Device_Control
OfficeScan provides a device control feature that regulates access to external storage devices and network resources connected to computers. Device control helps prevent data loss and leakage and, combined with file scanning, helps guard against security risks.
Notification messages are displayed on the endpoints when device control violations occur. Administrators can also modify the default notification message, if needed.
Device Control is available only on computers running x86 type platforms.
To help ensure that this feature does not interfere with critical applications, OfficeScan leaves this feature disabled on server platforms, even when it is enabled through the console. To enable this feature on a server computer, manually modify registry settings on that computer. For instructions, refer to Post-installation Considerations.
To manage access to external devices:
Networked Computers > Client Management > Settings > Device Control
Select the check box to enable device control.
Choose whether to block or allow the AutoRun function (autorun.inf) on USB devices connected to the computer.
Select the permissions for each device type.
Device permissions |
Permissions |
Files on the Device |
Incoming Files |
Full access |
Operations allowed: Copy, Move, Open, Save, Delete, Execute |
Operations allowed: Save, Move, Copy This means that a file can be saved, moved, and copied to the device. |
Read and write only |
Operations allowed: Copy, Move, Open, Save, Delete Operation blocked: Execute |
Operations allowed: Save, Move, Copy |
Read and execute only |
Operations allowed: Copy, Open, Execute Operations blocked: Save, Move, Delete |
Operations blocked: Save, Move, Copy |
Read only |
Operations allowed: Copy, Open Operations blocked: Save, Move, Delete, Execute |
Operations blocked: Save, Move, Copy |
No access |
Any attempt to access the device or network resource is automatically blocked. |
Operations blocked: Save, Move, Copy |
The scanning function in OfficeScan complements and may override the device permissions. For example, if the permission allows a file to be opened but OfficeScan detects that the file is infected with malware, a specific scan action will be performed on the file to eliminate the malware. If the scan action is Clean, the file opens after it is cleaned. However, if the scan action is Delete, the file is deleted.
Select whether to display a notification message on the client computer when OfficeScan detects unauthorized device access, which includes all operations that OfficeScan blocks.
If you selected domain(s) or client(s) on the client tree, click Save to apply settings to the domain(s) or client(s). If you selected the root icon, choose from the following options:
Apply to All Clients: Applies settings to all existing clients and to any new client added to an existing/future domain. Future domains are domains not yet created at the time you configure the settings.
Apply to Future Domains Only: Applies settings only to clients added to future domains. This option will not apply settings to new clients added to an existing domain.
To modify the content of the notification message:
Notifications > Client User Notifications
Click the Device Access Control Violation tab.
Modify the default messages in the text box provided.
Click Save.
See also: