FAQ

How fast does the agent pick up a policy change?

Default poll interval is 60 seconds. Configurable per agent via PolicyPollIntervalSeconds in agent config. Lower values are fine for dev; production typically stays at 60s. Etag-based conditional GET means a no-op poll is cheap.

What happens to plugged-in devices when policy changes?

On every successful policy fetch the agent runs a "reconciliation" pass — for any device currently plugged in, if the new policy says block (and the agent itself originally allowed it), it disables. If the new policy says allow (and the agent had previously disabled it), it re-enables. No replug needed.

Can users uninstall the agent?

A non-admin user, no — the service ACL prevents stopping the service. A local admin with elevated PowerShell, yes (user-mode limit). Endpoint enrollment drops off the dashboard after the heartbeat timeout, which can trigger an alert.

Does the agent send file contents?

No. The agent reports plug/unplug events with device metadata (VID, PID, serial, friendly name, class). It does not read files from the device.

How much data does the agent send?

Roughly: one event per plug/unplug (~1 KB JSON each). One policy poll every 60 seconds (most are 304s with empty bodies). For a typical office desktop with a few plug/unplug events per day, daily traffic is well under 100 KB.

What about devices on USB hubs?

Each child device on the hub is enumerated separately and evaluated against the policy independently. The hub itself usually shows up as class "USB" and is allowed; downstream devices are evaluated normally.

What if a device reports a fake VID/PID?

The agent matches on what Windows sees in PnP. A device that lies about its VID/PID will match (or not) against the lied-about values. Vendor-name + class fallbacks catch many such cases. The full kernel-mode protections that catch deeper spoofing are v2.

Can I run the dashboard self-hosted?

Not in v1. The agent's SERVER parameter is configurable so a self-hosted cloud control plane is technically possible, but we don't ship docs / installer / infrastructure for it in v1. v1.x or v2 may revisit if there's customer demand.

How does it interact with Windows Defender / EDR?

Cleanly. PermitUSB controls device-level enable/disable; Defender / EDR scan files. They operate at different layers and don't interfere. The agent service is signed and the service binary is registered with a process explorer via standard mechanisms.

What's logged when a device is blocked?

On the agent: an entry in the SQLite event store with timestamp, device fingerprint (VID, PID, serial, name, class), matched rule (or "default block"), and action taken. The cloud receives the same record. The tray app shows a toast notification.

How do I export events?

Dashboard's Events page → "Export." CSV or JSON, honors current filters. For programmatic access, the API exposes /api/events with cursor-based pagination.

FAQ — PermitUSB docs