About Device Control task

Kaspersky Embedded Systems Security for Windows controls the registration and usage of external and built-in devices and CD/DVD drives to protect the computer against security threats that may arise when these devices share files.

Kaspersky Embedded Systems Security for Windows controls the following devices connections:

• Controlled by default:
  • Removable USB drives, including UAS devices
  • CD/DVD ROM drives
  • USB floppy disk readers
  • USB network adapters
  • MTP mobile devices connected via USB
• Control is disabled by default and needs to be enabled individually:
  • Bluetooth devices connected via USB adapters

    Kaspersky Embedded Systems Security for Windows can monitor Bluetooth devices connected via USB adapters on nodes running Windows 7 SP1 / Server 2008 R2 SP1 or later

  • USB keyboards
  • USB mice
  • SD card readers connected via USB or the PCI bus.

    Kaspersky Embedded Systems Security for Windows does not control SD card readers connected via other interfaces.

The application notifies the user about all devices on the controlled list with an appropriate event in the event and task logs. The event details include device type and connection path.

You can create Device Control allow rules (Device Control rules) for devices that you want to allow to connect to the protected device.

The Device Control task monitors attempts by devices on the controlled list to connect to the protected device and blocks the connection if they do not fall within the scope of Device Control rules. After the connection is blocked, the device becomes unavailable.

Kaspersky Embedded Systems Security for Windows identifies devices that are registered in the system, by using the Device Instance Path value. Device Instance Path is a default feature uniquely specified for each external device. The Device Instance Path value is specified for each device in its Windows properties and is determined by Kaspersky Embedded Systems Security for Windows automatically when Device Control rules are generated.

The application assigns one of the following statuses to each connected device on the controlled list:

• Trusted. A device that is allowed to connect to the protected device. The device instance path is included in the scope of the Device Control rule.
• Untrusted. A device that is blocked from connecting to the protected device. The device instance path is not included in the scope of the Device Control rule.

The Device Control task can operate in two modes:

• Active. By default, Kaspersky Embedded Systems Security for Windows blocks all devices on the controlled list, except for trusted ones.

  If an external device you consider to be untrusted is connected to the protected device before the Device Control task starts in Active mode, the device will not be blocked by the application. We recommend that you disconnect the untrusted device manually or restart the protected device. Otherwise, the Default Deny principle will not apply to the device.

• Statistics only. Kaspersky Embedded Systems Security for Windows does not block controlled devices from connecting. It only adds information about the connection and registration of devices on the protected device, and about the Device Control allow rules triggered by the connected devices, to the task log. This mode is set by default.

Page top