USB Device Control - Device Control, Firewall Management, and ZTA - Endpoint Security - Documentation - Support and Resources - Falcon


USB Device Control

Last updated: 12-10-2023

Overview
With Device Control, you can create USB device policies to gain visibility into and control over USB devices in your environment.

Configure USB device policies to control which USB devices can connect to your Windows hosts.

Review Device Control dashboards to see USB device connections, USB device policy violations, and actions taken automatically by your policies.

Fine-tune your policies with exceptions as needed.

Customize the notification that a user sees when a USB device is blocked or given restricted access.

Device Control is an add-on module for Falcon Insight XDR, Falcon Prevent, or Falcon Pro subscriptions.

Before you begin


You should be familiar with these important concepts:

Falcon's host groups [/documentation/page/f8a0f751/host-and-host-group-management], policies [/documentation/page/e5c21607/prevention-policy-settings#pf3651d6], and precedence [/documentation/page/bd0f1c7f/detection-and-prevention-policies#ic6fb2c0]

USB protocol standards for device classes [https://en.wikipedia.org/wiki/USB#Device_classes]

Requirements
Subscription: Device Control (a Falcon Insight XDR or Falcon Prevent add-on)

Sensor support:

Windows: All supported versions of the Falcon sensor for Windows

Note: Device Control is not available on Windows ARM64-based hosts.

macOS: Falcon sensor for macOS version 6.27 and later

Operating system requirements:

Windows: Device control supports all Falcon-supported OSes

macOS: Device control supports Big Sur and later

Reboot requirements:

Windows: Hosts must be rebooted after initially enabling USB Device Control for Falcon to collect USB events

macOS: No reboot requirement

Roles:

Users with these roles can manage USB device policies:

Falcon Administrator

Device Control Manager

Users with these roles can view device connections:

Falcon Security Lead


Falcon Investigator

Falcon Analyst

Understand USB Device Control


USB Device Control provides visibility as well as blocking and granular control over the device connections in your organization.

Create USB device policies to improve your organization’s security posture:

Apply policies to all devices and hosts and set up exceptions to allow select devices on select hosts.

Grant individual device permissions that range from fully blocking devices to allowing complete functionality.

Configure policies to monitor when you only want to collect data, and configure them to enforce when you're ready for them to take action.

Customize the notification that a user sees when a USB device is blocked or given restricted access.

After you’ve configured your USB device policies and assigned them to hosts, you can monitor USB device connections in the Falcon console. Each time a USB
device attempts to connect to a host, the Falcon sensor logs an event that contains information about the connection attempt:

USB device info: its serial number, device class, vendor description, and more

Host info: its agent ID and hostname

Policy info: action taken in response to the connection attempt (allowed or blocked), the criteria used to match the USB device to a policy setting

Auditing info: the time of the connection attempt

Review USB device connection activity and events to understand how USB devices are used in your organization and fine-tune your USB device policy settings
and exceptions over time to meet your organization’s specific needs.

Limitations (Windows)
Device Control might not function as expected in the following situations.

For Virtual Machines (VMs) such as Citrix and VMware, global allowlisting is not supported; as a result, incompatible devices should not be used on them.

Known VID/PID for incompatible devices include (but are not necessarily limited to):

0x19D2 / 0x10D6 ZTE Devices (CD-ROM, 4G Modem)

0x19D2 / 0x1225 ZTE

0x19D2 / 0x1403 ZTE

0x056E / 0x1042 Elecom Numpad M-BL26UBC

0xC1CA / 0x0004 –

0x1FF7 / 0x0F21 CVTE Touchscreen devices (OEM vendor)

0x1FF7 / 0x0F22 CVTE

0x0403 / ( * ) Virtual serial devices using FTDI UART

Using Device Control together with Dell Data Protect (DDPE) can cause errors, including BSODs on the host, and is not recommended.

For Virtual Desktop Infrastructures (VDIs) such as Citrix Virtual Apps and Desktops and VMware Horizon, compatibility issues can cause errors, including
BSODs on the client/host, so we don't recommend using Device Control in virtualized environments.

Vodafone network dongles or Elecom numpad devices: Device Control does not work on these devices.

USB forwarding technologies such as RemoteFX, RDP: To block devices, you must apply USB device policies on the server, not the client.

Custom/third party USB device stacks or UAS storage drivers such as ASUS USB 3.0 Boost: USB devices initialized on third party USB stacks aren't blocked by
Device Control.

On Windows 7 hosts, Device Control can't block USB 3.0 drives.

DLP applications: Device Control doesn't work correctly when DLP applications are active. DLP applications such as Digital Guardian will cause Device Control
to not function as expected.

Windows to Go: Boot disks aren't blocked by Device Control.

Setup
Out of the box, all host groups are assigned to the Default Policy, which is initially configured to allow all USB device connections. Create, configure, and assign a
collection of USB device policies to your hosts to block and allow device connections.

Plan and prepare


Determine what specific device connections need to be allowed on certain hosts in your organization. Identify hosts that should have particularly limited
device connection allowances.

Assign the Device Control Manager role to additional Falcon users who need to be able to create and configure USB device policies.

Understand the risk of potentially blocking all USB device connections. Falcon USB Device Control grants you flexibility and control to create and
configure policies. Be aware that this includes the ability to create and assign policies that could block essential USB device connections. Configuring the
Default Policy to Monitor only or Off is a helpful safeguard. This ensures that the catch-all policy for hosts that are not specifically added to any other USB
device policies won’t have any blocking actions taken on them.

Determine whether the default notification message for a blocked or access restricted device is appropriate for your organization. Write custom
notification messages per policy, as necessary.

Configure USB device policies


Create [/documentation/page/a0f90068/usb-device-control#a1a517d9] and configure [/documentation/page/a0f90068/usb-device-control#o7b7fc14] the
USB device policies you need.

Assign host groups [/documentation/page/a0f90068/usb-device-control#h30f5d49] to your USB device policies.

Enable the policies [/documentation/page/a0f90068/usb-device-control#qd97b35d].

Test USB device policies


USB Device Control testing can be done by using a test group of hosts or configuring USB device policies to Monitor only, or a combination of the two approaches.

Going live
The process of going live depends on how you did your testing.

If you limit your testing to a test group of hosts, you’ll need to add the rest of your host groups to your USB device policies as needed.

If you perform your testing by configuring your USB device policies to Monitor only and observing the device connections, going live will involve updating some of
your policies to Monitor and enforce as needed.

Manage USB device policies


The settings within a USB device policy determine whether a USB device of a given device class - or any class - is allowed to connect to a host. Within each class,
you can set exceptions: more specific configurations that override the general policy setting.

At the policy level, USB Device policies have these policy mode options:

Monitor and enforce: Takes action on USB devices based on your policy settings: blocking or allowing the USB device connection and displaying default or
custom notification messages.

Monitor only: Records the USB device connection and the action defined by your policy setting, but doesn’t enforce restrictions on assigned hosts. This
mode is intended to help you test your policy behavior without disrupting users in your environment.
Off (macOS only): Has no USB device visibility, so doesn’t track violations or enforce restrictions.

View USB device policies


Go to Endpoint security > USB device control > Policies to manage your organization’s USB Device Control policies.

Create a USB device policy


When you create a USB device policy, you set broad rules that allow or block USB devices based on their USB device class. For example, you might create a policy
to block USB storage drives, but permit access for other classes of USB devices.

Later, you can create more specific exceptions [/documentation/page/a0f90068/usb-device-control#rea3b5f9] to the broad rules defined by a policy.

1. Go to Endpoint security > USB device control > Policies [/configuration/usb-device/policies].

2. Click Create policy.

3. Enter a name and optional description for your policy.

4. Click Create policy.


Configure USB device control policy settings

Configure policy permissions


1. Set the policy mode to one of the following options:

Monitor

Monitor and Enforce

Off (macOS only)

2. Click any USB device class to configure policy settings for that class:

Audio / Video (headsets, microphones, speakers, and webcams)

Imaging (Digital cameras)

Mass storage (Flash drives, hard drives, SD card readers)

Mobile (MTP/PTP) (Mobile phones and tablets)

Printer (Printers)

Wireless (Bluetooth devices; not Wi-Fi adapters)

When a device does not belong to any of the device classes listed above, the device goes into the Any class class. By default, devices in
this class have Full access permissions and are allowed to function. To control the permissions level for such a device, add an exception
to the Any class class for the device. See Set Exceptions to Your Policy [/documentation/page/a0f90068/usb-device-control#rea3b5f9].

3. Select the level of access for devices of that class:

Full access (or Read, write and execute, for the Mass Storage class)

Full block

Read and write only (applies only to the Mass Storage class)

Read only (applies only to the Mass Storage class)


4. Optional. Click Add exception and follow the instructions to add an exception to this policy. See
Configure policy exceptions [/documentation/page/a0f90068/usb-device-control#rea3b5f9].

5. Optional. Click to disable Enhanced file metadata collection.

6. Optional. Click to disable End-user notifications.

7. Click Save.

8. Then click Save to confirm.

Configure policy exceptions


Create exceptions to override the standard behavior of a policy. Exceptions are based on:

USB device's vendor ID (VID)

product ID (PID)

serial number

For example, you might create a policy that blocks all USB mass storage devices, then create exceptions for the specific USB devices that are issued and approved
by your organization.

It's possible to set a class's exception permissions to the same behavior as the class's permissions. If the class's permissions are changed in the future, the
exception's permissions remain the same.

Make an exception temporary

Temporary exceptions expire at a scheduled end date and time and are then automatically deleted from the policy. Temporary exceptions are scheduled in UTC
time. The date and time set is when the channel file update is sent to the sensor to remove the exception. Depending on your policy update settings, it might take
some time before an expired exception is no longer in effect.

Note: When viewing policy exceptions, the End time column that shows a temporary exception's expiration date and time is not visible in the table by
default. You can enable the column header from the Toggle table column menu in the upper-right corner of the table.

Use wildcards to include multiple USB devices

If your serial numbers follow a predictable pattern, you can use a wildcard value to add multiple devices to a policy exception and reduce the total number of
exceptions you’ll need to create. To enable the use of glob wildcards and match patterns in text strings, select the Manual Entry option.

Note: There is a limit of 15,000 exceptions per policy. We recommend reducing your exception count by using wildcard serial numbers whenever
possible.

Alternatively, you can streamline the process of adding multiple individual exceptions at once by selecting Let me add multiple exceptions without leaving this
page. This causes the Manual Entry option to clear the Serial number field but keep all other information.

You can create exceptions at the class level or an individual event level:

Class level

1. Go to Endpoint security > USB device control > Policies > Settings.

2. Click to select a USB device class that you’d like to add the exception to.

3. Click Add Exception.

Individual event level

1. Go to Endpoint security > USB device control > Activity dashboard.

2. Select a USB device class, or select Any class, to view the exceptions in that class.

3. Click Add Exception.

Choose whether to create the exception using a USB device's Combined ID or Manual Entry, and then follow the corresponding steps.

Combined ID

1. Go to Endpoint security > USB device control > Activity.

2. Copy the combined ID value of the USB device you want to add an exception for.

3. Go to Endpoint security > USB device control > Policies and select the policy to add an exception to.

4. Click Add exception and paste the combined ID value in the Combined ID field.

5. Select the Device Class for this exception.

6. Select the permissions for this exception.

7. Optional. Enter a description.

8. Optional. Select Make temporary exception and enter a future end date and time.

Note: The times displayed are in UTC.

9. Click Add exception.

10. Click Save.

11. Then click Save to confirm.


Manual Entry

Tip: The default format for Vendor ID or Product ID is decimal (0 to 65535). If you enter a hexadecimal value beginning with 0x (0x0 to 0xFFFF), the
Falcon console automatically converts it to decimal format.

1. Go to Endpoint security > USB device control > Policies and select the policy to add an exception to.

2. Click Add exception.

3. Enter the Vendor ID and Vendor Name.

4. If available, enter a Product ID and Product Name.

5. Optional. To allow the use of wildcards in serial numbers, select Allow wildcards.

Note: This feature is available for macOS and Windows sensor 6.56 and later.

6. Enter a Serial Number, or use a wildcard value in glob syntax to include a block of serial numbers. Accepted glob syntax includes *, ?, and []. To escape a
wildcard character, add square brackets around the character you'd like to escape, for example [*]. For more info, see
Glob Syntax [/documentation/page/e2e4b1b4/glob-syntax].

7. Optional. Enter a sample serial number value in the Serial Number for Glob Pattern Test field and click Test to confirm that the wildcard works as
expected.

8. Select the Device Class for this exception.

9. Select the permissions for this exception.

10. Optional. Enter a description.

11. Click Add exception.

12. Click Save.

13. Then click Save to confirm.

Exceptions are applied according to the following precedence from highest to lowest:

1. Includes Vendor ID, Product ID, and Serial number

2. Includes only Vendor ID and Product ID

3. Includes Vendor ID and a specific device class

4. Vendor ID only

5. Device class only

Note: When you use Manual Entry, exceptions that include more information automatically override exceptions that contain less information.
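The wildcard serial matching, the hex-to-decimal ID handling and the exception precedence described above, modelled as an added Python example (illustrative code, not CrowdStrike's; the class names, permission strings, policy-mode handling and data structures are assumptions, only the matching rules come from this page):

```python
import fnmatch
from dataclasses import dataclass, field
from typing import Optional

# Assumed constants for this example; the strings mirror the console's labels.
FULL_ACCESS = "Full access"
FULL_BLOCK = "Full block"
READ_WRITE_ONLY = "Read and write only"
MONITOR_ENFORCE = "Monitor and enforce"
MONITOR_ONLY = "Monitor only"
OFF = "Off"


def parse_id(value: str) -> int:
    """Vendor/Product ID given as decimal (0-65535) or 0x-prefixed hex (0x0-0xFFFF),
    normalised to decimal the way the console does."""
    n = int(value, 16) if value.lower().startswith("0x") else int(value)
    if not 0 <= n <= 0xFFFF:
        raise ValueError(f"ID out of range: {value}")
    return n


def serial_matches(pattern: str, serial: str) -> bool:
    """Glob match on serial numbers: *, ? and [] are wildcards; wrapping a wildcard
    in brackets ([*]) makes it literal. Case-sensitive on every platform."""
    return fnmatch.fnmatchcase(serial, pattern)


@dataclass
class Device:
    vid: int
    pid: int
    serial: str
    device_class: str  # e.g. "Mass storage"; "Any class" when not in a listed class


@dataclass
class PolicyException:
    permission: str
    vid: Optional[int] = None
    pid: Optional[int] = None
    serial: Optional[str] = None  # exact serial or glob pattern
    device_class: Optional[str] = None

    def rank(self) -> int:
        """Exception precedence from the documentation (1 is highest)."""
        vid, pid, ser, cls = (x is not None for x in
                              (self.vid, self.pid, self.serial, self.device_class))
        if vid and pid and ser:
            return 1
        if vid and pid:
            return 2
        if vid and cls:
            return 3
        return 4 if vid else 5

    def matches(self, dev: Device) -> bool:
        """Every field the exception specifies must match the device."""
        return ((self.vid is None or self.vid == dev.vid)
                and (self.pid is None or self.pid == dev.pid)
                and (self.serial is None or serial_matches(self.serial, dev.serial))
                and (self.device_class is None or self.device_class == dev.device_class))


@dataclass
class Policy:
    name: str
    precedence: int  # 1 is highest; the Default Policy is last
    mode: str = MONITOR_ENFORCE
    enabled: bool = True
    class_permissions: dict = field(default_factory=dict)  # class -> permission
    exceptions: list = field(default_factory=list)

    def permission_for(self, dev: Device) -> str:
        hits = [e for e in self.exceptions if e.matches(dev)]
        if hits:
            # The exception carrying more information overrides the others.
            return min(hits, key=PolicyException.rank).permission
        # Unconfigured classes, including Any class, default to Full access.
        return self.class_permissions.get(dev.device_class, FULL_ACCESS)


def active_policy(assigned: list) -> Policy:
    """Highest-precedence enabled policy the host is assigned to; a disabled policy
    is skipped so the next one (ultimately the Default Policy) takes over."""
    return min((p for p in assigned if p.enabled), key=lambda p: p.precedence)


def evaluate(assigned: list, dev: Device) -> Optional[dict]:
    """Event the sensor would record for a connection attempt, or None when the
    active policy is Off (no USB visibility at all)."""
    policy = active_policy(assigned)
    if policy.mode == OFF:
        return None
    action = policy.permission_for(dev)
    enforced = policy.mode == MONITOR_ENFORCE
    # Monitor only records the action the policy defines but does not apply it.
    return {"policy": policy.name, "policy_action": action,
            "effective": action if enforced else FULL_ACCESS, "enforced": enforced}
```

The glob test field in the console corresponds to calling serial_matches with a candidate serial before committing the exception.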

Edit a device control policy


1. Go to Endpoint security > USB device control > Policies.

2. Click to open the policy you want to edit.


3. Make the desired changes.

4. Click Save.

Assign a device control policy to host groups


After you've created a policy and exceptions, you're ready to assign your USB device policy to a group. Assigning a USB device policy works the same as assigning
other types of policies.

1. Go to Endpoint security > USB device control > Policies.

2. Click the policy you want to assign to a group.

3. Go to the Assigned Host Groups tab.

4. Click Assign groups to policy.

5. Select one or more groups.

6. Click Assign groups.

Windows

USB device policies take effect when a USB device is connected to a host. If a host has USB devices connected when you assign a policy, those devices aren't
affected until the next time they're reconnected or the next time the host reboots.

macOS

USB device policies take effect when a USB device is connected to a host. If a host has USB devices connected when you assign a policy, the policy will take effect
immediately, meaning that if the policy blocks that USB device, it will be disconnected.

Enable or disable a USB device policy


A policy must be enabled for its settings to take effect on assigned hosts. When a USB device policy is disabled, hosts adopt the settings and rules from the next
policy they are assigned to according to policy precedence [/documentation/page/a0f90068/usb-device-control#nbf4d25f].

To enable or disable a policy:

1. Go to Endpoint security > USB device control > Policies.

2. Click to open the policy.

3. On the Policy Details page, click to select Enable policy or Disable policy.

4. Then click Enable policy or Disable policy to confirm.

Default USB device policy


Throughout Falcon policies, the Default Policy is the last policy in the order of precedence [/documentation/page/a0f90068/usb-device-control#nbf4d25f]. It
cannot be disabled, and is applied to all hosts that aren’t assigned to another enabled policy. Configure your Default Policy to be a safe catch-all that you’re
comfortable applying to any of your organization’s hosts.

Default configuration
Windows:

Policy mode: Monitor and enforce

Device settings: All set to Full access

macOS:

Policy mode: Off

Device settings: All set to Full Access

Each host can belong to one or more host groups. Host groups can be assigned one or more policies. With dynamic groups, a newly installed sensor inherits the
relevant groups and applies the policy with highest precedence to the host. This provides the host with its initial policy settings.

If a host is not a part of any groups, or its groups have no policies assigned, it is automatically assigned to the default policy.

USB device policy precedence


Like other Falcon policies, USB device policies are processed according to precedence (sequential order) on the hosts they’re assigned to, so it’s important to
consider this when configuring your organization’s USB device policies.

Policy precedence determines which policy's settings are applied to a host when the host is a member of more than one policy. Define policies with different
precedences to resolve conflicts. Then, when faced with a conflict, the cloud will automatically apply the policy with the higher precedence (1 being higher than 2,
which is higher than 3, and so on).

On a host, the policy with the highest ranking precedence (1 being highest) is applied and active. If something changes with that highest-ranking policy, for
example if it gets disabled, then the next highest-ranking policy gets applied and becomes active.

Reorder policy precedence on the USB Device Policies page

1. Go to Endpoint security > USB Device Control > Policies.

2. Click Edit precedence.

3. To reorder the policies, use the arrows in the precedence column to drag a policy up or down.

4. Click Save.

Delete a device control policy


1. Go to Endpoint security > USB Device Control > Policies.

2. Click to open the policy you want to delete.

3. If the policy is enabled, click Disable policy.

4. Then click Disable policy to confirm.

5. Click Delete policy.

6. Then click Delete policy to confirm.

Monitor USB Device Connections


After you set up your USB device policies, use the Falcon console’s Device Control dashboards to review USB connection events in your environment. Depending
on which Device Control subscription you have, you'll find your Device Control dashboards in a different part of the Falcon console:

If you have Device Control with Falcon Pro or Falcon Prevent, go to Endpoint security > USB device control > Activity [/activity/usb-device-control/usb-device-usage].

If you have Device Control with Falcon Insight XDR, go to Endpoint security > USB device control > USB device usage [/investigate/events/en-US/app/devicecontrol/dc__deviceusage].

USB Device Control Activity Dashboard


If you have Device Control with Falcon Prevent or Falcon Pro go to
Endpoint security > USB device control > Activity. [/activity/usb-device-control/usb-device-usage]

Note: This Device Control dashboard only shows instances of USB devices connecting to hosts. It doesn't track other user or system actions, such as
file transfers.

Here you can see all instances of USB devices connecting to your hosts, including details about:

The USB device, such as its device name, vendor name, and IDs

The specific host it attempted to connect to, including whether the connection was allowed or blocked

The USB device policy that defined whether the connection was allowed or blocked. You can create policy exceptions here without returning to
Endpoint security > USB device control > Policies.

Filter USB device events
By default, Endpoint security > USB device control > USB device usage shows all instances of USB devices connecting to your hosts. You can filter these events
with the filter bar at the top.

Filter option: Description

Policy mode: Enforce shows events associated with policies set to Monitor and enforce mode; Monitor only shows events associated with policies set to
Monitor only mode. A value of N/A indicates that the USB device was allowed to connect (the Full access permission).

Permissions: View events that resulted in a selected action, based on the Permission setting in your USB device policy. Read only and Read and write
only appear only for devices with the mass storage USB device class.

Policy name: View events associated with a specific USB device policy. A value of N/A indicates that the USB device was allowed to connect (the Full
access permission).

Device class: The USB device class of the device. This is set by the device manufacturer.

Vendor name: The manufacturer of the USB device. This is set by the device manufacturer.

Product name: The product name for the device. This is set by the device manufacturer.

Event type: View whether the device was connected or blocked.

Event time: The time the USB device attempted to connect. This time is recorded in UTC but displayed according to your user profile's time setting.

Investigate USB Device Control


Discover information on USB devices in your environment at
Endpoint security > USB Device Control > USB device usage [/investigate/events/en-US/app/devicecontrol/dc__deviceusage]. If you have Device Control with
Falcon Pro or Falcon Prevent without Insight, go to Endpoint security > USB device control > Activity [/activity/usb-device-control/usb-device-usage].

You'll also use this information when you create exceptions in USB device policies. When creating exceptions, you identify USB devices by their vendor IDs (VIDs),
product IDs (PIDs), and serial numbers. We recommend using the USB device dashboards to get accurate information, but you can also use another source of USB
devices' VIDs, PIDs, and serial numbers.

Tip: To download any of these dashboards, click its export icon.

USB Device Usage


The USB Device Usage dashboard shows all USB device activity in your environment.

You can narrow your search by entering a serial number, vendor name, device class, product name, or company. Depending on the size of your environment,
changing the Time Range can result in a search that takes some time to complete.

Note: This search feature doesn’t support wildcard serial numbers.


Device Usage by Host
The Device Usage by Host dashboard shows device usage for a single host. Enter a hostname in the Host Name field to view its history.

Device Blocks
The Device Blocks dashboard shows instances of USB devices that were blocked by a USB device policy set to Full Block on any host in your environment.
Instances of mass storage devices using policies set to Read only or Read and write only aren't included. This dashboard helps you determine whether your USB
device policies are blocking devices as intended.

You can narrow your search by entering a serial number, vendor name, product name, or company. Depending on the size of your environment, changing the Time
Range can result in a search that takes some time to complete.

Note: This search feature doesn’t support wildcard serial numbers.


Monitoring Policy Dashboard
The Monitoring Policy dashboard shows instances of USB devices that match a USB device policy set to Monitor only. These USB devices were allowed to connect
to a host, but if your policy were set to Monitor and enforce, they would have been blocked. This dashboard helps you test a USB device policy without affecting
users and hosts.

You can narrow your search by entering a serial number, vendor name, product name, or company. Depending on the size of your environment, changing the Time
Range can result in a search that takes some time to complete.

Note: This search feature doesn’t support wildcard serial numbers.

Files written to USB Device Dashboard


Available to Falcon Prevent and Falcon Insight XDR customers with Device Control, the Files written to USB dashboard provides detailed information about file
activity with contextual metadata that enables you to investigate potential data exfiltration events. File written data is retained for 30 days.

To enable this feature, go to Endpoint security > USB device control > Policies and turn on Enhanced file metadata collection.

Note: Enabling the Enhanced file metadata collection feature initiates three Falcon sensor servlet containers on managed hosts. We recommend
testing the feature within your environment before enabling it on hosts with very high I/O workloads.

Sensor support:

Windows: Falcon sensor for Windows version 6.50 and later

To view the Files written to USB dashboard, go to Endpoint security > USB Device Control > Files written to USB.

Filter option: Description

Date Written: Date and time of the file write event

Filename: Full name of the file written

Given File Extension: Extension of the file written

Identified file type: File type based on file structure and content analysis

Identified file category: Identified file category, such as archive, document, or multimedia

Host filepath: The full source file path detected on the managed host

USB device: USB device type

Combined ID: USB device unique identifier

Username: Identified user attached to the file write event

Hostname: Name of the host where the file write event was observed

Note: There might be a short delay in the availability of file provenance data for new files transferred onto removable media.

Use the search feature to narrow your results. Search by computer name, username, file path or name, file type, or company. Depending on the size of your
environment, changing the time range can impact how quickly results are displayed.

Click an event in the dashboard to view more detailed information.

Detailed view: Information included

Related USB session: Falcon sensor creates a unique session ID based on when the removable storage device was inserted. Includes:
  files and data written during the session
  date and time of the first file written
  date and time of the last file written
Select View full session to show all files covered by the USB session.

File:
  file size
  given file extension
  identified file type
  identified file category
  SHA256
  application writing the file
  Microsoft Purview sensitivity label
Note: File source information is available for files under the C:\Users\ directory, which typically incorporates the library folders for all users.

Archive: This information is shown instead of file details when an archive file type is detected.
  filename
  file size
  number of files in the archive
  given file extension
  identified file type
  identified file category
  SHA256
  application writing the file
  Microsoft Purview sensitivity label
Select View filenames to view more details about individual files contained in the archive. You can export these details to a CSV file.

USB device:
  device type
  date and time device first seen
  device class
  vendor
  device serial number and combined ID

User:
  username
  user ID
  logon type
  logon time
  logon server
  logon domain

Host:
  operating system
  IP address
  local IP address
  host ID
  sensor version
  containment status

Note: Archive file introspection for ZIP files is limited to the first 100MB of the ZIP file. If the archive includes more than 50 files, only the top 50 files,
prioritized by file type and size, are scanned. File names might not be available for some password protected ZIP files.

Files Written to USB Overview


The Files Written to USB Overview dashboard shows files that have been written to removable devices. This dashboard helps you identify the specific files being
written from a host. Use the File Type drop down to narrow your results. File types visible for the Files Written to USB Overview dashboard include:

File Category: File Type

File Archive: 7Zip, ARC, ARJ, BZ2, CAB, DEB, GZIP, JAR, RAR, RPM, TAR, XAR, ZIP

Document: DOCX, MS DOCX, MS PPTX, MS XLSX, MSVSDX, OLE, OOXML, PDF, PPTX, RTF, VSDX, XLSX

Design: DWG, DXF, IDW

Multimedia: BMP, GIF, JPEG, PNG, TIFF

Source Code: SCRIPT

Executable: CAB, CLASS, ELF, MACHO, MSI, PE

Virtual Machine: VDI, VMDK

Email: EMAIL, EMAILARC, EML, MSG, OST, PST

Data and Logs: BLF, DMP, ESE

Other: DMG, LNK
You can narrow your search by entering a computer name, user name, file path or name, file type, or company. Depending on the size of your environment,
changing the time range can result in a search that takes some time to complete.

Troubleshoot Device Control Settings


If the USB device policy isn't working as expected for a USB device, follow these steps to troubleshoot the issue:

1. Confirm that the host is updated to Windows sensor version 4.7.7002 or later. Confirm it was rebooted after the sensor update.

2. Verify that the host belongs to a group with the USB device policy assigned.

3. Confirm that there isn’t a higher-precedence USB device policy assigned to the host's group.

Note: One (1) is the highest level of precedence.

4. Confirm that the USB device policy is enabled.

5. Confirm that the USB device policy is set to Monitor and enforce.

6. Verify that the USB device policy is configured to allow or deny access correctly for that device's USB device class.

7. Confirm that there aren’t any exceptions which specify different behavior for that USB device class.

8. Confirm that there isn’t a more specific exception applied to the host.

9. Confirm that you entered a combined ID or manual entry in the correct USB device class.

10. If you entered an exception with a combined ID, confirm that the combined ID is correct.

Block USB devices with multiple classes


Some USB devices, such as multi-function printers, have multiple classes. Depending on the specific classes, you can disable some or all of the device's
functionality.

If a multiple-class device has Mass Storage, you can set Mass Storage to Full Block to block only the storage component of the device. Other functions of
the device continue to work normally. For example, if your policy blocks mass storage for a multi-function printer, the printer can't use its SD card storage,
but it can continue to print normally.

If a multiple-class device doesn't have Mass Storage, blocking any of the device's classes completely prevents connections for that device. For example, if
your policy blocks Audio/Video for a USB camera that also has the Imaging class, the camera can't connect using USB in any way.
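The troubleshooting checklist above and the multiple-class rules in this section describe an evaluation order: highest-precedence policy first, then enabled and enforce state, then the class setting, then any exception for the device. The following is an added illustration of that order as a toy model, not CrowdStrike code; the Policy fields, class names, action strings and sample combined IDs are constructed for the example.

```python
# Added illustration, not CrowdStrike code: a toy model of the USB device policy
# evaluation order that this documentation describes. Policy fields, class names,
# action strings and the sample devices are all constructed for the example.
from dataclasses import dataclass, field


@dataclass
class Policy:
    name: str
    precedence: int              # 1 is the highest precedence
    enabled: bool = True
    enforce: bool = True         # True means "Monitor and enforce"
    class_action: dict = field(default_factory=dict)   # USB class -> action
    exceptions: dict = field(default_factory=dict)     # combined ID -> (class, action)


def effective_policy(policies):
    """Among the policies assigned to the host's groups, the lowest number wins."""
    return min(policies, key=lambda p: p.precedence) if policies else None


def evaluate(policies, device_classes, combined_id):
    """Return the per-class action and whether the device or its storage is blocked."""
    policy = effective_policy(policies)
    if policy is None or not policy.enabled or not policy.enforce:
        # Nothing is enforced: the device is only monitored (or not covered at all).
        return {"policy": policy.name if policy else None, "actions": {},
                "storage_blocked": False, "device_blocked": False}
    actions = {}
    for cls in device_classes:
        action = policy.class_action.get(cls, "Full Access")
        exc = policy.exceptions.get(combined_id)
        if exc and exc[0] == cls:      # an exception entered under this class overrides it
            action = exc[1]
        actions[cls] = action
    has_storage = "Mass Storage" in device_classes
    storage_blocked = has_storage and actions["Mass Storage"] == "Full Block"
    # Multiple-class rule: without Mass Storage, blocking any class blocks the whole device.
    device_blocked = (not has_storage) and any(a == "Full Block" for a in actions.values())
    return {"policy": policy.name, "actions": actions,
            "storage_blocked": storage_blocked, "device_blocked": device_blocked}
```

Walking a device through evaluate() with the same inputs the checklist asks you to verify (policy precedence, enabled/enforce state, class setting, exception) shows which step is producing an unexpected result.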

Vendor name or product name is incorrect


When entering a Vendor Name or Product Name, you might find an entry that corresponds to an incorrect Vendor ID or Product ID. When Falcon looks up vendor
and product names, it checks several third-party lists.

Device Not Supported event type


You might see an event type of Device Not Supported on the USB Device Control dashboard.

This event type means an external device that is potentially incompatible with the Device Control module has been detected. As a result, the Device Control
module can't perform any actions on the device, such as blocking or allowing it. An associated event is, however, logged in the Falcon UI for visibility.

Also, the device might run into compatibility issues or other issues and not be able to function correctly. If such an issue occurs, open a Support ticket for further
investigation and possible remediation.

File Types and Execution


When the Mass Storage permission for a USB device is set to Read and write only, non-executable, file types such as batch or .msi files can still run. These files call
OS components like cmd.exe and msiexec.exe, which aren't controlled by USB Device Control. For Mac USB policies set to Read and write only, non-executable, the
policy only looks for files in the Mach-O format.

Full Disk Access is not enabled (macOS)


When Full Disk Access (FDA) is not enabled on the endpoint, Device Control policies will not behave as expected. For example, if you have Full Block enabled, you will
still be able to access external devices instead of the external device being blocked as intended. For information about the macOS sensor and FDA, see our
Falcon Sensor for Mac Deployment Guide. [/documentation/page/e261a9b7/falcon-sensor-for-mac-deployment]

Internal card reader returns multiple events (macOS)


If your host has an internal card reader and you observe multiple Device Control events for it, this behavior is expected. Device Control detects the internal
card reader each time it is initialized, which looks the same as re-plugging an external device. This happens when the endpoint wakes from sleep mode: when the
laptop lid is opened to wake the endpoint, the internal reader is re-initialized, causing the notifications.

Additional errors

When an external storage device is connected to the host, the following pop-up will appear:

This pop-up is expected and occurs when device permissions are set to Full Block for Mass Storage devices. It appears because Device Control prevented the file
system from being mounted.

When you have Mass Storage permission set to Read Only and you attempt to write to the external storage device, a username/password prompt will appear. After
entering your credentials, the following pop-up will appear:

The username/password prompt and the follow-up pop-up are expected behavior for some applications. If the application is unable to write with the current user
credentials, it requests alternative user credentials. This behavior is not controlled by Device Control; it is application specific.