Changing the trust level of a USB device

There are three trust levels for USB devices in SES Evolution:

  • Level 0: The device was plugged into an SES Evolution agent but is not recognized because it does not have an SES Evolution identifier.
  • Level 1: SES Evolution assigned an identifier to the device. SES Evolution therefore recognizes this device. However, its contents were not analyzed.
  • Level 2: An antivirus analyzed the contents of the device on a decontamination station. They were always modified within your SES Evolution pool. The device therefore does not contain any malicious files and is considered trustworthy.

The trust level of a device is recognized throughout your SES Evolution pool, and does not depend on agent groups.

Once the trust levels are assigned, use them to filter the USB devices allowed in your pool. For example, you can protect your pool by creating a rule that allows only level 2 USB devices. For further information, refer to the section Controlling storage on USB devices.

For security reasons, the trust level of a USB device cannot be changed in the following cases:

  • If the user session on the agent is locked or signed out,

  • If the agent is remotely controlled through a remote desktop connection,

  • If the device was already connected when the agent started running.

To change its trust level, the device must be inserted after the user session is opened on the physical workstation.

  1. Select the Devices menu. You will see the list of all USB devices that have ever been plugged in when SES Evolution agents are used.
  2. Select one or several devices and click on Change selection.
  1. In the Trust level area, select Raise the trust level of level 0 devices as the action.
  2. Click on OK.

    3. The new trust level appears in the corresponding column in the Devices panel. The icon means that the level 0 device will switch to level 1 the next time it is connected to an SES Evolution agent.
  3. To apply this change to agents, select the Environment menu and click on Deploy.
  4. Connect the modified device to an SES Evolution agent (or disconnect and reconnect it if it had stayed connected). It will appear in the panel of devices with its new trust level 1 .

Level 1 can also be automatically granted to any device that is connected to an SES Evolution agent if the option Allow device identification was enabled in the configuration of the agent group. For further information, refer to the section Configuring the trust level of devices.

Trust level 2 can only be granted after the USB device has been connected to a decontamination station. A decontamination station is a dedicated SES Evolution agent on which USB devices in the pool are analyzed and granted the highest trust level if they are considered trustworthy. In general, it is equipped with one or several antiviruses that are more powerful than the other agents in the pool, and a specific SES Evolution security policy.

  1. Configure your SES Evolution agent as a decontamination station:
    • Add it to an agent group in which it will be the only agent.
    • Configure the agent group by enabling the options Trust empty devices and Automatically scan devices.
    • Deploy the policy on the agent from the Environment menu.
  2. Plug the USB device into the decontamination station.
    If it is considered trustworthy, it will appear directly in the Devices panel with the highest trust level. It will lose this trust level as soon as its contents are modified outside the SES Evolution pool. Plug it into the decontamination workstation again to restore the highest trust level.

Untrusting a USB device means that its trust level will be brought down to 0.

  1. Select the Devices menu. You will see the list of all USB devices that have ever been plugged in when SES Evolution agents are used.
  2. Select one or several devices and click on Change selection.
  1. In the Trust level area, select Untrust level 1 or 2 devices as the action.
  2. Click on OK.

    3. The new trust level appears in the corresponding column in the Devices panel. The icon means that the level 1 device will switch to level 0 the next time it is connected to an SES Evolution agent.
  3. To apply this change to agents, select the Environment menu and click on Deploy.
  4. Connect the modified device to an SES Evolution agent (or disconnect and reconnect it if it had stayed connected). It will appear in the panel of devices with its new trust level 0 .