Changing the trust level of a USB device

There are three trust levels for USB devices in SES Evolution:

  • Level 0 - : For the SES Evolution agent, the device is neither enrolled, nor trusted. The device is plugged into the SES Evolution agent but the backoffice has not yet assigned an unique ID to it.
  • Level 1 - : For the SES Evolution agent, the device is enrolled, but not trusted. The device is known and the backoffice has assigned a unique ID to it. Either its content has not yet been verified or it has changed since the last verification (when changes are made to a host outside the SES Evolution pool, for example). The device must be analyzed by an air-gapped workstation to switch to level 2.
  • Level 2 - : For the SES Evolution agent, the device is enrolled and trusted. The device is known to the backoffice with a unique ID and its content is considered trusted. This level indicates that the device has been analyzed by an antivirus on an air-gapped SES Evolution workstation and that it does not contain any malicious files. This trust level will be maintained as long as the device's content is changed within the SES Evolution pool.

The trust level of a device is recognized throughout your SES Evolution pool, and does not depend on agent groups.

Once the trust levels are assigned, use them to filter the USB devices allowed in your pool. For example, you can protect your pool by creating a rule that allows only level 2 USB devices. For further information, refer to the section Monitoring storage on USB devices.

For security reasons, the trust level of a USB device cannot be changed in the following cases:

  • If the user session on the agent is locked or signed out,

  • If the agent is remotely controlled through a remote desktop connection,

  • If the device was already connected when the agent started running.

To change its trust level, the device must be inserted after the user session is opened on the physical workstation.

  1. Select the Security > Devices menu. You will see the list of all USB devices that have ever been plugged in when SES Evolution agents are used.
  2. Select one or several devices and click on Change selection.
  1. In the Trust level area, select Raise the trust level of level 0 devices as the action.
  2. Click on OK.

    3. The change in trust level is shown in the corresponding column in the Devices panel. The icon means that the level 0 device will switch to level 1 the next time it is connected to an SES Evolution agent.
  3. To apply this change to agents, select the Security > Deployment menu and click on Deploy.
  4. Connect the modified device to an SES Evolution agent (or disconnect and reconnect it if it had stayed connected). It will appear in the panel of devices with its new trust level 1 .

Level 1 can also be automatically granted to any device that is connected to an SES Evolution agent if the option Allow device identification was enabled in the configuration of the agent group. For further information, refer to the section Detecting and configuring the trust level on devices

Trust level 2 can only be granted after the USB device has been connected to a decontamination station. A decontamination station is a dedicated SES Evolution agent on which USB devices in the pool are analyzed and granted the highest trust level if they are considered trustworthy. In general, it is equipped with one or several antiviruses that are more powerful than the other agents in the pool, and a specific SES Evolution security policy.

  1. Configure your SES Evolution agent as a decontamination station:
    • Add it to an agent group in which it will be the only agent.
    • Configure the agent group by enabling the options Trust empty devices and Automatically scan devices.
    • Deploy the policy on the agent from the Security > Deployment menu.
  2. Plug the USB device into the decontamination station.
    If it is considered trustworthy, it will appear directly in the Devices panel with the highest trust level. It will lose this trust level as soon as its contents are modified outside the SES Evolution pool. Plug it into the decontamination workstation again to restore the highest trust level.

Untrusting a USB device means that its trust level will be brought down to 0.

  1. Select the Security > Devices menu. You will see the list of all USB devices that have ever been plugged in when SES Evolution agents are used.
  2. Select one or several devices and click on Change selection.
  1. In the Trust level area, select Untrust level 1 or 2 devices as the action.
  2. Click on OK.

    3. The change in trust level is shown in the corresponding column in the Devices panel. The icon means that the level 1 device will switch to level 0 the next time it is connected to an SES Evolution agent.
  3. To apply this change to agents, select the Security > Deployment menu and click on Deploy.
  4. Connect the modified device to an SES Evolution agent (or disconnect and reconnect it if it had stayed connected). It will appear in the panel of devices with its new trust level 0 .