Device Control
OfficeScan provides a device control feature that regulates access to external storage devices and network resources connected to computers. Device control helps prevent data loss and leakage and, combined with file scanning, helps guard against security risks.
Notification messages are displayed on the endpoints when device control violations occur. Administrators can also modify the default notification message, if needed.
Device Control is available only on computers running x86 type platforms.
To ensure that this feature does not interfere with critical applications, OfficeScan leaves this feature disabled on server platforms. To enable this feature on a server computer, enable Unauthorized Change Prevention Service. Refer to Additional Service Settings.
To manage access to external devices:
Networked Computers > Client Management > Settings > Device Control
Select the check box to enable device control.
Choose whether to block or allow the AutoRun function (autorun.inf) on USB devices connected to the computer.
Select the permissions for each device type.
Device permissions

| Permissions | Files on the Device | Incoming Files |
|---|---|---|
| Full control | Operations allowed: Copy, Move, Open, Save, Delete, Execute | Operations allowed: Save, Move, Copy. This means that a file can be saved, moved, and copied to the device. |
| Modify | Operations allowed: Copy, Move, Open, Save, Delete. Operation blocked: Execute | Operations allowed: Save, Move, Copy |
| Read and execute | Operations allowed: Copy, Open, Execute. Operations blocked: Save, Move, Delete | Operations blocked: Save, Move, Copy |
| Read | Operations allowed: Copy, Open. Operations blocked: Save, Move, Delete, Execute | Operations blocked: Save, Move, Copy |
| No access | Any attempt to access the device or network resource is automatically blocked. | Operations blocked: Save, Move, Copy |
The scanning function in OfficeScan complements and may override the device permissions. For example, if the permission allows a file to be opened but OfficeScan detects that the file is infected with malware, a specific scan action will be performed on the file to eliminate the malware. If the scan action is Clean, the file opens after it is cleaned. However, if the scan action is Delete, the file is deleted.
Select whether to display a notification message on the client computer when OfficeScan detects unauthorized device access, which includes all operations that OfficeScan blocks.
Specify applications that will be exempt from Device Control policies or applications that can be run despite Device Control policies. Refer to Device Control Exception Lists.
If you selected domain(s) or client(s) on the client tree, click Save to apply settings to the domain(s) or client(s). If you selected the root icon, choose from the following options:
Apply to All Clients: Applies settings to all existing clients and to any new client added to an existing/future domain. Future domains are domains not yet created at the time you configure the settings.
Apply to Future Domains Only: Applies settings only to clients added to future domains. This option will not apply settings to new clients added to an existing domain.
To modify the content of the notification message:
Notifications > Client User Notifications
Click the Device Control Violation tab.
Modify the default messages in the text box provided.
Click Save.