
Device Control

Device Control regulates access to external storage devices and network resources connected to computers. Device Control helps prevent data loss and leakage and, combined with file scanning, helps guard against security risks.

You can configure Device Control policies for internal and external clients. OfficeScan administrators typically configure a stricter policy for external clients.

Policies are granular settings in the OfficeScan client tree. You can enforce specific policies to client groups or individual clients. You can also enforce a single policy to all clients.

After you deploy the policies, clients use the location criteria you have set in the Computer Location screen (see Computer Location) to determine their location and the policy to apply. Clients switch policies each time the location changes.

Important:

http://docs.trendmicro.com/en-us/enterprise/officescan.aspx

Permissions for Storage Devices

Device Control permissions for storage devices are used when you:

The following table lists the permissions:

Device Control Permissions for Storage Devices

Permission: Full access
  Files on the device: Permitted operations: Copy, Move, Open, Save, Delete, Execute
  Incoming files: Permitted operations: Save, Move, Copy (a file can be saved, moved, and copied to the device)

Permission: Modify
  Files on the device: Permitted operations: Copy, Move, Open, Save, Delete. Prohibited operations: Execute
  Incoming files: Permitted operations: Save, Move, Copy

Permission: Read and execute
  Files on the device: Permitted operations: Copy, Open, Execute. Prohibited operations: Save, Move, Delete
  Incoming files: Prohibited operations: Save, Move, Copy

Permission: Read
  Files on the device: Permitted operations: Copy, Open. Prohibited operations: Save, Move, Delete, Execute
  Incoming files: Prohibited operations: Save, Move, Copy

Permission: List device content only
  Files on the device: Prohibited operations: All operations. The device and the files it contains are visible to the user (for example, from Windows Explorer).
  Incoming files: Prohibited operations: Save, Move, Copy

Permission: Block
  Files on the device: Prohibited operations: All operations. The device and the files it contains are not visible to the user (for example, from Windows Explorer).
  Incoming files: Prohibited operations: Save, Move, Copy

The file-based scanning function in OfficeScan complements and may override the device permissions. For example, if the permission allows a file to be opened but OfficeScan detects that the file is infected with malware, a specific scan action will be performed on the file to eliminate the malware. If the scan action is Clean, the file opens after it is cleaned. However, if the scan action is Delete, the file is deleted.

Advanced Permissions for Storage Devices

Advanced permissions apply when you grant limited permissions to storage devices. The permission can be any of the following:

You can keep the permissions limited but grant advanced permissions to certain programs on the storage devices and on the local computer.

To define programs, configure the following program lists:

Program Lists

Program list: Programs with read and write access to storage devices

  Description: This list contains local programs and programs on storage devices that have read and write access to the devices.

  An example of a local program is Microsoft Word (winword.exe), which is usually found in C:\Program Files\Microsoft Office\Office. If the permission for USB storage devices is "List device content only" but "C:\Program Files\Microsoft Office\Office\winword.exe" is included in this list:

    • A user will have read and write access to any file on the USB storage device that is accessed from Microsoft Word.

    • A user can save, move, or copy a Microsoft Word file to the USB storage device.

  Valid inputs: Program path and name. For details, see Specifying a Program Path and Name.

Program list: Programs on storage devices that are allowed to execute

  Description: This list contains programs on storage devices that users or the system can execute.

  For example, if you want to allow users to install software from a CD, add the installation program path and name, such as "E:\Installer\Setup.exe", to this list.

  Valid inputs: Program path and name or Digital Signature Provider. For details, see Specifying a Program Path and Name or Specifying a Digital Signature Provider.

There are instances when you need to add a program to both lists. Consider the data lock feature in a USB storage device, which, if enabled, prompts users for a valid user name and password before the device can be unlocked. The data lock feature uses a program on the device called "Password.exe", which must be allowed to execute so that users can unlock the device successfully. "Password.exe" must also have read and write access to the device so that users can change the user name or password.

Each program list on the user interface can contain up to 100 programs. If you want to add more programs to a program list, you will need to add them to the ofcscan.ini file, which can accommodate up to 1,000 programs. For instructions on adding programs to the ofcscan.ini file, see To add programs to the Device Control program lists using the ofcscan.ini file:.

Specifying a Digital Signature Provider

Specify a Digital Signature Provider if you trust programs issued by the provider. For example, type Microsoft Corporation or Trend Micro, Inc. You can obtain the Digital Signature Provider by checking the properties of a program (for example, by right-clicking the program and selecting Properties).


Digital Signature Provider for the OfficeScan client program (PccNTMon.exe)

Specifying a Program Path and Name

A program path and name should have a maximum of 259 characters and must only contain alphanumeric characters (A-Z, a-z, 0-9). It is not possible to specify only the program name.

You can use wildcards in place of drive letters and program names. Use a question mark (?) to represent single-character data, such as a drive letter. Use an asterisk (*) to represent multi-character data, such as a program name.

Wildcards are used correctly in the following examples:

Correct Usage of Wildcards

  ?:\Password.exe
    Matched data: The "Password.exe" file located directly under any drive

  C:\Program Files\Microsoft\*.exe
    Matched data: Any .exe file in C:\Program Files\Microsoft

  C:\Program Files\*.*
    Matched data: Any file in C:\Program Files that has a file extension

  C:\Program Files\a?c.exe
    Matched data: Any .exe file in C:\Program Files whose name has 3 characters, starting with the letter "a" and ending with the letter "c"

  C:\*
    Matched data: Any file located directly under the C:\ drive, with or without a file extension

Wildcards are used incorrectly in the following examples:

Incorrect Usage of Wildcards

  ??:\Buffalo\Password.exe
    Reason: ?? represents two characters, and a drive letter is only a single alphabetic character.

  *:\Buffalo\Password.exe
    Reason: * represents multi-character data, and a drive letter is only a single alphabetic character.

  C:\*\Password.exe
  C:\?\Password.exe
    Reason: Wildcards cannot be used to represent folder names. The exact name of a folder must be specified.
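The wildcard rules above are easy to get wrong when a list is long, and a pattern that is rejected (or one that matches more than intended) changes which programs get read/write or execute access. The following is an added example, not Trend Micro code: it validates a program path pattern against the rules stated on this page (259-character limit, single-letter or "?" drive, no wildcards in folder names, no bare program names) and then matches paths against it, with "?" and "*" never crossing a backslash. How OfficeScan itself evaluates patterns internally is not documented here, so the matcher is an assumption built only from the tables.

```python
import re

MAX_PATTERN_LENGTH = 259  # limit stated for a program path and name


def validate_pattern(pattern: str) -> list[str]:
    """Check a program path pattern against the documented wildcard rules.

    Returns a list of problems; an empty list means the pattern is acceptable.
    """
    problems = []
    if len(pattern) > MAX_PATTERN_LENGTH:
        problems.append(f"pattern exceeds {MAX_PATTERN_LENGTH} characters")
    parts = pattern.split("\\")
    if len(parts) < 2:
        # A program name alone, with no drive or path, is not accepted.
        problems.append("specify a drive and path, not only the program name")
        return problems
    drive, folders, name = parts[0], parts[1:-1], parts[-1]
    # The drive is one letter, or '?' standing in for any single letter.
    # '??' and '*' are rejected because a drive letter is exactly one character.
    if not re.fullmatch(r"(?:[A-Za-z]|\?):", drive):
        problems.append(f"invalid drive '{drive}': use one letter or '?' followed by ':'")
    # Wildcards stand for drive letters and program names only, never folder names.
    for folder in folders:
        if "*" in folder or "?" in folder:
            problems.append(f"wildcards are not allowed in folder name '{folder}'")
    if not name:
        problems.append("pattern must end with a program name")
    return problems


def pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate a validated pattern into a case-insensitive regular expression.

    '?' matches one character and '*' any run of characters, but neither
    crosses a backslash, so 'C:\\*' matches files directly under C:\\ only
    (assumed semantics, derived from the examples on this page).
    """
    pieces = []
    for i, ch in enumerate(pattern):
        if ch == "?" and i == 0:
            pieces.append("[A-Za-z]")      # '?' in drive position: any single drive letter
        elif ch == "?":
            pieces.append(r"[^\\]")
        elif ch == "*":
            pieces.append(r"[^\\]*")
        else:
            pieces.append(re.escape(ch))
    return re.compile("".join(pieces), re.IGNORECASE)


def pattern_matches(pattern: str, path: str) -> bool:
    """True when the whole path matches the pattern; raises on an invalid pattern."""
    problems = validate_pattern(pattern)
    if problems:
        raise ValueError("; ".join(problems))
    return pattern_to_regex(pattern).fullmatch(path) is not None


if __name__ == "__main__":
    # Constructed paths that exercise the examples from the two tables.
    checks = [
        (r"?:\Password.exe", r"E:\Password.exe"),
        (r"?:\Password.exe", r"E:\Buffalo\Password.exe"),
        (r"C:\Program Files\*.*", r"C:\Program Files\README"),
        (r"C:\Program Files\a?c.exe", r"C:\Program Files\abc.exe"),
        (r"C:\*", r"C:\tool"),
    ]
    for pat, path in checks:
        print(f"{pat:30} {path:32} -> {pattern_matches(pat, path)}")
    for bad in (r"??:\Buffalo\Password.exe", r"*:\Buffalo\Password.exe",
                r"C:\*\Password.exe", r"C:\?\Password.exe"):
        print(f"{bad:30} rejected: {'; '.join(validate_pattern(bad))}")
```

Running validate_pattern over a list before pasting it into the console (or into ofcscan.ini) catches the "??:" and "C:\*\" mistakes up front; pattern_matches shows what each accepted entry would cover, which is worth reviewing for broad entries such as E:\*.exe.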

Permissions for Non-storage Devices

You can allow or block access to non-storage devices. There are no granular or advanced permissions for these devices.

  1. In the client tree, click the root domain icon to include all clients or select specific domains or clients.

  2. Click Settings > Device Control Settings.

  3. Click the External Clients tab to configure settings for external clients or the Internal Clients tab to configure settings for internal clients.

  4. Select Enable Device Control.

  5. If you are on the External Clients tab, you can apply settings to internal clients by selecting Apply all settings to internal clients.

  6. If you are on the Internal Clients tab, you can apply settings to external clients by selecting Apply all settings to external clients.

  7. Choose to allow or block the AutoRun function (autorun.inf) on USB storage devices.

  8. Configure settings for storage devices.

    1. Select a permission for each storage device. For details about permissions, see Permissions for Storage Devices.

    2. Configure advanced permissions and notifications if the permission for a storage device is any of the following:

    Note: Although you can configure advanced permissions and notifications for a specific storage device on the user interface, the permissions and notifications are actually applied to all storage devices. This means that when you click Advanced permissions and notifications for CD/DVD, you are actually defining permissions and notifications for all storage devices.

      1. Click Advanced permissions and notifications. A new screen opens.

      2. Below Programs with read and write access to storage devices, type a program path and file name and then click Add. Digital Signature Provider is not accepted.

      3. Below Programs on storage devices that are allowed to execute, type the program path and name or the Digital Signature Provider and then click Add.

      4. Select Display a notification message on the client computer when OfficeScan detects unauthorized device access.

        • Unauthorized device access refers to prohibited device operations. For example, if the device permission is "Read", users will not be able to save, move, delete, or execute a file on the device. For a list of prohibited device operations based on permissions, see Permissions for Storage Devices.

        • You can modify the notification message. For details, see Device Control Notifications.

      5. Click Back.

    3. If the permission for USB storage devices is Block, configure a list of approved devices. Users can access these devices and you can control the level of access using permissions.

      1. Click Approved devices.

      2. Type the device vendor.

      3. Type the device model and serial ID.

        • Use the Device List Tool to query devices connected to endpoints. The tool provides the device vendor, model, and serial ID for each device. For details, see Device List Tool.

      4. Select the permission for the device. For details about permissions, see Permissions for Storage Devices.

      5. To add more devices, click the icon.

      6. Click Back.

  9. For each non-storage device, select Allow or Block.

  10. If you selected domain(s) or client(s) in the client tree, click Save. If you clicked the root domain icon, choose from the following options:

  1. In the client tree, click the root domain icon to include all clients or select specific domains or clients.

  2. Click Settings > Device Control Settings.

  3. Click the External Clients tab to configure settings for external clients or the Internal Clients tab to configure settings for internal clients.

  4. Select Enable Device Control.

  5. If you are on the External Clients tab, you can apply settings to internal clients by selecting Apply all settings to internal clients.

  6. If you are on the Internal Clients tab, you can apply settings to external clients by selecting Apply all settings to external clients.

  7. Choose to allow or block the AutoRun function (autorun.inf) on USB storage devices.

  8. Select the permission for each device. For details about permissions, see Permissions for Storage Devices.

  9. Configure advanced permissions and notifications if the permission for a device is any of the following:

  Note: There is no need to configure advanced permissions and notifications if the permission for all devices is Full Access.

    1. Below Programs with read and write access to storage devices, type a program path and file name and then click Add. Digital Signature Provider is not accepted.

    2. Below Programs on storage devices that are allowed to execute, type the program path and name or the Digital Signature Provider and then click Add.

    3. Select Display a notification message on the client computer when OfficeScan detects unauthorized device access.

  10. If you selected domain(s) or client(s) in the client tree, click Save. If you clicked the root domain icon, choose from the following options:

  1. On the OfficeScan server computer, navigate to < Server installation folder >\PCCSRV.

  2. Open ofcscan.ini using a text editor.

  3. To add programs with read and write access to storage devices:

    1. Locate the following lines:

       [DAC_APPROVED_LIST]
       Count=x

    2. Replace "x" with the number of programs in the program list.

    3. Below "Count=x", add programs by typing the following:

       Item<number>=<program path and name or Digital Signature Provider>

       For example:

       [DAC_APPROVED_LIST]
       Count=3
       Item0=C:\Program Files\program.exe
       Item1=?:\password.exe
       Item2=Microsoft Corporation

  4. To add programs on storage devices that are allowed to execute:

    1. Locate the following lines:

       [DAC_EXECUTABLE_LIST]
       Count=x

    2. Replace "x" with the number of programs in the program list.

    3. Below "Count=x", add programs by typing the following:

       Item<number>=<program path and name or Digital Signature Provider>

       For example:

       [DAC_EXECUTABLE_LIST]
       Count=3
       Item0=?:\Installer\Setup.exe
       Item1=E:\*.exe
       Item2=Trend Micro, Inc.

  5. Save and close the ofcscan.ini file.

  6. Open the OfficeScan web console and go to Networked Computers > Global Client Settings.

  7. Click Save to deploy the program lists to all clients.
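Hand-editing ofcscan.ini invites two slips the procedure above depends on getting right: a Count that no longer matches the number of Item lines, and Item numbers that skip or repeat. The following is an added example, not Trend Micro code. It reads the two Device Control sections from a constructed ofcscan.ini fragment (the format shown in the steps above), reports Count/Item inconsistencies and the 1,000-program limit, and renders a section whose Count is always derived from the entries. How OfficeScan reacts to a mismatched Count is not stated on this page, so the checker only flags it.

```python
import re

LIST_SECTIONS = ("DAC_APPROVED_LIST", "DAC_EXECUTABLE_LIST")
INI_LIST_LIMIT = 1000  # the ofcscan.ini lists accommodate up to 1,000 programs

# Constructed sample of the two sections. The second one deliberately has a
# Count that does not match its Item entries, the kind of slip a hand edit makes.
SAMPLE_INI = r"""
[DAC_APPROVED_LIST]
Count=3
Item0=C:\Program Files\program.exe
Item1=?:\password.exe
Item2=Microsoft Corporation

[DAC_EXECUTABLE_LIST]
Count=3
Item0=?:\Installer\Setup.exe
Item1=E:\*.exe
"""


def parse_ini(text: str) -> dict[str, list[tuple[str, str]]]:
    """Minimal INI reader: section name -> ordered (key, value) pairs.

    Keys stay case-sensitive and values are left untouched, so backslashes
    and wildcards in program paths survive exactly as written.
    """
    sections: dict[str, list[tuple[str, str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
            continue
        if current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current].append((key.strip(), value.strip()))
    return sections


def check_program_list(entries: list[tuple[str, str]]) -> list[str]:
    """Report inconsistencies in one program list section."""
    problems = []
    count = None
    count_seen = False
    items: dict[int, str] = {}
    for key, value in entries:
        if key == "Count":
            count_seen = True
            if value.isdigit():
                count = int(value)
            else:
                problems.append(f"Count is not a number: '{value}'")
        elif key.startswith("Item") and key[4:].isdigit():
            index = int(key[4:])
            if index in items:
                problems.append(f"duplicate key Item{index}")
            if not value:
                problems.append(f"Item{index} has an empty value")
            items[index] = value
        else:
            problems.append(f"unexpected key '{key}'")
    if not count_seen:
        problems.append("missing Count line")
    elif count is not None and count != len(items):
        problems.append(f"Count={count} but {len(items)} Item entries are present")
    if sorted(items) != list(range(len(items))):
        problems.append("Item numbers must run contiguously from Item0")
    if len(items) > INI_LIST_LIMIT:
        problems.append(f"list has {len(items)} programs; the limit is {INI_LIST_LIMIT}")
    return problems


def check_ini(text: str) -> dict[str, list[str]]:
    """Run check_program_list over both Device Control sections."""
    sections = parse_ini(text)
    return {name: (check_program_list(sections[name]) if name in sections
                   else ["section missing"])
            for name in LIST_SECTIONS}


def render_program_list(name: str, programs: list[str]) -> str:
    """Produce a section whose Count always agrees with its Item lines."""
    if name not in LIST_SECTIONS:
        raise ValueError(f"unknown program list section '{name}'")
    if len(programs) > INI_LIST_LIMIT:
        raise ValueError(f"{name} accepts at most {INI_LIST_LIMIT} programs")
    lines = [f"[{name}]", f"Count={len(programs)}"]
    lines += [f"Item{i}={program}" for i, program in enumerate(programs)]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for section, problems in check_ini(SAMPLE_INI).items():
        print(section, "OK" if not problems else "; ".join(problems))
    print(render_program_list("DAC_EXECUTABLE_LIST",
                              [r"?:\Installer\Setup.exe", r"E:\*.exe", "Trend Micro, Inc."]))
```

Generating the section with render_program_list and pasting it over the existing one, rather than editing Count by hand, keeps the list and its Count in step; running check_ini on the saved file before clicking Save in Global Client Settings catches the remaining mistakes before they are deployed to every client.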
