Set the Device Control Access Modes

You manage Device Control access policy modes and access policies directly in a sensor policy.

When you enable the Device control option in a sensor policy, you permit the Cybereason platform to detect, restrict, and/or block removable storage devices that are connected to machines assigned that policy.

Enable Device control

You can enable Device control for all USB storage devices, for all mobile/media devices, or for an individual USB device.

  1. In your sensor policy, navigate to the Endpoint Controls screen.

  2. In the Endpoint Controls screen, in the Device Controls section, set the Device control toggle to On.

  3. Select the Device control mode in the respective section.

    • For all USB storage devices, select the mode under the USB (Mass storage) section.

    • For all mobile or media devices, select the mode under the Mobile/Media (MTP) section.

    You can also use the Manage devices area either to set a different mode for a specific USB storage or MTP device, or to configure other types of USB devices.

    Mode name: Full access

    Mode name - CSV file: USB_ACTION_ALLOW_ALL

    Description: The Cybereason platform allows users to fully access USB storage or MTP devices inserted into endpoints to which the policy applies. While the Cybereason platform monitors the USB storage or MTP devices, it does not interfere with the device’s default behavior on the machine.

    Permitted endpoint operations: Full access to the USB storage or MTP device. For example, a user can copy files from the USB storage or edit files on the device.

    Forbidden endpoint operations: No actions are blocked or prevented.

    Mode name: Read only

    Mode name - CSV file: USB_ACTION_READ_ONLY

    Description: The Cybereason platform allows read-only access to the USB storage device.

    Note

    If you set the Device control mode to Read only/USB_ACTION_READ_ONLY on a sensor using a version earlier than 21.1.103, the Cybereason platform automatically changes the mode to Full access. To use Read only mode, the sensor must use version 21.1 and later.

    Permitted endpoint operations:

    • Open files on the USB storage device

    • Copy files from the USB storage device

    • Launch executable files from the USB storage device.

    Forbidden endpoint operations:

    • Copy files to the USB storage device

    • Edit or delete files on the USB storage device.

    Mode name: Block

    Mode name - CSV file: USB_ACTION_BLOCK_ALL

    Description: The Cybereason platform blocks access to the USB device on the machine to which the policy applies, and does not allow any interaction with this device.

    Note

    When you set the mode to Block/USB_ACTION_BLOCK_ALL, the Cybereason platform dismounts the USB device. The device might remain visible momentarily under This PC while the Cybereason platform dismounts the device. To use the USB device again, remove and reinsert the device into the endpoint.

    Permitted endpoint operations: None

    Forbidden endpoint operations: All actions are forbidden.

    Note

    When you modify the Device control mode, and a USB storage or MTP device is inserted into the endpoint machine, the Cybereason platform may set a different mode for a specific device. For more information, see Modify the Device control mode.

Manage individual devices

When you select the Device control mode, you specify the default mode for access to all USB storage devices or all MTP devices on the machines to which the policy applies.

If you want to specify a different mode and set additional fields for a specific USB device, you can add that device to the table or import a CSV file in the Manage devices area.

You can manage USB devices in one of the following ways:

  • Add USB devices directly in a sensor policy

  • Add devices with the Device control CSV file

Important

If you upload a Device control CSV file, the Cybereason platform deletes any USB devices you previously added to the table with the Add New button. To save the previous USB device details, click Export.

Add USB devices directly in a sensor policy

If you want to maintain all the details for individual devices, you can add these individual devices in the sensor policy.

To add devices in a sensor policy, follow these steps:

  1. In the Endpoint Controls screen, in the Device control > Manage devices area, click Add New.

  2. Fill in the fields in the table. For more information, see Manage USB devices - fields description.

    If you do not have the details on the device, see Find Device Details to learn how to find those details.

    Note

    If you add an MTP device to the table, and several components are visible for the device under Windows Device manager, you might need to add more than one component to the table. For more information, contact Technical Support.

  3. Click the check mark to save.

    The Modified by and Last modified fields display the user name and date for this USB device.

  4. To add more USB devices, repeat steps 1-2 for each additional USB device.

    You can then view the USB device or devices in the table.

  5. To disable or enable a USB device, hover over the USB device row on the right side of the table, and click the Enabled or Disabled toggle.

  6. To delete USB devices, do one of the following:

    • To delete a single USB device, click the Delete icon.

    • To delete the entire list of USB devices, click Clear devices. This command clears the set of USB devices you previously added or uploaded.

Add devices with the Device control CSV file

You can import USB device settings using a CSV file.

To add devices with a CSV file, follow these steps:

Note

You can import up to 200 entries in a single CSV file. You can add more entries manually directly in the sensor policy.

  1. In the Endpoint Controls screen, in the Device control section, find the Manage devices area.

  2. If you previously added USB devices to the table under Manage devices, click Export to save the details of these USB devices before you import a CSV file (when you import a new CSV file, the new file overrides any existing USB device details).

  3. Click Download Template, and in a CSV file editor, open the CSV file template, fill in the fields, and save the template with the .csv suffix (for example, usbdevices.csv).

    For more information about the CSV file fields, see Manage USB devices - fields description and Find Device Details.

  4. In the Device control section, click Import, navigate to the file that you created, and click Open.

    If a dialog with an error is visible, fix the issues on the relevant columns or rows, and upload the CSV file again. To review the field descriptions and requirements, see Manage USB devices - fields description.

    After the import, you can view the USB devices in the table.

  5. To disable or enable a USB device, hover over the USB device row on the right side of the table, and click the Enabled or Disabled toggle.

  6. To delete USB devices, do one of the following:

    • To delete a single USB device, click the Delete icon.

    • To delete the entire list of USB devices, click Clear devices. This command clears the set of USB devices you previously added or uploaded.

Manage USB devices - fields description

The following table describes the fields in the Manage devices area and in the Device control CSV file. UI refers to the fields or values under the Manage devices area in the sensor policy and CSV refers to the fields or values in the CSV file.

Field name: Class (UI), classType (CSV)

Description: Defines the USB device class or type.

Required/Optional: Required

Values:

  • USB (Mass storage) (UI; default value) or USB_CLASS_MASS_STORAGE (CSV): Indicates that the device is a USB storage device. For more information, see Check whether a device is a USB mass storage device on Windows machines.

  • Mobile/Media (MTP) (UI) or USB_CLASS_MTP (CSV): Indicates that the device is a Media Transfer Protocol (MTP) device, which refers to mobile or media devices.

  • All (UI) or USB_CLASS_GENERAL (CSV): Indicates that the device is any USB device that is not a USB storage device or an MTP device.

Considerations:

  • If you add an MTP device to the table, and several components are visible for the device under Windows Device manager, you might need to add more than one component to the table. For more information, contact Technical Support.

  • For the All or USB_CLASS_GENERAL device type, the Cybereason platform only allows you to add USB devices that you can disable via Windows Device Manager. To check whether you can add the device, open Device Manager, and right-click the device. You can only add the device if the Disable option is visible (if only the Uninstall option is visible, you cannot exclude the device).

Field name: Vendor

Description: Defines the vendor name.

Required/Optional: Required

Values: Type the vendor value in one of the following formats:

  • The vendor name. The name is not case-sensitive. For example, type either SanDisk or sandisk.

  • The vendor ID, for example, 0781.

Considerations:

Note

The format must be the same for both the vendor and product fields/columns. For example, if you type an ID for the vendor, you must also type an ID for the product.

To retrieve the vendor name or ID, see Find the device vendor and product information on Windows machines or Find the device vendor and product information on macOS machines. For an online list of USB storage device vendor and product IDs, see List of USB vendors.

Field name: Product

Description: Specifies the model or specific product for this vendor.

Required/Optional: Required

Values: Type the product value in one of the following formats:

  • The product name. The product name is not case-sensitive. For example, type either Ultra Fit or ULTRA_FIT.

  • The product ID, for example, type 5583.

Considerations:

Note

The format must be the same for both the vendor and product fields/columns. For example, if you type an ID for the vendor, you must also type an ID for the product.

To retrieve the vendor name or ID, see Find the device vendor and product information on Windows machines or Find the device vendor and product information on macOS machines. For an online list of USB storage device vendor and product IDs, see List of USB vendors.

Field name: Serial number (UI), serial (CSV)

Description: Specifies the serial number of the USB device.

Required/Optional: Optional; recommended

Values: Type the serial number. For example, type 12345.

Considerations:

When you provide a serial number for a USB device, you increase the security effectiveness of the Device control capability and prevent potential risk. If you don’t provide a serial number, an alert is visible under the Serial Number field until you click the check mark to save.

To find the serial number, see Find the device vendor and product information on Windows machines or Find the device vendor and product information on macOS machines.

The USB device’s serial number has a different structure depending on whether the serial number is unique or non-unique. For more details on serial numbers, see Unique and non-unique serial numbers.

Field name: Mode (UI), action (CSV)

Description: Select the Device control mode for this USB device specifically. This setting allows you to define a different mode than the mode you set for all USB devices under Device control.

Required/Optional: Required

Values: Select one of the following modes:

  • Full access (UI; default value) or USB_ACTION_ALLOW_ALL (CSV)

  • Read only (UI) or USB_ACTION_READ_ONLY (CSV)

  • Block (UI) or USB_ACTION_BLOCK_ALL (CSV)

Considerations:

For USB devices with the All or USB_CLASS_GENERAL device type, the Cybereason platform does not support the Full access/USB_ACTION_ALLOW_ALL and Read only/USB_ACTION_READ_ONLY modes.

If you select the Full access/USB_ACTION_ALLOW_ALL mode, the Cybereason platform takes no action. If you select the Read only/USB_ACTION_READ_ONLY mode, a warning is visible and you cannot save the exclusion.

Field name: Modified by

Description: Displays the user name of the last user that modified the exclusion. The Modified by field displays the user name after you click to save. You cannot modify this value.

Required/Optional: N/A

Values: N/A

Field name: Last modified

Description: Displays the date of the last modification for this exclusion. The Last modified field displays the date after you click to save. You cannot modify this value.

Required/Optional: N/A

Values: N/A
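
The field rules above (200-entry limit, matching vendor/product format, unsupported modes for USB_CLASS_GENERAL, missing serial numbers) can be checked before you import a file. The following Python script is an added example, not Cybereason code. It assumes the vendor and product columns are named vendor and product (this page names only classType, serial, and action) and that an ID is four hexadecimal digits; compare the header with the downloaded template.

```python
import csv
import io
import re

MAX_ENTRIES = 200  # import limit stated on this page
CLASSES = {"USB_CLASS_MASS_STORAGE", "USB_CLASS_MTP", "USB_CLASS_GENERAL"}
ACTIONS = {"USB_ACTION_ALLOW_ALL", "USB_ACTION_READ_ONLY", "USB_ACTION_BLOCK_ALL"}
# Assumption: an ID is four hex digits, like the page's examples 0781 and 5583.
HEX_ID = re.compile(r"[0-9A-Fa-f]{4}")


def lint_device_csv(text):
    """Return (errors, warnings) for a Device control CSV, as 'row N: message'."""
    errors, warnings = [], []
    rows = list(csv.DictReader(io.StringIO(text)))
    if len(rows) > MAX_ENTRIES:
        errors.append(f"file: {len(rows)} entries exceeds the {MAX_ENTRIES}-entry limit")
    for n, row in enumerate(rows, start=2):  # row 1 is the header
        f = {k: (v or "").strip() for k, v in row.items() if k}
        cls, action = f.get("classType", ""), f.get("action", "")
        # Assumption: the "vendor" and "product" column names are not given on the page.
        vendor, product = f.get("vendor", ""), f.get("product", "")
        if cls not in CLASSES:
            errors.append(f"row {n}: unknown classType {cls!r}")
        if action not in ACTIONS:
            errors.append(f"row {n}: unknown action {action!r}")
        if not vendor or not product:
            errors.append(f"row {n}: vendor and product are required")
        elif bool(HEX_ID.fullmatch(vendor)) != bool(HEX_ID.fullmatch(product)):
            errors.append(f"row {n}: vendor and product must both be IDs or both be names")
        if cls == "USB_CLASS_GENERAL" and action == "USB_ACTION_READ_ONLY":
            errors.append(f"row {n}: USB_ACTION_READ_ONLY is not supported for USB_CLASS_GENERAL")
        if cls == "USB_CLASS_GENERAL" and action == "USB_ACTION_ALLOW_ALL":
            warnings.append(f"row {n}: USB_ACTION_ALLOW_ALL has no effect for USB_CLASS_GENERAL")
        if not f.get("serial"):
            warnings.append(f"row {n}: no serial number (optional, recommended)")
    return errors, warnings


# Constructed sample input (not taken from a real policy).
SAMPLE = """classType,vendor,product,serial,action
USB_CLASS_MASS_STORAGE,0781,5583,12345,USB_ACTION_READ_ONLY
USB_CLASS_MASS_STORAGE,SanDisk,5583,,USB_ACTION_ALLOW_ALL
USB_CLASS_GENERAL,0781,5583,12345,USB_ACTION_READ_ONLY
"""

if __name__ == "__main__":
    errs, warns = lint_device_csv(SAMPLE)
    print("\n".join(errs + warns))
```
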

Modify the Device control mode

When you modify the Device control mode, and a USB storage or MTP device is inserted into the endpoint machine, the Cybereason platform may set a different mode for a specific device. The following tables describe the relevant scenarios.

From mode: Full access

To mode: Read only

Scenario: In some cases, due to permission issues or other issues, the Cybereason platform cannot successfully set the mode to Read only for a specific USB storage device. In these cases, the Cybereason platform automatically blocks the USB storage device to protect the device.

Recommended action: Remove and reinsert the USB storage device into the endpoint.

From mode: Full access

To mode: Read only

Scenario: If you set the Device control mode to Read only on a sensor using a version earlier than 21.1, the Cybereason platform automatically changes the mode to Full access.

Recommended action: To use Read only mode, the sensor must use version 21.1 and later.

From mode: Block

To mode: Full access

Scenario: After you modify the mode to Full access, the USB storage or MTP device remains blocked until you reinsert the device. This occurs because the Cybereason platform dismounts blocked USB storage or MTP devices.

Recommended action: After the Cybereason platform completes the policy update, remove and reinsert the USB storage or MTP device.

From mode: Block

To mode: Read only

Scenario: After you modify the mode to Read only, the USB storage device remains blocked until you reinsert the device. This occurs because the Cybereason platform dismounts blocked USB storage or MTP devices.

In addition, in some cases, due to permission issues or other issues, the Cybereason platform cannot successfully set the mode to Read only for a specific device. In these cases, the Cybereason platform automatically blocks the USB storage device to protect the device.

Recommended action:

  1. After the Cybereason platform completes the policy update, remove and reinsert the USB storage device.

  2. If the Cybereason platform did not successfully modify the mode to Read only, remove and reinsert the USB storage device again.

From mode: Read only

To mode: Full access

Scenario: The Cybereason platform may not automatically apply the change.

Recommended action: If the Cybereason platform does not update the mode, remove and reinsert the USB storage device into the endpoint.