Configure Device Control

About Device Control

The Device Control module regulates access to external storage devices connected to computers. Device Control helps prevent data loss and leakage and, combined with file scanning, helps guard against security risks.

  • Device Control's enforcement setting (in a policy's or a computer's Device Control tab) can be set to one of three options for each supported device type; from least to most restrictive, these are "Full-Access", "Read-Only", and "Block".
  • The action configured for a device type is taken when a device of that type is connected to the protected endpoint. If a user's action triggers a violation, a Device Control event is sent to the Workload Security console (in Events & Reports > Events > Device Control Events).
  • Exceptions can be added to a policy or a computer (in the computer's Device Control tab > Exceptions) to allow full access to a specific device even when the action for its device type is set to "Read-Only" or "Block".

To enable and configure Device Control, see Set up Device Control.

Device Control Protocols

Actions against device type

When Device Control is enabled, each device type is assigned a protocol, which describes what kinds of actions a user can perform on devices of that type.

The following table shows the permissions associated with each action under the various protocols.

Protocol Read Copy Exclude Write Delete
Full-Access
Read-Only
Block

USB Autorun

Device Control allows an administrator to prevent USB autorun from executing when a USB device is connected to a computer.

Set up Device Control

  1. In the top menu, click the Policies tab.
  2. Double-click the policy for which you want to enable Device Control.
  3. Click Device Control > General.
  4. For Device Control State, select On.
  5. Click Save.

Configure protocols

The device types and settings supported by Trend Micro Cloud One - Workload Security are shown below.

USB Mass Storage

This feature is supported by Deep Security Agent for Windows (version 20.0.0-4959+) and macOS (version 20.0.158+).

Available settings:
  • Full Access
  • Read Only
  • Block

Description: Configure the access policy for USB devices.

USB AutoRun Function

This is not currently supported by the agent for macOS.

Available settings:
  • Allow
  • Block

Description: Allow or block USB device autorun.

Mobile (MTP/PTP)

This is not currently supported by the agent for macOS or Windows Server Core.

Available settings:
  • Allow
  • Block

Description: Configure the access policy for USB mobile devices.

Configure USB Device Exceptions

Create new device

To allow access to specific USB devices when USB Mass Storage is set to "Block" or "Read Only", create exception rules.

For each exception rule, type a name, then specify the device's "Vendor", "Model" and "Serial Number".

An access that would otherwise be a violation is permitted when the device's "Vendor", "Model" and "Serial Number" all match an exception rule.

For information on USB devices, visit this page: https://success.trendmicro.com/dcx/s/solution/000286159?language=en_US
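The following Python model illustrates how the enforcement setting and the exception rules described above combine to decide whether a given access is allowed and when a Device Control event is raised. It is an added example written for this page, not Workload Security's own code; the mapping of "Read-Only" to the read and copy operations, the event record format, and the device identifiers ("ExampleVendor", "ExampleModel", "SN-0001") are all assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum


class Enforcement(Enum):
    """The three enforcement settings, from least to most restrictive."""
    FULL_ACCESS = "Full-Access"
    READ_ONLY = "Read-Only"
    BLOCK = "Block"


# Operations each setting permits. This mapping is an assumption of the model:
# Read-Only permits reading from and copying off the device but not writing to
# or deleting from it; Block permits nothing; Full-Access permits everything.
PERMITTED = {
    Enforcement.FULL_ACCESS: {"read", "copy", "write", "delete"},
    Enforcement.READ_ONLY: {"read", "copy"},
    Enforcement.BLOCK: set(),
}


@dataclass(frozen=True)
class DeviceException:
    """An exception rule: a name plus the Vendor, Model and Serial Number it matches."""
    name: str
    vendor: str
    model: str
    serial_number: str

    def matches(self, vendor: str, model: str, serial_number: str) -> bool:
        # All three identifiers must match; a partial match grants nothing.
        return (self.vendor == vendor
                and self.model == model
                and self.serial_number == serial_number)


@dataclass
class DeviceControlPolicy:
    """Device Control settings for the USB Mass Storage device type."""
    enabled: bool = True
    usb_mass_storage: Enforcement = Enforcement.BLOCK
    exceptions: list = field(default_factory=list)
    events: list = field(default_factory=list)  # violations recorded here

    def evaluate(self, vendor: str, model: str, serial_number: str,
                 operation: str) -> bool:
        """Return True if the operation on the device is allowed, False if blocked."""
        if not self.enabled:
            return True  # module off: nothing is enforced
        # A matching exception grants full access regardless of the setting.
        for rule in self.exceptions:
            if rule.matches(vendor, model, serial_number):
                return True
        if operation in PERMITTED[self.usb_mass_storage]:
            return True
        # Violation: record an event like the one the console would display
        # (constructed record layout, not the product's event schema).
        self.events.append({
            "device_type": "USB Mass Storage",
            "vendor": vendor,
            "model": model,
            "serial_number": serial_number,
            "operation": operation,
            "enforcement": self.usb_mass_storage.value,
        })
        return False


def demo() -> DeviceControlPolicy:
    """Read-Only policy with one exception for a known backup drive (constructed)."""
    policy = DeviceControlPolicy(
        usb_mass_storage=Enforcement.READ_ONLY,
        exceptions=[DeviceException("Backup drive", "ExampleVendor",
                                    "ExampleModel", "SN-0001")],
    )
    # Excepted device: writing is allowed despite Read-Only.
    policy.evaluate("ExampleVendor", "ExampleModel", "SN-0001", "write")
    # Unknown device with same vendor/model but a different serial: read ok, write blocked.
    policy.evaluate("ExampleVendor", "ExampleModel", "SN-0002", "read")
    policy.evaluate("ExampleVendor", "ExampleModel", "SN-0002", "write")
    return policy


if __name__ == "__main__":
    for event in demo().events:
        print(event)
```

The point the model makes explicit is that an exception is keyed on all three identifiers, so a device sharing a vendor and model with an excepted drive but carrying a different serial number still falls under the Read-Only setting, and every blocked write produces an event that can be reviewed and tagged in the console.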

Select existing devices

Existing devices can be used in multiple policies. To include existing devices in a policy, click Select existing devices in lists and select the relevant devices.

Device Control event tagging

The events generated by the Device Control module are displayed in the Workload Security console, under Events & Reports > Device Control Events. Event tagging can help you to sort events and determine which events need to be investigated further and which events are legitimate.

You can manually apply tags to events by right-clicking the event and then clicking Add Tag(s). You can choose to apply the tag to only the selected event or to any similar Device Control events.

You can also use the auto-tagging feature to group and label multiple events. To configure this feature in the Workload Security console, go to Events and Reports > Device Control Events > Auto-Tagging > New Trusted Source. There are three sources that you can use to perform the tagging:

  • A Local Trusted Computer.
  • The Trend Micro Certified Safe Software Service.
  • A Trusted Common Baseline, which is a set of file states collected from a group of computers.

For more information on event tagging, see Apply tags to identify and group events.