Device Control

The Device Control component allows you to manage user access to the devices that are installed on or connected to the client device (for example, hard drives, cameras, or Wi-Fi modules). Access management lets you protect the client device from infection when external devices are connected, and prevent data loss or leaks.

This feature is not supported in the KESL container.

The Device Control component is enabled automatically with the default settings when Kaspersky Endpoint Security starts.

Device Control manages user access on the following levels:

• Device type as classified by Device Control, such as printers, removable drives, or CD/DVD drives. One of the following access modes can be applied to each device type:
  • Allow, to allow access to devices of this type.
  • Block, to block access to devices of this type.
  • Depends on bus: allow or block access to devices depending on the access mode set for the bus through which the device is connected.
  • By rule: allow or block access to devices depending on the access rules. A device access rule is a set of options that determine which users can access devices that are installed on the client device or connected to it, and at what time.

    When a forbidden device is connected, the application denies access to the device to the users specified in the rule and displays a notification. During attempts to read and write on this device, the application silently blocks the users specified in the rule from reading/writing.

    If you try to perform an operation with a device whose access mode is set to By rule, but no rule active at the time of access is found, the operation will be blocked.

• Connection bus. Connection bus is an interface that devices use to connect to the client device, such as USB or FireWire. One of the following access modes can be applied to connection buses:
  • Allow: grant access to devices connected through this connection bus.
  • Block: deny access to devices connected using this connection bus.

  For example, access may be denied to all devices connected via USB.

By default, the Depends on connection bus access mode is selected for all device types. The Allow access mode is selected for connection buses. Device Control grants users full access to all devices accordingly.

Blocking devices by device type or connection bus via the system device driver is not supported on the following Linux kernels: 3.10, 5.14, 5.15, 5.17, 6.1. On these kernels and in the By rule access mode, only the opening of files and reading of directories (that is, getting the names of files and directories) are blocked. On systems that do not support fanotify, blocking the reading of directories is also not supported.

When Device Control is enabled for the first time, it generates a DeviceAllowed event for all detected devices with a known device or bus type. No repeat events are generated upon subsequent component runs unless there were changes in the control settings for these devices.

When Device Control is disabled, the application unblocks access to blocked devices.

You can enable, disable, and configure Device Control:

• Select the application's operation mode when there is an attempt to access a device to which access is prohibited by Device Control settings: block or only notify about the attempt to access the device.
• Select a device access mode depending on the type.
• Select an access mode for the bus through which the devices are connecting.
• Remove individual devices from the scope of Device Control by adding them to the list of trusted devices. Trusted devices are devices to which users have full access. You can add devices to a list of trusted devices by identifier or identifier mask. For example, you can limit access to specific USB devices or only to USB drives; access to other USB devices is denied.

  If you are managing the application via the command line, you can view the IDs of connected devices by running kesl-control --get-device-list on the client device.

  If you are managing the application via Kaspersky Security Center, information about devices installed on, or connected to, the client devices can be sent to the Administration Server. The information sharing is enabled by default.

  Information about devices is transferred if the client device is under the control of an active policy and synchronized with Network Agent (performed with the frequency specified in the Network Agent policy properties, by default – every 15 minutes).

• Define an access schedule for devices: only hard drives, removable drives, floppy disks, and CD/DVD drives.

  In general application settings, if blocking access to files during scans is disabled, you cannot use a device access schedule to block access to devices.

• You can define access rules for devices depending on their type. Allow or block access for specified users at a specified time.

Device Control ignores mount point exclusions. Access to a device mounted at an excluded point can be limited with Device Control settings.

In this Help section Configuring Device Control in the Web Console Configuring Device Control in the Administration Console Configuring Device Control on the command line

Page top