Controlling storage on USB devices

This protection makes it possible to control access to files stored on USB storage devices (external hard disks, USB keys, etc.).

Rules may cover devices filtered by vendor ID or product ID, or devices known to SES Evolution with a trust level.

If overall access to USB devices is blocked, files on USB mass storage devices cannot be accessed even when a rule specifically applying to these devices allows it. To monitor overall access, refer to the section Controlling access to USB devices.

For more information on trust levels, refer to the section Managing USB storage devices.

The left side of a rule covers files that may be found on USB devices, while the right side covers the devices themselves.

To create rules that regulate access to files on USB storage devices:

  1. Select the Policies menu and click on your policy.
  2. Select a rule set.
  3. Click on the Devices > USB storage tab.
  4. If you are in read-only mode, click on Edit in the upper banner.
  5. Click on Add a rule (USB storage device). A new row appears.
  6. In the left side of the rule, click on to add file identifiers. Files can be identified by a path or an alternate data stream. Generic characters are allowed in this field.
  7. Click on Apply to add the ID.
  8. For each type of operation, select the default behavior that applies to the devices when files match the rule: allow or block (protection rule).
  9. To exclude specific devices from the default behavior, click on + Add a specific behavior:
    1. Add one or several device IDs. Devices can either be identified by their vendor or product IDs, or the trust level that SES Evolution assigned to the device.
      • To find out the vendor or product IDs, or the serial numbers of devices, look up the Windows device manager when the device in question is plugged in or use the dedicated utilities.
      • For more information on trust levels, refer to the section Managing USB storage devices.
    2. Select the behavior for these IDs.
  1. In the upper banner in the rule, you can:
    • Make the rule passive. Passive rules behave like standard rules but do not actually block any actions. The agent only generates logs that indicate which actions security rules would have blocked.
      Use this mode to test new restriction rules, find out their impact, and make the necessary adjustments before disabling Passive rule mode. For further information on testing rules and policies, refer to Testing security policies.
    • Indicate whether the rule must generate an incident when it is applied.
    • Select the log settings that this rule will send.
    • Specify whether an action must be performed when a log is sent for this rule. You can choose to display a notification on the agent and/or run a script.
    • Enter a description to explain what this rule aims to achieve.
  2. The row number of each rule appears on its left. Rearrange the sequence of your rules if you need to, by clicking on the arrows above and below the row number.
  3. Click on Save at the top right of the window to save changes.