About the Rule Generator for Device Control
August 3, 2023
ID 148412
You can import allowing rules for device control from XML files that are generated automatically while the Device Control task or the Rule Generator for Device Control task runs.
By default, Kaspersky Industrial CyberSecurity for Nodes blocks the connection of any flash drive or other external device that is not included in the usage scope of the specified device control rules.
Purposes and scenarios for generating device control rules
Rule generation scenario | Target |
The Rule Generator for Device Control task |
Rules generation based on system data | Add allowing rules for one or more external devices whose data has been stored in the system. |
Rules generation based on data about the currently connected devices | Update an existing list of rules when a small number of new external devices must be trusted. |
The Device Control task in the Statistics only mode | Generate allowing rules for a large number of trusted devices. |
The Rule Generator for Device Control task usage
The XML file generated when the Rule Generator for Device Control task completes contains allowing rules for the flash drives and other external devices whose data has been stored in the system registry.
Use this scenario to generate rules that take into account either all external devices that have ever been connected and are registered by the systems on all protected devices in the network, or only the devices currently connected to those protected devices. The task also takes into account all external devices that are connected at the moment the task runs. When the group task completes, Kaspersky Industrial CyberSecurity for Nodes generates lists of allowing rules for all external devices registered in the network and saves these lists to an XML file in the specified folder. You can then manually import the generated rules in the Device Control task settings. Unlike a task on a protected device, the policy does not allow you to configure automatic addition of the created rules to the list of Device Control rules when the Rule Generator for Device Control group task completes.
This scenario is recommended for generating a list of allowing rules before the Device Control task is started for the first time, so that the generated rules cover all trusted external devices that are used on a protected device.
Usage of system data about all connected devices
While the task runs, Kaspersky Industrial CyberSecurity for Nodes receives system data about all external devices that have ever been connected or that are currently connected to a protected device, and displays the detected devices in the list in the Generate rules based on the system information window.
For each detected device, Kaspersky Industrial CyberSecurity for Nodes parses the manufacturer (VID), controller type (PID), friendly name, serial number and device instance path. You can generate allowing rules for any external device whose data has been stored in the system, and add the newly created rules directly to the list of device control rules.
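The fields named above can be reviewed by hand before generated rules are trusted. The following Python code is an added example, not Kaspersky code and not the product's parsing logic: it splits Windows USB device instance paths into VID, PID and serial number, and separates out devices that report no serial number of their own. The function names and the sample paths are assumptions constructed for illustration.

```python
import re

# Windows USB device instance path: USB\VID_xxxx&PID_xxxx[&MI_xx]\<instance ID>
_USB_PATH = re.compile(
    r"^USB\\VID_(?P<vid>[0-9A-Fa-f]{4})&PID_(?P<pid>[0-9A-Fa-f]{4})"
    r"(?:&[^\\]*)?\\(?P<instance>[^\\]+)$"
)

def parse_instance_path(path):
    """Return VID, PID and serial for a USB instance path, or None if it is not one."""
    path = path.strip()
    m = _USB_PATH.match(path)
    if not m:
        return None
    instance = m.group("instance")
    # When a device reports no serial number, Windows generates the instance
    # ID itself. Such IDs have '&' as their second character and depend on the
    # port, so they do not identify one physical device.
    generated = len(instance) > 1 and instance[1] == "&"
    return {
        "vid": m.group("vid").upper(),
        "pid": m.group("pid").upper(),
        "serial": None if generated else instance,
        "instance_path": path,
    }

def review(paths):
    """Sort paths into devices with a serial, devices without one, and non-USB paths."""
    unique, no_serial, skipped = [], [], []
    for p in paths:
        dev = parse_instance_path(p)
        if dev is None:
            skipped.append(p)
        elif dev["serial"] is None:
            no_serial.append(dev)
        else:
            unique.append(dev)
    return unique, no_serial, skipped

# Constructed sample paths (hypothetical values, not taken from a real system).
SAMPLE = [
    r"USB\VID_1234&PID_abcd\4C530001230512345678",
    r"USB\VID_ABCD&PID_1234\6&1a2b3c4d&0&2",
    r"USB\VID_1234&PID_ABCD&MI_00\7&2f3e4d5c&0&0000",
    r"PCI\VEN_8086&DEV_1234\3&11583659&0&A0",
]

if __name__ == "__main__":
    for group in review(SAMPLE):
        print(group)
```

Devices that land in the second group share nothing but VID and PID, so an allowing rule built from them may cover every device of that model rather than one trusted unit.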
In this scenario, Kaspersky Industrial CyberSecurity for Nodes generates allowing rules for external devices that have ever been connected or are currently connected to a protected device with Kaspersky Security Center installed.
This scenario is recommended for updating an existing list of rules when a small number of new external devices must be trusted.
Usage of data about the currently connected devices
In this scenario, Kaspersky Industrial CyberSecurity for Nodes generates allowing rules only for currently connected external devices. You can select one or more external devices for which you want to generate allowing rules.
Usage of the Device Control task in the Statistics only mode
The XML file produced when the Device Control task completes in the Statistics only mode is generated from the task log.
While the task runs, Kaspersky Industrial CyberSecurity for Nodes logs information about all connections of flash drives and other external devices to a protected device. You can generate allowing rules based on task events and export them to an XML file. Before starting the task in the Statistics only mode, it is recommended to configure the task run period so that all possible connections of external devices to the protected device take place within the specified period.
This scenario is recommended for updating an already generated list of rules when a large number of new external devices must be allowed.
If the rule list is generated in this scenario on a template machine, you can apply the generated list of allowing rules when configuring the Device Control task via Kaspersky Security Center. This allows the external devices that are connected to the template machine to be used on all protected devices.