Device Control
When the Device Control task is running, Kaspersky Embedded Systems Security manages user access to the devices that are installed on or connected to the client device (for example, hard drives, cameras, or Wi-Fi modules). This lets you protect the client device from infection when external devices are connected, and prevent data loss or leaks. Device Control manages user access to devices using access rules.
When a device to which the Device Control task denies access is connected to a client device, the application denies the users specified in the rule access to this device and displays a notification. When those users attempt to read from or write to the device, the application silently blocks the operation.
Device Control settings
Setting | Description |
---|---|
Device Control enabled / disabled | This toggle button enables or disables Device Control. The toggle button is switched on by default. |
Configure trusted devices | Clicking this link opens the Trusted devices window. In this window, you can add devices to a list of trusted devices by ID or by selecting them from the list of devices detected on the client devices. |
Device Control action | Action performed by the application when an attempt is made to access a device to which access is denied in accordance with Device Control rules. |
Configure settings for device types | Clicking this link opens the Device types window. In this window, you can configure access rules for various types of devices. |
Configure settings for connection buses | Clicking this link opens the Connection buses window. In this window, you can configure access rules for connection buses. |
Trusted devices window
The table contains a list of trusted devices. The table is empty by default.
Trusted device settings
Setting | Description |
---|---|
Device ID | Trusted device ID. |
Device name | Name of a trusted device. |
Device type | Trusted device type (for example, Hard drive or Smart card reader). |
Host name | Name of the client device the trusted device is connected to. |
Comment | Comment related to a trusted device. |
You can add a device to the list of trusted devices by the device ID or by selecting the required device in the list of devices detected on the user device.
You can edit and delete trusted devices in the table.
Trusted device (Device ID) window
In this window, you can add a device to the list of trusted devices by its identifier.
Adding device by ID
Setting | Description |
---|---|
Device ID | Entry field for a device ID or device ID mask. You can manually specify the device ID or copy the ID of the required device from the Devices detected on hosts list. To specify an identifier, you can use the following wildcards: * (any sequence of characters) or ? (any single character). For example, you can specify the USBSTOR* mask to allow access to all USB drives. |
Comment | Entry field for a comment (optional). This field is available after you enter the device ID and click the Next button. |
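Because a single mask can trust many devices at once, it helps to check what a mask covers before adding it. The following is an added example, not Kaspersky code: it matches masks using only the two wildcards described above against a constructed list of device IDs and flags masks that cover most of the inventory. Case-insensitive matching, the `max_share` threshold and the sample IDs are assumptions.

```python
import re

def mask_to_regex(mask):
    """Compile a device ID mask: '*' is any sequence, '?' any single character.
    Everything else (including '[', '.', '\\') is treated as a literal."""
    parts = []
    for ch in mask:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    # Assumption: device IDs are compared case-insensitively.
    return re.compile("".join(parts), re.IGNORECASE | re.DOTALL)

def trusted_by(mask, device_ids):
    """Return the device IDs that the mask would add to the trusted list."""
    rx = mask_to_regex(mask)
    return [d for d in device_ids if rx.fullmatch(d)]

def audit_masks(masks, device_ids, max_share=0.5):
    """Per mask: matched IDs, and whether it covers more than max_share of them."""
    report = {}
    for mask in masks:
        hits = trusted_by(mask, device_ids)
        report[mask] = {"matches": hits,
                        "broad": len(hits) > max_share * len(device_ids)}
    return report

# Constructed sample inventory (not real devices).
DETECTED = [
    r"USBSTOR\DISK&VEN_ACME&PROD_FLASH&REV_1.00\0123456789AB&0",
    r"USBSTOR\DISK&VEN_ACME&PROD_FLASH&REV_1.00\0123456789AC&0",
    r"USBSTOR\DISK&VEN_OTHER&PROD_STICK&REV_2.00\FFEEDDCCBBAA&0",
    r"USB\VID_1234&PID_5678\CAMERA001",
]

if __name__ == "__main__":
    masks = ["USBSTOR*", r"USBSTOR\DISK&VEN_ACME*\0123456789A?&0", DETECTED[3]]
    for mask, info in audit_masks(masks, DETECTED).items():
        flag = "BROAD" if info["broad"] else "ok"
        print(f"{flag:5} {len(info['matches'])} matched  {mask}")
```

Run against an export of the Devices detected on hosts list, this shows that USBSTOR* trusts every USB storage device in the inventory, while a mask pinned to vendor, product and serial prefix trusts only the intended units.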
Trusted device window (List of detected devices)
In this window you can add a device to the list of trusted devices by selecting it in the list of existing managed devices.
Information about existing devices is available only if an active policy exists and synchronization with the Network Agent has been completed (the synchronization interval is specified in the Network Agent policy properties; the default setting is 15 minutes). If you create a new policy and there are no other active ones, the list will be empty.
Adding device from list
Setting | Description |
---|---|
Device type | In this drop-down list, you can select the type of devices to be displayed in the Devices detected on hosts table. |
Device ID mask | Entry field for a device ID mask. |
Comment | Entry field for a comment (optional). This field is available after you select the devices and click the Next button. |
Clicking the Filter button opens a window where you can set up filtering of the displayed information about devices.
Device types window
In this window, you can configure access rules for various types of devices.
Access rules for device types
Setting | Description |
---|---|
Access to data storage devices | The table contains the following columns: |
Access to other devices | The table contains the following columns: |
Device access rules window
In this window, you can configure access rules and schedules for the selected device type.
Device access rules and schedules
Setting | Description |
---|---|
Access to device | Access rule for devices of the selected type: |
List of device access rules | The table contains a list of access rules and consists of the following columns: By default, the table contains the Default schedule access schedule, which provides all users with full access to devices (the \Everyone option is selected in the list of users and groups) at any time, if access by the connection bus is allowed for this type of device. |
Device access rules window
In this window, you can configure the device access rule.
Device access rule
Setting | Description |
---|---|
Device access rule settings | Access to devices of the selected type: |
Users and/or user groups | Name of the user or user group to which the rule applies. The default value is \All (all users). |
Schedule for access to devices | Schedule for the specified users' access to devices. The default value is Default schedule. The Default schedule link opens the Schedules window, in which you can configure a different access schedule. |
Select user or group window
In this window, you can specify a local or domain user or user group for which you want to configure an access rule.
Configuring an access rule
Setting | Description |
---|---|
Manually | If this option is selected, enter in the field below the name of the local or domain user or user group to which the device access rule will apply. |
List of groups or users | If this option is selected, you can enter search criteria in the search field for the name of the user or user group to which the device access control rule will apply, or you can select the name of the user group in the list below. |
Schedules window
In this window, you can specify the schedule for the selected device access rule.
You can add, edit, and delete access schedules.
You cannot delete the Default schedule.
Schedule for access to devices window
In this window, you can configure the device access schedule. You can configure schedules only for hard drives, removable drives, floppy disks, and CD/DVD drives.
In the General settings->Application settings section, if the Block access to files during scans check box is cleared, then it is not possible to block access to devices using a device access schedule.
Schedule for access to devices
Setting | Description |
---|---|
Name | Entry field for the access schedule name. |
Time intervals | The table where you can select time intervals for the schedule (days and hours). Intervals highlighted in green are included in the schedule. To exclude an interval from the schedule, click the corresponding cells. Intervals excluded from the schedule are highlighted in gray. By default, all intervals (24/7) are included in the schedule. |
Connection buses window
In this window, you can configure access rules for connection buses.
Connection rules for buses
Setting | Description |
---|---|
Connection bus | Connection bus used to connect devices to the client device: |
Access | This toggle button enables or disables access to devices that use this connection bus: |