Blocking USB storage devices with endpoint protection?

Hi Lothar Kruse,

Thanks for reaching out to the Sophos Community Forum.  

Yes, we do have the feature to block all USB interfaces for storage media and make exemptions for allowing only the selected devices. 

• Go to My Products > Endpoint > Policies to control access.
• Create a Peripheral Control policy. See Create or Edit a Policy.
• Open the policy's Settings tab and configure it as described below. Make sure the policy is turned on.
• In Manage Peripherals, select Control access by peripheral type and add exemptions.

• You could select the peripheral type you want and choose the block option so that all the devices in that peripheral type get blocked. 

• Now, insert the specific USB device that you need to allow in the machine, and under Peripheral Exemptions, 
• Click Add Exemptions.

• You see a list of detected peripherals in the Add Peripheral Exemptions dialog.

• Select the peripheral.

• In the Policy column, you can optionally use the drop-down list to assign a specific access policy to an exempt peripheral.

• In the Enforce By column, you can optionally use the drop-down menu to apply the policy to all peripherals of that model or to ones with the same ID (the list shows you the model and ID).

• Click Add Exemption(s).

Note: When you insert the drive, go to device manager-> device-> properties-> details-> you can see the hardware ID and device instance path. You can compare those with the central options and exclude them using model ID/instance ID. 

Please refer this article for more information on this policy and settings. You can also watch the video, which is embedded in the same link. 

Hi Lothar Kruse,

Thanks for reaching out to the Sophos Community Forum.  

Yes, we do have the feature to block all USB interfaces for storage media and make exemptions for allowing only the selected devices. 

• Go to My Products > Endpoint > Policies to control access.
• Create a Peripheral Control policy. See Create or Edit a Policy.
• Open the policy's Settings tab and configure it as described below. Make sure the policy is turned on.
• In Manage Peripherals, select Control access by peripheral type and add exemptions.

• You could select the peripheral type you want and choose the block option so that all the devices in that peripheral type get blocked. 

• Now, insert the specific USB device that you need to allow in the machine, and under Peripheral Exemptions, 
• Click Add Exemptions.

• You see a list of detected peripherals in the Add Peripheral Exemptions dialog.

• Select the peripheral.

• In the Policy column, you can optionally use the drop-down list to assign a specific access policy to an exempt peripheral.

• In the Enforce By column, you can optionally use the drop-down menu to apply the policy to all peripherals of that model or to ones with the same ID (the list shows you the model and ID).

• Click Add Exemption(s).

Note: When you insert the drive, go to device manager-> device-> properties-> details-> you can see the hardware ID and device instance path. You can compare those with the central options and exclude them using model ID/instance ID. 

Please refer this article for more information on this policy and settings. You can also watch the video, which is embedded in the same link.