The Device Control component allows you to manage user access to the devices that are installed on or connected to the client device (for example, hard drives, cameras, or Wi-Fi modules). Access management lets you protect the client device from infection when external devices are connected, and prevent data loss or leaks.
This feature is not supported in the KESL container.
The Device Control component is enabled automatically with the default settings when Kaspersky Endpoint Security starts.
Device Control manages user access on the following levels:
When a forbidden device is connected, the application denies access to the device to the users specified in the rule and displays a notification. During attempts to read and write on this device, the application silently blocks the users specified in the rule from reading/writing.
If you try to perform an operation with a device whose access mode is set to By rule, but no rule active at the time of access is found, the operation will be blocked.
For example, access may be denied to all devices connected via USB.
By default, the Depends on connection bus access mode is selected for all device types. The Allow access mode is selected for connection buses. Device Control grants users full access to all devices accordingly.
Blocking devices by device type or connection bus via the system device driver is not supported on the following Linux kernels: 3.10, 5.14, 5.15, 5.17, 6.1. On these kernels and in the By rule access mode, only the opening of files and reading of directories (that is, getting the names of files and directories) are blocked. On systems that do not support fanotify, blocking the reading of directories is also not supported.
When Device Control is enabled for the first time, it generates a DeviceAllowed event for all detected devices with a known device or bus type. No repeat events are generated upon subsequent component runs unless there were changes in the control settings for these devices.
When Device Control is disabled, the application unblocks access to blocked devices.
You can enable, disable, and configure Device Control:
If you are managing the application via the command line, you can view the IDs of connected devices by running kesl-control --get-device-list
on the client device.
If you are managing the application via Kaspersky Security Center, information about devices installed on, or connected to, the client devices can be sent to the Administration Server. The information sharing is enabled by default.
Information about devices is transferred if the client device is under the control of an active policy and synchronized with Network Agent (performed with the frequency specified in the Network Agent policy properties, by default – every 15 minutes).
In general application settings, if blocking access to files during scans is disabled, you cannot use a device access schedule to block access to devices.
Device Control ignores mount point exclusions. Access to a device mounted at an excluded point can be limited with Device Control settings.