Configure Device Control
About Device Control
The Device Control module regulates access to external storage devices connected to computers. Device Control helps prevent data loss and leakage and, combined with file scanning, helps guard against security risks.
- Device Control's enforcement setting (in a policy or a computer's Device Control tab) can be set to one of three options for each supported device type. From least to most restrictive, these are "Full-Access", "Read-Only", and "Block".
- The action configured for a device type is enforced when a device of that type is connected to the protected endpoint. If a user's action violates the setting, a Device Control event is sent to the Workload Security console (Events & Reports > Events > Device Control Events).
- Exceptions can be added to a policy or a computer (in the computer's Device Control tab > Exceptions) to grant full access to a specific device even when the action for its device type is set to "Read-Only" or "Block".
To enable and configure Device Control, see Set up Device Control.
Device Control Protocols
Actions against device type
When Device Control is enabled, each device type is assigned a protocol, which describes which actions a user can perform on devices of that type.
The following table shows the permissions associated with each action under the various protocols.
Protocol | Read | Copy | Exclude | Write | Delete |
---|---|---|---|---|---|
Full-Access | ✔ | ✔ | ✔ | ✔ | ✔ |
Read-Only | ✔ | ✔ | ✖ | ✖ | ✖ |
Block | ✖ | ✖ | ✖ | ✖ | ✖ |
USB Autorun
Device Control allows the user to prevent the execution of USB autorun when a USB device is connected to a computer.
Set up Device Control
- In the top menu, click the Policies tab.
- Double-click the policy for which you want to enable Device Control.
- Click Device Control > General.
- For Device Control State, select On.
- Click Save.
Configure protocols
The device types and settings supported by Trend Micro Cloud One - Workload Security are shown below:
Available setting | Description
---|---
USB Mass Storage (supported by Deep Security Agent for Windows, version 20.0.0-4959+, and for macOS, version 20.0.158+) | Configure the access policy for USB mass storage devices
USB AutoRun Function (not currently supported by the agent for macOS) | Allow or block USB device autorun
Mobile (MTP/PTP) (not currently supported by the agent for macOS or Windows Server Core) | Configure the access policy for USB mobile devices
Configure USB Device Exceptions
Create new device
To allow access to specific USB devices when USB Mass Storage is set to "Block" or "Read-Only", set exception rules.
For each exception rule, type a name, then specify "Vendor", "Model" and "Serial Number".
An action that would otherwise be a violation is allowed when the device's "Vendor", "Model" and "Serial Number" all match those in an exception rule.
For information on USB devices, visit this page: https://success.trendmicro.com/dcx/s/solution/000286159?language=en_US
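The following is an added model of the protocol table and the exception matching described above; it is not Workload Security code, and the device identifiers and the event record are constructed for illustration. It shows that an exception applies only when Vendor, Model and Serial Number all match, so a drive of the same vendor and model with a different serial number still falls under the "Read-Only" or "Block" rule.

```python
from dataclasses import dataclass
from typing import Iterable, Optional

# Permissions granted by each enforcement setting, as in the protocol table above.
PROTOCOLS = {
    "Full-Access": {"read", "copy", "exclude", "write", "delete"},
    "Read-Only": {"read", "copy"},
    "Block": set(),
}

@dataclass(frozen=True)
class UsbDevice:
    vendor: str
    model: str
    serial: str

@dataclass(frozen=True)
class ExceptionRule:
    name: str
    vendor: str
    model: str
    serial: str

    def matches(self, dev: UsbDevice) -> bool:
        # An exception applies only when Vendor, Model AND Serial Number all match.
        return (self.vendor, self.model, self.serial) == (dev.vendor, dev.model, dev.serial)

@dataclass(frozen=True)
class Decision:
    allowed: bool
    effective_protocol: str     # protocol actually applied after exceptions
    exception: Optional[str]    # name of the matching exception rule, if any
    event_logged: bool          # a Device Control event is raised on a violation

def evaluate(protocol: str, action: str, dev: UsbDevice,
             exceptions: Iterable[ExceptionRule]) -> Decision:
    """Model the outcome of one user action on a USB mass storage device."""
    if protocol not in PROTOCOLS:
        raise ValueError(f"unknown protocol: {protocol}")
    matched = next((r for r in exceptions if r.matches(dev)), None)
    # A matching exception grants Full-Access even under Read-Only or Block.
    effective = "Full-Access" if matched else protocol
    allowed = action in PROTOCOLS[effective]
    return Decision(allowed, effective, matched.name if matched else None, not allowed)

# Constructed sample data; these are not real device identifiers.
APPROVED = ExceptionRule("Backup drive", "ExampleVendor", "ExampleModel", "SN-0001")
APPROVED_DEVICE = UsbDevice("ExampleVendor", "ExampleModel", "SN-0001")
LOOKALIKE = UsbDevice("ExampleVendor", "ExampleModel", "SN-9999")
```

Running `evaluate("Read-Only", "write", LOOKALIKE, [APPROVED])` yields a blocked decision with an event, while the same call with `APPROVED_DEVICE` is allowed through the exception.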
Select existing devices
Existing devices can appear in multiple policies. To include existing devices in a policy, click Select existing devices in lists and select the relevant devices.
Device Control event tagging
The events generated by the Device Control module are displayed in the Workload Security console, under Events & Reports > Device Control Events. Event tagging can help you to sort events and determine which events need to be investigated further and which events are legitimate.
You can manually apply tags to events by right-clicking the event and then clicking Add Tag(s). You can choose to apply the tag to only the selected event or to any similar Device Control events.
You can also use the auto-tagging feature to group and label multiple events. To configure this feature in the Workload Security console, go to Events and Reports > Device Control Events > Auto-Tagging > New Trusted Source. There are three sources that you can use to perform the tagging:
- A Local Trusted Computer.
- The Trend Micro Certified Safe Software Service.
- A Trusted Common Baseline, which is a set of file states collected from a group of computers.
For more information on event tagging, see Apply tags to identify and group events.