Configure Device Control

About Device Control

The Device Control module regulates access to external storage devices that are connected to computers. Device Control helps prevent data leaks and, combined with file scanning, helps guard against security risks.

Device Control's enforcement setting (in a policy or computer's Device Control tab) can be set to three options for each supported device type which from unlimited to restricted is "Full-Access", "Read-Only", and "Block".

Actions against a specific device type will be taken when that type of device is connected to the protected endpoint. If a user's action triggers the violation, Device Control events will be sent to Deep Security Console (in Events & Reports > Events > Device Control Events).

Exceptions can be added to a policy or a computer (in the computer's Device Control tab > Exceptions) to allow for full access for the device even when the action is set to "Read-Only" or "Block".

To enable and configure Device Control, see Set up Device Control.

Device Control protocols

Actions against device type

When Device Control is enabled, each device type is assigned a "protocol," the permissions users have when they access it.

Protocol Read Copy Exclude Write Delete
Full-Access
Read-Only
Block

USB Autorun

Device Control allows you to prevent the execution of USB autorun when a USB device is connected to a computer.

Set up Device Control

  1. Go to Policies. (Alternatively, to enable it on a specific computer, go to the computer's Device Control tab.)
  2. Double-click the policy for which you want to enable Device Control.
  3. Select Device Control > General.
  4. For Device Control State, select On.
  5. Select Save.

Configure protocols

The following table shows available action settings for each device type.

Available setting Description

USB Mass Storage

This feature is supported by Deep Security Agent 20.0.0-4959+ for Windows.

  • Full Access
  • Read Only
  • Block
Configure access policy of USB devices

USB AutoRun Function

  • Allow
  • Block
Allow or block USB device auto run

Mobile (MTP/PTP)

This is not currently supported by the agent for Windows Server Core.

  • Allow
  • Block
Configure access policy of USB mobile device

Configure USB device exceptions

Create new device

To allow access to specific USB devices when USB Mass Storage is set to Block or Read Only, set exception rules.

For each exception rule, type a name, then specify Vendor, Model, and Serial Number.

An access violation will be bypassed if the access matches the Vendor, Model, and Serial Number in exception rules. For information on USB devices, see Excluding USB storage devices and mobile phones in Device Control.

Select existing devices

Existing devices can appear in multiple policies. To include existing devices in a policy, click **Select existing devices in lists** and select the relevant devices.

Device Control event tagging

The events generated by the Device Control module are displayed in the Deep Security console, under Events & Reports > Device Control Events. Event tagging can help you to sort events and determine which events need to be investigated further and which events are legitimate.

You can manually apply tags to events by right-clicking the event and then clicking Add Tag(s). You can choose to apply the tag to only the selected event or to any similar Device Control events.

You can also use the auto-tagging feature to group and label multiple events. To configure this feature in the Deep Security console, go to Events and Reports > Device Control Events > Auto-Tagging > New Trusted Source. There are three sources that you can use to perform the tagging:

  • A Local Trusted Computer.
  • The Trend Micro Certified Safe Software Service.
  • A Trusted Common Baseline, which is a set of file states collected from a group of computers.

For more information on event tagging, see Apply tags to identify and group events.