The Device Control component allows you to manage user access to the devices that are installed on or connected to the client device (for example, hard drives, cameras, or Wi-Fi modules). Access management lets you protect the client device from infection when external devices are connected, and prevent data loss or leaks.
The Device Control component is enabled automatically with the default settings when Kaspersky Endpoint Security starts.
Device Control manages user access on the following levels:
If you try to perform an operation with a device whose access mode is set to By rule, but no rule active at the time of access is found, the operation is blocked.
For example, access may be denied to all devices connected via USB.
By default, the Depends on connection bus access mode is selected for all device types. The Allow access mode is selected for connection buses. Device Control grants users full access to all devices accordingly.
When Device Control is enabled for the first time, it generates a DeviceAllowed event for all detected devices with a known device or bus type. No repeat events are generated upon subsequent component runs unless there were changes in the control settings for these devices.
When Device Control is disabled, the application unblocks access to blocked devices.
Device Control does not block system drives. If the application cannot automatically detect the system drive, the Device Control component terminates with an error.
Blocking devices by device type or connection bus via the system device driver is not supported on the following Linux kernels: 3.10, 5.14, 5.15, 5.17, 6.1, 6.8. On these kernels and in the By rule access mode, only the opening of files and reading of directories (that is, getting the names of files and directories) are blocked. On systems that do not support fanotify, blocking the reading of directories is also not supported.
You can enable, disable, and configure Device Control:
You can manage the list of trusted devices on the command line or using Kaspersky Security Center.
You can add devices to a list of trusted devices by identifier or identifier mask. You can get information about devices installed on client devices or connected to client devices using the command line on a client device or using Kaspersky Security Center. Information sharing with the Kaspersky Security Center Administration Server is enabled by default.
Information about devices is transferred if the client device is under the control of an active policy and synchronized with Network Agent (performed with the frequency specified in the Network Agent policy properties, by default – every 15 minutes).
If you are managing the application using Kaspersky Security Center, you can also add devices to the list of trusted devices using the list of devices detected on the managed client devices. The list is displayed in the policy properties in the Web Console or the Administration Console.
You can export the configured list of trusted devices to a file or import a list of trusted devices from a file.
In general application settings, if blocking access to files during scans is disabled, you cannot use a device access schedule to block access to devices.
Device Control ignores mount point exclusions. Access to a device mounted at an excluded point can be limited with Device Control settings.