Set the Device Control Access Modes
You manage Device Control access policy modes and access policies directly in a sensor policy.
When you enable the Device control option in a sensor policy, you permit the Cybereason platform to detect, restrict, and/or block removable storage devices that are connected to machines assigned that policy.
Enable Device control
You can enable Device control for all USB storage devices, for all mobile/media devices, or for an individual USB device.
In your sensor policy, navigate to the Endpoint Controls screen.
In the Endpoint Controls screen, in the Device Controls section, set the Device control toggle to On.
Select the Device control mode in the respective section.
For all USB storage devices, select the mode under the USB (Mass storage) section.
For all mobile or media devices, select the mode under the Mobile/Media (MTP) section.
You can also use the Manage devices area either to set a different mode for a specific USB storage or MTP device, or to configure other types of USB devices.
Mode name | Mode name - CSV file | Description | Permitted endpoint operations | Forbidden endpoint operations |
---|---|---|---|---|
Full access | USB_ACTION_ALLOW_ALL | The Cybereason platform allows users to fully access USB storage or MTP devices inserted into endpoints to which the policy applies. While the Cybereason platform monitors the USB storage or MTP devices, it does not interfere with the device’s default behavior on the machine. | Fully access the USB storage or MTP device. For example, a user can copy files from the USB storage or edit files on the device. | No actions are blocked or prevented. |
Read only | USB_ACTION_READ_ONLY | The Cybereason platform allows read-only access to the USB storage device. Note: If you set the Device control mode to Read only/USB_ACTION_READ_ONLY on a sensor using a version earlier than 21.1.103, the Cybereason platform automatically changes the mode to Full access. To use Read only mode, the sensor must use version 21.1 and later. | Open files on the USB storage device; copy files from the USB storage device; launch executable files from the USB storage device. | Copy files to the USB storage device; edit or delete files on the USB storage device. |
Block | USB_ACTION_BLOCK_ALL | The Cybereason platform blocks access to the USB device on the machine to which the policy applies, and does not allow any interaction with this device. Note: When you set the mode to Block/USB_ACTION_BLOCK_ALL, the Cybereason platform dismounts the USB device. The device might remain visible momentarily under This PC while the Cybereason platform dismounts the device. To use the USB device again, remove and reinsert the device into the endpoint. | None | All actions are forbidden. |
Note
When you modify the Device control mode, and a USB storage or MTP device is inserted into the endpoint machine, the Cybereason platform may set a different mode for a specific device. For more information, see Modify the Device control mode.
Manage individual devices
When you select the Device control mode, you specify the default mode for access to all USB storage devices or all MTP devices on the machines to which the policy applies.
If you want to specify a different mode and set additional fields for a specific USB device, you can add that device to the table or import a CSV file in the Manage devices area.
You can manage USB devices in one of the following ways:
Add devices with the Device control CSV file that includes a list of devices to manage
Important
If you upload a Device control CSV file, the Cybereason platform deletes any USB devices you previously added to the table with the Add New button. To save the previous USB device details, click Export.
Add USB devices directly in a sensor policy
If you want to maintain all the details for individual devices, you can add these individual devices in the sensor policy.
To add devices in a sensor policy, follow these steps:
In the Endpoint Controls screen, in the Device control > Manage devices area, click Add New.
Fill in the fields in the table. For more information, see Manage USB devices - fields description.
If you do not have the details on the device, see Find Device Details to learn how to find those details.
Note
If you add an MTP device to the table, and several components are visible for the device under Windows Device manager, you might need to add more than one component to the table. For more information, contact Technical Support.
Click the check mark (✓) to save.
The Modified by and Last modified fields display the user name and date for this USB device.
To add more USB devices, repeat steps 1-2 for each additional USB device.
You can then view the USB device or devices in the table.
To disable or enable a USB device, hover over the USB device row on the right side of the table, and click the Enabled or Disabled toggle.
To delete USB devices, do one of the following:
Add devices with the Device control CSV file
You can import USB device settings using a CSV file.
To add devices with a CSV file, follow these steps:
Note
You can import up to 200 entries in a single CSV file. You can add more entries manually directly in the sensor policy.
In the Endpoint Controls screen, in the Device control section, find the Manage devices area.
If you previously added USB devices to the table under Manage devices, click Export to save the details of these USB devices before you import a CSV file (when you import a new CSV file, the new file overrides any existing USB device details).
Click Download Template, and in a CSV file editor, open the CSV file template, fill in the fields, and save the template with the .csv suffix (for example, usbdevices.csv).
For more information about the CSV file fields, see Manage USB devices - fields description and Find Device Details.
In the Device control section, click Import, navigate to the file that you created, and click Open.
If a dialog with an error is visible, fix the issues on the relevant columns or rows, and upload the CSV file again. To review the field descriptions and requirements, see Manage USB devices - fields description.
After the import, you can view the USB devices in the table.
To disable or enable a USB device, hover over the USB device row on the right side of the table, and click the Enabled or Disabled toggle.
To delete USB devices, do one of the following:
Manage USB devices - fields description
The following table describes the fields in the Manage devices area and in the Device control CSV file. UI refers to the fields or values under the Manage devices area in the sensor policy and CSV refers to the fields or values in the CSV file.
Field name | Description | Required/Optional | Values | Considerations |
---|---|---|---|---|
 | Defines the USB device class or type. | Required | | |
Vendor | Defines the vendor name. | Required | Type the vendor value in one of the following formats: Note: The format must be the same for both the vendor and product fields/columns. For example, if you type an ID for the vendor, you must also type an ID for the product. To retrieve the vendor name or ID, see Find the device vendor and product information on Windows machines or Find the device vendor and product information on macOS machines. For an online list of USB storage device vendor and product IDs, see List of USB vendors. | |
Product | Specifies the model or specific product for this vendor. | Required | Type the product value in one of the following formats: Note: The format must be the same for both the vendor and product fields/columns. For example, if you type an ID for the vendor, you must also type an ID for the product. To retrieve the vendor name or ID, see Find the device vendor and product information on Windows machines or Find the device vendor and product information on macOS machines. For an online list of USB storage device vendor and product IDs, see List of USB vendors. | |
 | Specifies the serial number of the USB device. | Optional; recommended | Type the serial number. For example, type 12345. When you provide a serial number for a USB device, you increase the security effectiveness of the Device control capability and prevent potential risk. If you don’t provide a serial number, an alert is visible under the Serial Number field until you click the check mark (✓) to save. To find the serial number, see Find the device vendor and product information on Windows machines or Find the device vendor and product information on macOS machines. | The USB device’s serial number has a different structure depending on whether the serial number is unique or non-unique. For more details on serial numbers, see Unique and non-unique serial numbers. |
 | Select the Device control mode for this USB device specifically. This setting allows you to define a different mode than the mode you set for all USB devices under Device control. | Required | Select one of the following modes: | For USB devices with the All or USB_CLASS_GENERAL device type, the Cybereason platform does not support the Full access/USB_ACTION_ALLOW_ALL and Read only/USB_ACTION_READ_ONLY modes. If you select the Full access/USB_ACTION_ALLOW_ALL mode, the Cybereason platform takes no action. If you select the Read only/USB_ACTION_READ_ONLY mode, a warning is visible and you cannot save the exclusion. |
Modified by | Displays the user name of the last user that modified the exclusion. The Modified by field displays the user name after you click ✓ to save. You cannot modify this value. | N/A | N/A | |
Last modified | Displays the date of the last modification for this exclusion. The Last modified field displays the date after you click ✓ to save. You cannot modify this value. | N/A | N/A | |
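
A pre-import check for the Device control CSV that applies the field rules described above: required fields, matching vendor/product format, the three mode values, the USB_CLASS_GENERAL restrictions, and the 200-entry limit. This is an added example, not Cybereason code; the column names, the PLACEHOLDER_CLASS value and the four-hex-digit ID pattern are assumptions, so align them with the downloaded template.

```python
import csv
import io
import re

# Hypothetical column names: match them to the headers in the downloaded template.
COLS = ("device_type", "vendor", "product", "serial_number", "mode")
MODES = {"USB_ACTION_ALLOW_ALL", "USB_ACTION_READ_ONLY", "USB_ACTION_BLOCK_ALL"}
MAX_ENTRIES = 200  # per-file import limit stated on this page
# Assumption: an "ID" is four hex digits, optionally prefixed with 0x.
ID_RE = re.compile(r"^(0x)?[0-9a-fA-F]{4}$")


def lint_device_csv(text):
    """Return (errors, warnings); each item is 'row N: message'."""
    errors, warnings = [], []
    rows = list(csv.DictReader(io.StringIO(text)))
    if len(rows) > MAX_ENTRIES:
        errors.append(f"file: {len(rows)} entries, limit is {MAX_ENTRIES}")
    for n, row in enumerate(rows, start=2):  # line 1 is the header
        r = {k: (row.get(k) or "").strip() for k in COLS}
        for field in ("device_type", "vendor", "product", "mode"):
            if not r[field]:
                errors.append(f"row {n}: required field {field} is empty")
        ids = [bool(ID_RE.match(r[f])) for f in ("vendor", "product")]
        if r["vendor"] and r["product"] and ids[0] != ids[1]:
            errors.append(f"row {n}: vendor and product must use the same format")
        if r["mode"] and r["mode"] not in MODES:
            errors.append(f"row {n}: unknown mode {r['mode']}")
        if r["device_type"] == "USB_CLASS_GENERAL":
            if r["mode"] == "USB_ACTION_READ_ONLY":
                errors.append(f"row {n}: Read only cannot be saved for USB_CLASS_GENERAL")
            elif r["mode"] == "USB_ACTION_ALLOW_ALL":
                warnings.append(f"row {n}: Full access takes no action for USB_CLASS_GENERAL")
        if not r["serial_number"]:
            warnings.append(f"row {n}: no serial number (optional, recommended)")
    return errors, warnings


# Constructed sample; PLACEHOLDER_CLASS stands in for a real device-type value.
SAMPLE = """device_type,vendor,product,serial_number,mode
PLACEHOLDER_CLASS,1234,abcd,12345,USB_ACTION_READ_ONLY
PLACEHOLDER_CLASS,1234,Example Drive,,USB_ACTION_BLOCK_ALL
USB_CLASS_GENERAL,ExampleVendor,ExampleProduct,777,USB_ACTION_READ_ONLY
USB_CLASS_GENERAL,ExampleVendor,ExampleProduct,778,USB_ACTION_ALLOW_ALL
PLACEHOLDER_CLASS,ExampleVendor,ExampleProduct,779,USB_ACTION_DENY
"""

if __name__ == "__main__":
    print(lint_device_csv(SAMPLE))
```

Because an import replaces every device previously added to the table, running a check like this before clicking Import avoids a rejected or partially wrong file overwriting a working list.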
Modify the Device control mode
When you modify the Device control mode, and a USB storage or MTP device is inserted into the endpoint machine, the Cybereason platform may set a different mode for a specific device. The following tables describe the relevant scenarios.
From mode | To mode | Scenario | Recommended action |
---|---|---|---|
Full access | Read only | In some cases, due to permission issues or other issues, the Cybereason platform cannot successfully set the mode to Read only for a specific USB storage device. In these cases, the Cybereason platform automatically blocks the USB storage device to protect the device. | Remove and reinsert the USB storage device into the endpoint. |
Full access | Read only | If you set the Device control mode to Read only on a sensor using a version earlier than 21.1, the Cybereason platform automatically changes the mode to Full access. | To use Read only mode, the sensor must use version 21.1 and later. |
Block | Full access | After you modify the mode to Full access, the USB storage or MTP device remains blocked until you reinsert the device. This occurs because the Cybereason platform dismounts blocked USB storage or MTP devices. | After the Cybereason platform completes the policy update, remove and reinsert the USB storage or MTP device. |
Block | Read only | After you modify the mode to Read only, the USB storage device remains blocked until you reinsert the device. This occurs because the Cybereason platform dismounts blocked USB storage or MTP devices. In addition, in some cases, due to permission issues or other issues, the Cybereason platform cannot successfully set the mode to Read only for a specific device. In these cases, the Cybereason platform automatically blocks the USB storage device to protect the device. | |
Read only | Full access | The Cybereason platform may not automatically apply the change. | If the Cybereason platform does not update the mode, remove and reinsert the USB storage device into the endpoint. |