Configure Device Control
About Device Control
The Device Control module regulates access to external storage devices that are connected to computers. Device Control helps prevent data leaks and, combined with file scanning, helps guard against security risks.
Device Control's enforcement setting (in a policy, or on a computer's Device Control tab) can be set to one of three options for each supported device type. From least to most restrictive, these are "Full-Access", "Read-Only", and "Block".
The configured action for a device type is applied whenever a device of that type is connected to the protected endpoint. When a user's action violates the setting, a Device Control event is sent to the Deep Security console (Events & Reports > Events > Device Control Events).
Exceptions can be added to a policy or to a computer (in the computer's Device Control tab > Exceptions) to grant full access to a specific device even when its device type is set to "Read-Only" or "Block".
To enable and configure Device Control, see Set up Device Control.
Device Control protocols
Actions against device type
When Device Control is enabled, each device type is assigned a "protocol": the set of permissions users have when they access a device of that type.
Protocol | Read | Copy | Execute | Write | Delete |
---|---|---|---|---|---|
Full-Access | ✔ | ✔ | ✔ | ✔ | ✔ |
Read-Only | ✔ | ✔ | ✖ | ✖ | ✖ |
Block | ✖ | ✖ | ✖ | ✖ | ✖ |
USB Autorun
Device Control can also prevent USB autorun from executing when a USB device is connected to a computer.
Set up Device Control
- Go to Policies. (To enable Device Control on a single computer instead, open that computer's Device Control tab and continue from step 3.)
- Double-click the policy for which you want to enable Device Control.
- Select Device Control > General.
- For Device Control State, select On.
- Select Save.
Configure protocols
The following table shows available action settings for each device type.
Available setting | Description |
---|---|
USB Mass Storage | Configure the access policy for USB storage devices. This feature is supported by Deep Security Agent 20.0.0-4959+ for Windows. |
USB AutoRun Function | Allow or block USB device autorun. |
Mobile (MTP/PTP) | Configure the access policy for USB mobile devices. This is not currently supported by the agent for Windows Server Core. |
Configure USB device exceptions
Create new device
To allow access to specific USB devices when USB Mass Storage is set to Block or Read-Only, create exception rules.
For each exception rule, type a name, then specify the device's Vendor, Model, and Serial Number.
A device whose Vendor, Model, and Serial Number all match an exception rule is granted full access, so an access that would otherwise be a violation is allowed and no violation event is generated. For help identifying these values for a device, see Excluding USB storage devices and mobile phones in Device Control.
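As an added worked example (not the page's or Trend Micro's code), the following Python models the enforcement decision described by the protocol table and the exception rules above: a device's effective protocol, the per-operation permission check, the autorun decision at connect time, and the event a violation would produce. The device types, protocol names and permission matrix are taken from this page; the default protocol per type (unrestricted), the exact-match comparison of Vendor, Model and Serial Number, the event fields, and the sample device identifiers are assumptions constructed for the illustration.

```python
"""Model of Device Control enforcement. Added illustration, not agent code.

Encodes the protocol table (Full-Access / Read-Only / Block), vendor+model+
serial exception rules, the autorun switch, and the events a violation raises.
Assumptions: unrestricted default per type, exact-match rule comparison,
and the event field names used below.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Permission matrix from the protocol table on this page.
PROTOCOLS: Dict[str, frozenset] = {
    "Full-Access": frozenset({"read", "copy", "execute", "write", "delete"}),
    "Read-Only": frozenset({"read", "copy"}),
    "Block": frozenset(),
}
DEVICE_TYPES = ("USB Mass Storage", "Mobile (MTP/PTP)")


@dataclass(frozen=True)
class Device:
    device_type: str
    vendor: str
    model: str
    serial: str


@dataclass(frozen=True)
class ExceptionRule:
    name: str
    vendor: str
    model: str
    serial: str

    def matches(self, device: Device) -> bool:
        # All three identifiers must match: vendor or model alone is never
        # enough, so a look-alike stick with a different serial stays restricted.
        return (self.vendor, self.model, self.serial) == (
            device.vendor, device.model, device.serial)


@dataclass
class DeviceControlPolicy:
    enabled: bool = True
    # Assumed default: every supported type starts unrestricted.
    protocols: Dict[str, str] = field(
        default_factory=lambda: {t: "Full-Access" for t in DEVICE_TYPES})
    usb_autorun_allowed: bool = False
    exceptions: List[ExceptionRule] = field(default_factory=list)
    # What the agent would report under Device Control Events.
    events: List[dict] = field(default_factory=list)

    def effective_protocol(self, device: Device) -> str:
        """Protocol that applies to this exact device under this policy."""
        if not self.enabled:
            return "Full-Access"
        if any(rule.matches(device) for rule in self.exceptions):
            return "Full-Access"  # an exception overrides Read-Only or Block
        # Assumption: a type the policy does not regulate is unrestricted.
        return self.protocols.get(device.device_type, "Full-Access")

    def connect(self, device: Device) -> dict:
        """Called when a device is plugged in; also decides USB autorun."""
        autorun = (not self.enabled) or self.usb_autorun_allowed
        if device.device_type == "USB Mass Storage" and not autorun:
            self._event("autorun", device, self.effective_protocol(device), None)
        return {"protocol": self.effective_protocol(device), "autorun": autorun}

    def check(self, device: Device, action: str, user: str) -> bool:
        """Return True if `user` may perform `action`; otherwise log an event."""
        if action not in PROTOCOLS["Full-Access"]:
            raise ValueError(f"unknown action {action!r}")
        protocol = self.effective_protocol(device)
        if action in PROTOCOLS[protocol]:
            return True
        self._event(action, device, protocol, user)
        return False

    def _event(self, action: str, device: Device, protocol: str,
               user: Optional[str]) -> None:
        self.events.append({
            "user": user, "action": action, "protocol": protocol,
            "type": device.device_type,
            "device": f"{device.vendor} {device.model} (S/N {device.serial})",
        })


if __name__ == "__main__":
    policy = DeviceControlPolicy()
    policy.protocols["USB Mass Storage"] = "Read-Only"
    policy.protocols["Mobile (MTP/PTP)"] = "Block"
    # Constructed sample identifiers, not real devices.
    policy.exceptions.append(
        ExceptionRule("Backup key", "Kingston", "DataTraveler 3.0", "0123456789AB"))
    approved = Device("USB Mass Storage", "Kingston", "DataTraveler 3.0", "0123456789AB")
    stranger = Device("USB Mass Storage", "Kingston", "DataTraveler 3.0", "FFFFFFFFFFFF")
    phone = Device("Mobile (MTP/PTP)", "ExampleCorp", "Handset", "SN001")
    print("connect:", policy.connect(stranger))
    for dev, action in [(approved, "write"), (stranger, "read"),
                        (stranger, "write"), (phone, "copy")]:
        verdict = "allowed" if policy.check(dev, action, "alice") else "BLOCKED"
        print(f"{dev.serial} {action}: {verdict}")
    for ev in policy.events:
        print("event:", ev)
```

The point the model makes concrete is that an exception is keyed on all three identifiers, so the second Kingston stick with a different serial stays Read-Only, and that disabling the module (not just setting Full-Access) removes both the access checks and the autorun block.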
Select existing devices
Existing devices can appear in multiple policies. To include existing devices in a policy, click **Select existing devices in lists** and select the relevant devices.
Device Control event tagging
The events generated by the Device Control module are displayed in the Deep Security console, under Events & Reports > Events > Device Control Events. Event tagging helps you sort events and determine which events need further investigation and which are legitimate.
You can manually apply tags to events by right-clicking the event and then clicking Add Tag(s). You can choose to apply the tag to only the selected event or to any similar Device Control events.
You can also use the auto-tagging feature to group and label multiple events. To configure this feature in the Deep Security console, go to Events & Reports > Events > Device Control Events > Auto-Tagging > New Trusted Source. There are three sources that you can use to perform the tagging:
- A Local Trusted Computer.
- The Trend Micro Certified Safe Software Service.
- A Trusted Common Baseline, which is a set of file states collected from a group of computers.
For more information on event tagging, see Apply tags to identify and group events.