Re: USB Defender

The way that USB Defender works (and all that it does) is log mass storageall device IDs to the Windows Application Event log.  The events look like this:

Log Name:      Application

Source:        TriGeo USB-Defender

Date:          1/31/2017 4:23:20 PM

Event ID:      32004

Task Category: None

Level:        Information

Keywords:      Classic

User:          DOMAIN\username

Computer:      HOSTNAME.domain.com

Description:

USB Device Detached

Device ID: USB\VID_0930&PID_6545\00187D0F56ACEE50D000339D

Serial number: 00187D0F56ACEE50D000339D

Device name: \\?\usb#vid_0930&pid_6545#00187d0f56acee50d000339d#{a5dcbf10-6530-11d2-901f-00c04fb951ed}

Device path: \\?\usb#vid_0930&pid_6545#00187d0f56acee50d000339d#{a5dcbf10-6530-11d2-901f-00c04fb951ed}

Friendly name:

Description: USB Mass Storage Device

Manufacturer: Compatible USB storage device

Device setup class: USB

Setup class guid: {36fc9e60-c465-11cf-8056-444553540000}

Capabilities:

    Lock supported: No

    Eject supported: No

    Removable: Yes

    Dock device: No

    Unique ID: Yes

    Silent install: No

    Raw device ok: No

    Surprise removal ok: Yes

    Hardware disabled: No

    Nondynamic: No

Configurations:

    Disabled: No

    Removed: No

    Manual install: No

    Ignore boot: No

    Net boot: No

    Reinstall: No

    Failed install: No

    Cannot stop a child: No

    Can remove ROM: No

    No remove at exit: No

    Finish install: No

    Needs forced configuration: No

    Partial log configuration: No

Driver software key: {36fc9e60-c465-11cf-8056-444553540000}\0014

Service name: USBSTOR

Device address: 1

Bus number: 0

Bus type guid: {9D7DEBBC-C85D-11D1-9EB4-006008C3A19A}

Device type:

Enumerator name: USB

Legacy bus type: 15

Hardware location:

Physical device object name:

Security descriptor:

Hardware IDs::

    USB\VID_0930&PID_6545&REV_0100

    USB\VID_0930&PID_6545

Compatible IDs:

    USB\Class_08&SubClass_06&Prot_50

    USB\Class_08&SubClass_06

    USB\Class_08

These events are sent to LEM by the LEM Agent, and the LEM looks at the data and matches it to rules and does (or doesn't) take an action depending on how you have it setup.  There is another version of USB Defender connector (the Extended edition) that creates parses these events for every USB device, and then you can have LEM check those events out or run them against USB Defender Local Policy.  You'll need to get that version from Support.