyani
Active Users: TOONS\kalyani
Drive Monitoring stopped event [3240]
Figure 22
Description:
Drive Monitoring stopped for E:\
Volume Label: NW65OS
Volume Serial No: 3700563404
Volume ID: \\?\Volume{e4694682-12ca-11dd-a32c-806d6172696f}\
Type: CD - ROM
File System: CDFS
Network Volume: No
Description: Change affects media in drive.
Console User: TOONS\kalyani
Active Users: TOONS\kalyani
Recorder status:
Unknown
Files copied to clipboard:
E:\TOOLS|10/28/2010 11:24:38 AM
Media from drive removed event [3229]
Figure 23
Description:
Media from drive <E:> removed.
Network Volume: No
Description: Change affects media in drive.
Media Type: Removable (USB)
Detected new drive event [3228]
Figure 24
Description:
Detected new drive <F:>
Volume Label: PNPL2
Volume Serial No: 3334027000
Volume ID: \\?\Volume{cbb79a4d-b006-11df-ab88-0015586a1e0a}\
Type: Removable
File System: FAT32
Network Volume: No
Description: Change affects physical device or drive.
USB Monitoring started event [3239]
Figure 25
Description:
USB Monitoring started for F:\
Volume Label: PNPL2
Volume Serial No: 3334027000
Volume ID: \\?\Volume{cbb79a4d-b006-11df-ab88-0015586a1e0a}\
Type: Removable
File System: FAT32
Network Volume: No
Description: Change affects physical device or drive.
Console User: TOONS\kalyani
Active Users: TOONS\kalyani
USB Monitoring stopped event [3240]
Figure 26
Description:
USB Monitoring stopped for F:\
Volume Label: PNPL2
Volume Serial No: 3334027000
Volume ID: \\?\Volume{cbb79a4d-b006-11df-ab88-0015586a1e0a}\
Type: Removable
File System: FAT32
Network Volume: No
Description: Change affects physical device or drive.
Console User: TOONS\kalyani
Active Users: TOONS\kalyani
No files added or modified or deleted
If files have been added/modified/deleted, the description contains file details as shown below.
Description:
USB Monitoring stopped for F:\
Volume Label: PNPL2
Volume Serial No: 3334027000
Volume ID: \\?\Volume{cbb79a4d-b006-11df-ab88-0015586a1e0a}\
Type: Removable
File System: FAT32
Network Volume: No
Description: Change affects physical device or drive.
Console User: TOONS\kalyani
Active Users: TOONS\kalyani
Added EventLoggingInformation.xls 10/27/2010 12:01:18 PM
Modified EventLoggingInformation.xls 10/27/2010 12:01:18 PM
Added err_gde.pdf 10/27/2010 12:01:18 PM
Deleted EventLoggingInformation.xls 10/27/2010 12:02:23 PM
Deleted err_gde.pdf 10/27/2010 12:02:47 PM
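The two "Monitoring stopped" [3240] layouts shown above can be turned into structured records for review. The following parser is an added example, not EventTracker code; the sample text is copied from the descriptions on this page (the CD sample is shortened), and it assumes real events keep the same line layout.

```python
import re
from datetime import datetime

TS = r"\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M"
TS_FMT = "%m/%d/%Y %I:%M:%S %p"

HEADER = re.compile(r"^(?:USB|Drive) Monitoring stopped for (\S+)$")
FIELD = re.compile(r"^(Volume Label|Volume Serial No|Type|File System|"
                   r"Console User|Active Users|Files copied by user):\s*(.*)$")
# USB layout on this page: "<action> <file name> <timestamp>"
USB_FILE = re.compile(rf"^(Added|Modified|Deleted)\s+(.+?)\s+({TS})$")
# CD/DVD staging-area layout: "<file name>|<action>|<timestamp>"
CD_FILE = re.compile(rf"^(.+?)\|(Added|Existing)\|({TS})$")
# Clipboard layout: "<path>|<timestamp>"
CLIP_FILE = re.compile(rf"^(.+?)\|({TS})$")


def parse_monitoring_stopped(description):
    """Parse one event 3240 description into a dict."""
    rec = {"drive": None, "fields": {}, "recorder_status": None, "files": []}
    expect_status = False
    for raw in description.splitlines():
        line = raw.strip()
        if not line:
            continue
        if expect_status:              # value follows "Recorder status:" on its own line
            rec["recorder_status"], expect_status = line, False
            continue
        if line == "Recorder status:":
            expect_status = True
            continue
        m = HEADER.match(line)
        if m:
            rec["drive"] = m.group(1)
            continue
        m = FIELD.match(line)
        if m:
            rec["fields"][m.group(1)] = m.group(2)
            continue
        m = USB_FILE.match(line)
        if m:
            action, name, ts = m.groups()
        elif (m := CD_FILE.match(line)):
            name, action, ts = m.groups()
        elif (m := CLIP_FILE.match(line)):
            name, ts = m.groups()
            action = "Clipboard"
        else:
            continue                   # Volume ID, Description, "No files added ..."
        rec["files"].append({"action": action, "name": name,
                             "time": datetime.strptime(ts, TS_FMT)})
    serial = rec["fields"].get("Volume Serial No")
    rec["volume_serial"] = int(serial) if serial and serial.isdigit() else None
    return rec


def actions_by_file(rec):
    """Map each file name to the time-ordered list of actions recorded for it."""
    out = {}
    for f in sorted(rec["files"], key=lambda f: f["time"]):
        out.setdefault(f["name"], []).append(f["action"])
    return out


def written_then_deleted(rec):
    """Files written to the media and deleted again within the same session."""
    return [name for name, acts in actions_by_file(rec).items()
            if acts[0] in ("Added", "Modified") and acts[-1] == "Deleted"]


# Sample descriptions taken from this page (CD sample shortened).
USB_SAMPLE = r"""USB Monitoring stopped for F:\
Volume Label: PNPL2
Volume Serial No: 3334027000
Volume ID: \\?\Volume{cbb79a4d-b006-11df-ab88-0015586a1e0a}\
Type: Removable
Console User: TOONS\kalyani
Added EventLoggingInformation.xls 10/27/2010 12:01:18 PM
Modified EventLoggingInformation.xls 10/27/2010 12:01:18 PM
Added err_gde.pdf 10/27/2010 12:01:18 PM
Deleted EventLoggingInformation.xls 10/27/2010 12:02:23 PM
Deleted err_gde.pdf 10/27/2010 12:02:47 PM
"""
CD_SAMPLE = r"""Drive Monitoring stopped for E:\
Volume Serial No: 3700563404
Recorder status:
Started writing.
Files copied by user: TOONS\shibu
MyDB.mdb|Existing|10/26/2010 02:48:31 PM
GetProcessID.obj|Added|10/27/2010 02:35:00 PM
Files copied to clipboard:
E:\READ_ME.TXT|10/27/2010 02:35:04 PM
"""

if __name__ == "__main__":
    usb = parse_monitoring_stopped(USB_SAMPLE)
    print(usb["drive"], usb["volume_serial"], written_then_deleted(usb))
```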
Drive removed event [3229]
Figure 27
Description:
Drive <F:> removed
Network Volume: No
Description: Change affects physical device or drive
Media drive is disabled by EventTracker event [3242]
Figure 28
Description:
Media drive <F:> is disabled by EventTracker. Please contact your system administrator.
Volume Label: PNPL2
Volume Serial No: 3334027000
Volume ID: \\?\Volume{cbb79a4d-b006-11df-ab88-0015586a1e0a}\
Type: Removable
File System: FAT32
Network Volume: No
Description: Change affects physical device or drive.
Limitations
The EventTracker Windows Agent monitors only CD/DVD burning activities carried out through Windows Explorer and does not monitor burning activities done via third-party tools such as Nero, Iomega, etc.
EventTracker Configurations for removable device monitoring in v7.2
EventTracker settings options for USB and other device changes
Open EventTracker Control panel, double click EventTracker Agent Configuration, and then click the System Monitor tab.
OR
Open EventTracker Enterprise, click Admin dropdown, and then click Windows Agent Configuration. Click System Monitor tab.
Figure 29: EventTracker Agent Configuration
• Click ‘Report insert/remove’ checkbox: to report the insertion or removal of removable device to the manager.
• Click ‘Record Activity’ checkbox: to keep record of activities like data transfer done by the USB or other removable media device.
• Click ‘Disable USB Device’ checkbox: to block all the USB devices from accessing the system. Enabling this checkbox activates ‘USB Exception List’ button.
NOTE:
While editing a USB serial number or Device ID, if you do not make any changes and click the Edit Ok/OK button, EventTracker displays an error message. EventTracker treats the unchanged number as a duplicate entry and therefore does not allow entering the same USB serial number or Device ID.
In EventTracker Control panel:
Figure 30
In EventTracker Enterprise Web console:
Figure 31
Define USB exception list
In EventTracker, the ‘USB Exception list’ can be used to:
• Authorize USB communication for a specific model of USB device, while blocking all other devices.
• Allow a single device with a unique identifier (such as a serial number), while blocking all other devices from the same manufacturer.
Figure 32: USB exception List
• Enter the ‘USB volume serial number’ to authorize data transfer.
• If your device does not have the serial number, then EventTracker also has a provision to define Device ID of the USB. Enter the USB device ID and add the USB to the exception list.
• Do not forget to click Save & Close button to save the changes in the USB serial number or Device ID.
• To update the serial number or Device ID, click the number or ID, and then click the Edit button.
Make appropriate changes and then click the Edit Ok button.
To find USB volume serial number
1. Verify if the USB device is inserted properly on the system.
2. Open My Computer and note the drive letter for the USB device.
3. Open the command prompt and change to the USB drive by typing <drive letter>.
4. Type "dir" to see the directory listing.
Figure 33: Find the USB serial number in command prompt
5. Note down the volume serial number shown in ‘Hexadecimal’ format.
6. In the USB Exception list window, enter this serial number in the Enter USB Volume Serial number text box.
7. Click the Hex option.
8. Click the Add button to add the serial number.
The output will be seen as below. (Refer Figure 34).
Figure 34
NOTE: In the command prompt, the volume serial number will always be in ‘Hexadecimal’ format. You can convert it into ‘Decimal’ format, if required.
To find USB Device ID
1. Verify if the USB device is inserted properly on the system.
2. Go to Control panel, and click Systems.
OR
Right click on My Computer, and then click Properties.
3. Click the Hardware tab, and then click the Device manager button.
Figure 35: System Properties
4. Under Universal Serial Bus controllers node, an entry for the inserted USB device is shown. (Refer figure 36).
5. Right-click on the USB entry and select Properties.
Figure 36: Computer Management
6. Select Details tab.
Figure 37: USB Mass Storage Device Properties
Device ID Example:
USB\VID_058F&PID_6387\X6G7JFL3 (Transcend USB)
Vendor Identification Number (VID) - VID_058F
Product Identification Number (PID) - PID_6387
Serial Number of the device - X6G7JFL3
7. In the dropdown:
   - Select Device instance ID for Win 2003, XP based systems.
   - Select Device Instance path for Vista, Win2008 and Win 7 based systems.
8. Click on the instance id shown in the box and copy it by pressing Control + C on the keyboard.
9. In the USB Exception list, paste this ID in the Enter USB Device ID text box, and then click the Add button to add the Device ID.
The output will be seen as below:
Figure 38: USB Exception list
10. Click the Save & Close button.
To convert USB Serial number format
You can convert the USB serial number from Hexadecimal to Decimal format, and vice versa.
1. Enter the USB serial number in the USB Volume Serial No field.
Figure 39: USB Serial number- Hexadecimal format
2. To convert the number in decimal format, click the Dec option.
Figure 40: USB Serial number- Decimal format
EventTracker automatically converts the number from Hexadecimal to Decimal.
3. To convert the number again in hexadecimal format, click the Hex option.
NOTE: EventTracker will not allow you to enter an invalid number (containing letters or signs) when the decimal (Dec) option is selected.
Possible Substring match for Device ID
Selecting the Disable USB Devices checkbox blocks all USB devices. For authorized USB devices, however, you can add the USB serial number or Device ID to allow USB data transfer. The following substring matches for the Device ID allow more than one device at a time.
• To allow devices from a particular vendor: Enter only the VID part, like USB\Vid_0781
In this example, 0781 is for SanDisk.
• To allow devices from a particular vendor and a particular product: Enter the VID and PID parts, like USB\Vid_0781&Pid_5567
In this example, 5567 is for SanDisk Cruzer Blade.
• To allow a particular device from a particular vendor and a particular product: Enter the VID, PID, and device serial number, like USB\Vid_0781&Pid_5567\20040203321B6B6256E9
Click here for more details on PID/VID.
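The substring rules above, together with the Hex/Dec serial conversion described earlier, can be modelled to audit how much each exception entry exempts. This is an added example, not EventTracker code: case-insensitive substring comparison is an assumption, the function names are hypothetical, and the second SanDisk device ID is constructed.

```python
import re

# Device ID layout shown on this page: USB\VID_xxxx[&PID_xxxx[\serial]]
ENTRY_RE = re.compile(
    r"^USB\\VID_([0-9A-F]{4})(?:&PID_([0-9A-F]{4})(?:\\(.+))?)?$", re.IGNORECASE)


def parse_volume_serial(text, fmt):
    """Return the volume serial as an int.

    fmt is "hex" (the XXXX-XXXX form that dir prints) or "dec" (the form
    that appears in the event descriptions)."""
    text = text.strip()
    if fmt == "hex":
        digits = text.replace("-", "")
        if not re.fullmatch(r"[0-9A-Fa-f]{1,8}", digits):
            raise ValueError(f"not a hexadecimal volume serial: {text!r}")
        return int(digits, 16)
    if fmt == "dec":
        if not re.fullmatch(r"[0-9]{1,10}", text) or int(text) > 0xFFFFFFFF:
            raise ValueError(f"not a decimal volume serial: {text!r}")
        return int(text)
    raise ValueError("fmt must be 'hex' or 'dec'")


def to_dir_format(serial):
    """Format an int the way dir prints a volume serial, e.g. C6B9-36F8."""
    return f"{serial >> 16:04X}-{serial & 0xFFFF:04X}"


def entry_scope(entry):
    """Classify a Device ID exception entry by how much it exempts."""
    m = ENTRY_RE.match(entry.strip())
    if not m:
        return "unrecognized"      # e.g. a truncated VID that spans several vendors
    _vid, pid, serial = m.groups()
    if serial:
        return "device"
    return "product" if pid else "vendor"


def exempting_entries(device_id, volume_serial, id_entries, serial_entries):
    """Return the (entry, scope) pairs that would exempt this device."""
    hits = [(e, entry_scope(e)) for e in id_entries
            if e.strip() and e.strip().upper() in device_id.upper()]
    hits += [(to_dir_format(s), "volume") for s in serial_entries
             if s == volume_serial]
    return hits


def broad_entries(id_entries):
    """Entries that exempt more than one single device, listed for review."""
    return [e for e in id_entries if entry_scope(e) != "device"]


# Exception list built from the values on this page.
ID_ENTRIES = [r"USB\Vid_0781", r"USB\Vid_0781&Pid_5567\20040203321B6B6256E9"]
# C6B9-36F8 is the hexadecimal form of the page's decimal serial 3334027000.
SERIAL_ENTRIES = [parse_volume_serial("C6B9-36F8", "hex")]

TRANSCEND = r"USB\VID_058F&PID_6387\X6G7JFL3"             # from this page
OTHER_SANDISK = r"USB\VID_0781&PID_5530\CONSTRUCTED0001"  # constructed sample

if __name__ == "__main__":
    print(exempting_entries(OTHER_SANDISK, 0, ID_ENTRIES, SERIAL_ENTRIES))
    print(broad_entries(ID_ENTRIES))
```

A volume serial number is written when the volume is formatted, so a serial entry identifies the file system on the media rather than the hardware; a Device ID entry that includes the device serial number is the narrowest scope described above.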