Device_Control

Device Control

OfficeScan provides a device control feature that regulates access to external storage devices and network resources connected to computers. Device control helps prevent data loss and leakage and, combined with file scanning, helps guard against security risks.

Notification messages are displayed on the endpoints when device control violations occur. Administrators can also modify the default notification message, if needed.

Device Control is available only on computers running x86 type platforms.

• To help ensure that this feature does not interfere with critical applications, OfficeScan leaves this feature disabled on server platforms, even when it is enabled through the console. To enable this feature on a server computer, manually modify registry settings on that computer. For instructions, refer to Post-installation Considerations.

To manage access to external devices:

• Networked Computers > Client Management > Settings > Device Control

1. Select the check box to enable device control.

2. Choose whether to block or allow the AutoRun function (autorun.inf) on USB devices connected to the computer.

3. Select the permissions for each device type.

   Device permissions

   Permissions	Files on the Device	Incoming Files
   Full access	Operations allowed: Copy, Move, Open, Save, Delete, Execute	Operations allowed: Save, Move, Copy This means that a file can be saved, moved, and copied to the device.
   Read and write only	Operations allowed: Copy, Move, Open, Save, Delete Operation blocked: Execute	Operations allowed: Save, Move, Copy
   Read and execute only	Operations allowed: Copy, Open, Execute Operations blocked: Save, Move, Delete	Operations blocked: Save, Move, Copy
   Read only	Operations allowed: Copy, Open Operations blocked: Save, Move, Delete, Execute	Operations blocked: Save, Move, Copy
   No access	Any attempt to access the device or network resource is automatically blocked.	Operations blocked: Save, Move, Copy

• The scanning function in OfficeScan complements and may override the device permissions. For example, if the permission allows a file to be opened but OfficeScan detects that the file is infected with malware, a specific scan action will be performed on the file to eliminate the malware. If the scan action is Clean, the file opens after it is cleaned. However, if the scan action is Delete, the file is deleted.

4. Select whether to display a notification message on the client computer when OfficeScan detects unauthorized device access, which includes all operations that OfficeScan blocks.

5. If you selected domain(s) or client(s) on the client tree, click Save to apply settings to the domain(s) or client(s). If you selected the root icon, choose from the following options:

• Apply to All Clients: Applies settings to all existing clients and to any new client added to an existing/future domain. Future domains are domains not yet created at the time you configure the settings.

• Apply to Future Domains Only: Applies settings only to clients added to future domains. This option will not apply settings to new clients added to an existing domain.

To modify the content of the notification message:

• Notifications > Client User Notifications

1. Click the Device Access Control Violation tab.

2. Modify the default messages in the text box provided.

3. Click Save.

See also:

• Device Control Logs