Kaspersky Embedded Systems Security for Linux

Device Control

When the Device Control task is running, Kaspersky Embedded Systems Security manages user access to the devices that are installed on or connected to the client device (for example, hard drives, cameras, or Wi-Fi modules). This lets you protect the client device from infection when external devices are connected, and prevent data loss or leaks. Device Control manages user access to devices using access rules.

When a device to which access is denied by a Device Control rule is connected to a client device, the application denies the users specified in the rule access to that device and displays a notification. Subsequent attempts by those users to read from or write to the device are blocked silently, without a notification.

Device Control settings

Setting

Description

Enable Device Control

This check box enables or disables Device Control.

The check box is selected by default.

Trusted devices

This group of settings contains the Configure button. Clicking this button opens the Trusted devices window. In this window, you can add a device to a list of trusted devices by the device ID or by selecting it from the list of devices detected on the client devices.

Device Control action

Action performed by the application when an attempt is made to access a device to which access is denied by an access rule:

  • Apply rules (default value). If you select this option, the application enforces the access rules and performs the action specified in them.
  • Test rules. If you select this option, the application only checks access attempts against the rules and generates an event about each detected attempt to access a device, without applying the action specified in the rules. Use this option to verify a new rule set before enforcing it.

Device Control settings

This group of settings contains buttons that open windows where you can configure access rules for various types of devices as well as connection bus access rules.


[Topic 197225]

Trusted devices window

The table contains a list of trusted devices. The table is empty by default.

Trusted device settings

Setting

Description

Device ID

Trusted device ID.

Device name

Name of a trusted device.

Device type

Trusted device type (for example, Hard drive or Smart card reader).

Host name

Name of the client device the trusted device is connected to.

Comment

Comment related to a trusted device.

You can add a device to the list of trusted devices by its ID or an ID mask, or by selecting the required device in the list of devices detected on the user devices.

You can edit and delete trusted devices in the table. The settings of the selected entry are edited in a separate window.

Clicking the Delete button removes the selected item from the table. This button is available if at least one item is selected in the table.

[Topic 246336]

Trusted device window

In this window, you can add a device to the list of trusted devices by its identifier.

Adding device by ID

Setting

Description

Device ID

The field for entering the identifier or the identifier mask of the device that you want to add to the list of trusted devices.

To specify an identifier, you can use the following wildcards: * (any sequence of characters) or ? (any single character). For example, you can specify the USBSTOR* mask to allow access to all USB drives. Note that such a broad mask trusts every USB storage device, not a specific one; where the goal is to permit only particular devices, use their full device IDs instead of a mask.

Find on hosts

Clicking this button displays the devices found on the connected client devices whose IDs match the specified ID or mask. The button is available if the Device ID field is not empty.

Devices found

The table contains the following columns:

  • Device type – type of device found (for example, Hard drive or Smart card reader).
  • Device ID – ID of the device found.
  • Device name – name of the device found.
  • Name of the client device – name of the client device that the found device is connected to.

Comment

The field for entering a comment for the device that you want to add to the list of trusted devices (optional).


[Topic 246337]

Device window on client devices

In this window you can add a device to the list of trusted devices by selecting it in the list of existing devices detected on client devices.

Information about existing devices is available only if an active policy exists and synchronization with the Network Agent has been completed (the synchronization interval is specified in the Network Agent policy properties; the default setting is 15 minutes). If you create a new policy and there are no other active ones, the list will be empty.

Adding device from list

Setting

Description

Host name

Field for entering the name or the name mask for the managed device for which you want to find connected devices. The default mask is * – all managed devices.

Device type

In this drop-down list, you can select the type of connected device to search for (for example, Hard drives or Smart card readers). The All devices option is selected by default.

Device ID

Field for entering the identifier or identifier mask for the device you want to find. The default mask is * – all devices.

Find on hosts

When you click this button, the application searches for devices that match the specified settings. The search results are displayed in the table below.


[Topic 246338]

Device type window

In this window, you can configure access rules for various types of devices.

Access rules for device types

Setting

Description

Device type

Device type (for example, Hard drives, Printers).

Access

Device access type. Right-clicking opens a context menu where you can select one of the following options:

  • Allow: allow access to devices of the selected type.
  • Block: prohibit access to devices of the selected type.
  • Depends on bus (default value): allow or block access to the devices depending on the access rule for a connection bus.

Double-clicking a device type opens the Configuring device access rule window, where you can configure access rules and access schedules for device types that are allowed with restrictions (that is, allowed but subject to per-user access schedules).

[Topic 210746]

Configuring device access rule window

In this window, you can configure access rules and schedules for the selected device type.

This window is opened by double-clicking the device type in the Device type window.

Device access rules and schedules

Setting

Description

Users and/or user groups

The list contains the users and groups for which you can configure access schedules.

By default, the table contains the \Everyone item (all users).

You can add, edit, and delete users or user groups.

Rules for the selected user group by access schedules

This table contains access schedules for users and user groups. It consists of the following columns:

  • Access schedule – names of existing access schedules. The check box next to the schedule indicates whether this schedule is used by the component.
  • Access – access type for the schedule: Allow (grant access to devices of the selected type) or Block (deny access to devices of the selected type).

Schedules can be configured only for hard drives, removable drives, floppy disks, and CD/DVD drives. By default, the table contains the Default access schedule, which grants all users (the \Everyone item in the Users and/or user groups list) full access to devices of the selected type at any time, provided that access via the connection bus is allowed for this device type.

You can add, edit, and delete access schedules for the selected users. The Default schedule cannot be modified or removed.

Clicking the Delete button removes the selected item from the table.

This button is available if at least one item is selected in the table.


[Topic 210761]

Principal name window

In this window, you can configure the settings of the device access rule being created.

Configuring a device access rule

Setting

Description

Principal type

Principal type to which the rule applies: User or Group.

User or group name

Name of the user or user group to which the rule applies.


[Topic 247137]

Schedule for access to devices window

In this window, you can configure the device access schedule. You can configure schedules only for hard drives, removable drives, floppy disks, and CD/DVD drives.

Device access schedules can block access to devices only if the Block access to files during scans check box in the General settings->Application settings section is selected. If that check box is cleared, a Block schedule has no effect, so verify this setting before relying on a schedule to deny access.

Schedule for access to devices

Setting

Description

Name

Entry field for the access schedule name.

Time intervals

The table where you can select time intervals for the schedule (days and hours).

Intervals highlighted in green are included in the schedule.

To exclude an interval from the schedule, click the corresponding cells. Intervals excluded from the schedule are highlighted in gray.

By default, all intervals (24/7) are included in the schedule.


[Topic 202424]

Connection buses window

In this window, you can configure access rules for connection buses.

Connection rules for buses

Setting

Description

Connection bus

Connection bus used to connect the device to the client device:

  • FireWire
  • USB

Access

Connection bus access rule. Right-clicking opens a context menu where you can select one of the following options:

  • Allow (default value): provide access to the devices connected using this connection bus.
  • Block: deny access to the devices connected using this connection bus.
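The decision described across the Device type, Configuring device access rule, Schedule for access to devices and Connection buses windows above, together with the ID masks of the Trusted device window and the Apply rules / Test rules action, as an added Python model. This is an illustration written for this page, not Kaspersky's code: the page does not document the product's exact evaluation order, so the order used here (trusted devices, then the device type rule, then the connection bus rule, then the user's access schedules, then the action mode) and the precedence of an explicit type rule over the bus rule are assumptions, and the device IDs, policy and timestamps are constructed.

```python
"""Toy model of the Device Control decision logic described in this topic.

Added illustration, not Kaspersky's code. ASSUMPTIONS: evaluation order is
trusted devices -> device type rule -> connection bus rule -> access schedules
-> Apply/Test action, and an explicit Allow/Block type rule overrides the bus rule.
"""
from dataclasses import dataclass, field
from datetime import datetime
from fnmatch import fnmatchcase

ALLOW, BLOCK, DEPENDS_ON_BUS = "Allow", "Block", "Depends on bus"
APPLY, TEST = "Apply rules", "Test rules"
EVERYONE = r"\Everyone"
# Only these device types accept access schedules (as stated on the page).
SCHEDULABLE = {"Hard drives", "Removable drives", "Floppy disks", "CD/DVD drives"}


def id_matches(device_id: str, mask: str) -> bool:
    """Match a device ID against an ID or mask using the page's * and ? wildcards.
    fnmatchcase also treats [...] as a character class, which the page does not
    mention, so avoid '[' in masks."""
    return fnmatchcase(device_id, mask)


@dataclass
class Schedule:
    name: str
    access: str                                 # ALLOW or BLOCK
    hours: dict = field(default_factory=dict)   # weekday (0=Mon) -> set of included hours

    def covers(self, when: datetime) -> bool:
        return when.hour in self.hours.get(when.weekday(), set())


@dataclass
class Policy:
    enabled: bool = True
    action: str = APPLY
    trusted: list = field(default_factory=list)     # device IDs or ID masks
    type_rules: dict = field(default_factory=dict)  # device type -> ALLOW/BLOCK/DEPENDS_ON_BUS
    bus_rules: dict = field(default_factory=dict)   # "USB"/"FireWire" -> ALLOW/BLOCK
    schedules: list = field(default_factory=list)   # (device type, principal, Schedule)


@dataclass
class Device:
    device_id: str
    device_type: str
    bus: str


def rule_verdict(policy: Policy, dev: Device, user: str, groups: set, when: datetime):
    """Verdict from the rules alone, before the Apply/Test action is considered."""
    if any(id_matches(dev.device_id, mask) for mask in policy.trusted):
        return ALLOW, "trusted device"
    access = policy.type_rules.get(dev.device_type, DEPENDS_ON_BUS)  # page default for types
    reason = f"type rule for {dev.device_type}"
    if access == DEPENDS_ON_BUS:
        access = policy.bus_rules.get(dev.bus, ALLOW)                 # page default for buses
        reason = f"bus rule for {dev.bus}"
    if access == BLOCK or dev.device_type not in SCHEDULABLE:
        return access, reason
    # Access is allowed so far; a schedule for this user may still restrict it (assumed order:
    # first matching schedule wins, otherwise the Default schedule allows at any time).
    principals = {user, EVERYONE, *groups}
    for dev_type, principal, sched in policy.schedules:
        if dev_type == dev.device_type and principal in principals and sched.covers(when):
            return sched.access, f"schedule '{sched.name}' for {principal}"
    return ALLOW, "Default schedule"


def decide(policy: Policy, dev: Device, user: str, groups: set, when: datetime):
    """Final decision: in Test rules mode a Block is only reported as an event, not enforced."""
    if not policy.enabled:
        return ALLOW, "Device Control disabled"
    verdict, reason = rule_verdict(policy, dev, user, groups, when)
    if verdict == BLOCK and policy.action == TEST:
        return ALLOW, f"event only ({reason})"
    return verdict, reason


# Constructed sample policy and devices; the IDs are illustrative, not real product IDs.
OUTSIDE_OFFICE = {day: set(range(24)) - (set(range(9, 18)) if day < 5 else set())
                  for day in range(7)}
POLICY = Policy(
    trusted=[r"USBSTOR\DISK&VEN_ACME&PROD_SECUREKEY*"],
    type_rules={"Printers": BLOCK, "Removable drives": DEPENDS_ON_BUS},
    bus_rules={"USB": ALLOW, "FireWire": BLOCK},
    schedules=[("Removable drives", "contractors",
                Schedule("Outside office hours", BLOCK, OUTSIDE_OFFICE))],
)
STICK = Device(r"USBSTOR\DISK&VEN_OTHER&PROD_STICK\123", "Removable drives", "USB")
KEY = Device(r"USBSTOR\DISK&VEN_ACME&PROD_SECUREKEY\0001", "Removable drives", "FireWire")
PRINTER = Device(r"USBPRINT\ACME_LASER\7", "Printers", "USB")
WED = datetime(2024, 5, 1, 10, 0)   # Wednesday, office hours
SAT = datetime(2024, 5, 4, 10, 0)   # Saturday

if __name__ == "__main__":
    for dev, user, groups, when in [(KEY, "alice", {"contractors"}, SAT),
                                    (STICK, "alice", {"contractors"}, WED),
                                    (STICK, "alice", {"contractors"}, SAT),
                                    (PRINTER, "bob", set(), WED)]:
        print(dev.device_type, dev.bus, user, when.strftime("%a %H:%M"), "->",
              decide(POLICY, dev, user, groups, when))
```

Running the script shows the trusted key being allowed even on the blocked FireWire bus, the contractor's USB stick allowed on Wednesday morning but blocked on Saturday by the schedule, and the printer blocked by its type rule; switching the policy's action to "Test rules" turns every Block into an event-only Allow, which is why a policy should be moved back to "Apply rules" once testing is done.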


[Topic 246341]