About Device Control rules
August 3, 2023
Kaspersky Industrial CyberSecurity for Nodes does not apply allowing rules for MTP-connected mobile devices.
Rules are generated individually for each device that is currently connected, or has ever been connected, to a protected device, provided that information about the device is stored in the system registry.
To generate allowing rules for device control:
- Apply the Rule Generator for Device Control task.
- Run the Device Control task in the Statistics only mode.
- Apply system information about previously connected devices.
- Expand the usage scope for already specified rules.
The maximum number of Device Control rules supported by Kaspersky Industrial CyberSecurity for Nodes is 3072.
Device Control rules are described below.
The rule type is always allowing. By default, the Device Control task blocks connections of all flash drives and other external devices that are not included in the usage scope of any allowing rule.
Triggering criterion and rule usage scope
Device Control rules identify flash drives and other external devices based on the device instance path. The device instance path is a unique criterion that the system assigns to a device when the device is connected and registered as an External Device or CD/DVD drive (for example, IDE or SCSI).
Kaspersky Industrial CyberSecurity for Nodes controls the connection of external CD/DVD drives regardless of the bus used for the connection. When such a device is mounted via USB, the operating system registers two device instance path values: one for the external device and one for the CD/DVD drive (for example, IDE or SCSI). For such devices to connect correctly, an allowing rule must be set for each device instance path value.
Kaspersky Industrial CyberSecurity for Nodes automatically defines the device instance path and parses the value obtained into the following elements:
- Device manufacturer (VID)
- Device controller type (PID)
- Device serial number
You cannot set the device instance path manually. Allowing rule triggering criteria define the rule usage scope. By default, the usage scope of a newly created allowing rule includes the one initial device whose properties Kaspersky Industrial CyberSecurity for Nodes used to generate the rule. You can configure the values in the created rule settings by using a mask to expand the rule usage scope.
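The following added example (not Kaspersky code) shows how a device instance path splits into VID, PID and serial number, and how a mask widens a rule's usage scope under default-deny evaluation. It assumes the standard Windows `USB\VID_xxxx&PID_xxxx\<serial>` path form and `*`/`?` wildcard masks; the function names, rule list and device values are constructed for illustration.

```python
import re
from fnmatch import fnmatchcase
from typing import List, NamedTuple, Optional

# Assumed path form: USB\VID_<4 hex>&PID_<4 hex>[&extra]\<instance id or serial>
_USB_PATH = re.compile(
    r"^USB\\VID_(?P<vid>[0-9A-F]{4})&PID_(?P<pid>[0-9A-F]{4})"
    r"(?:&[^\\]*)?\\(?P<serial>[^\\]+)$",
    re.IGNORECASE,
)

class Scope(NamedTuple):
    """Usage scope of one allowing rule, or the parsed values of one device."""
    vid: str
    pid: str
    serial: str

def parse_instance_path(path: str) -> Optional[Scope]:
    """Split a device instance path into VID, PID and serial; None if unparsable."""
    m = _USB_PATH.match(path.strip())
    if m is None:
        return None
    return Scope(m["vid"].upper(), m["pid"].upper(), m["serial"].upper())

def rule_matches(rule: Scope, device: Scope) -> bool:
    """A rule triggers only if all three fields match (assumed * and ? masks)."""
    return all(fnmatchcase(d, r.upper()) for r, d in zip(rule, device))

def is_allowed(path: str, rules: List[Scope]) -> bool:
    """Default deny: a device connects only if some allowing rule covers it."""
    device = parse_instance_path(path)
    return device is not None and any(rule_matches(r, device) for r in rules)

def overly_broad(rules: List[Scope]) -> List[Scope]:
    """Rules whose serial is only wildcards admit every unit of that model."""
    return [r for r in rules if r.serial.strip("*?") == ""]

# Constructed sample rules: one scoped to a single device, one expanded by mask.
RULES = [
    Scope("0781", "5567", "4C530001230104117392"),
    Scope("0951", "1666", "*"),
]

if __name__ == "__main__":
    for p in (r"USB\VID_0781&PID_5567\4C530001230104117392",
              r"USB\VID_0781&PID_5567\4C530009990000000000",
              r"USB\VID_0951&PID_1666\E0D55EA573F0F420"):
        print(p, "->", "allow" if is_allowed(p, RULES) else "block")
    print("review:", overly_broad(RULES))
```

Reviewing the output of `overly_broad` before deploying a rule set shows which expanded rules have stopped identifying a single physical device.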
Initial device values
Initial device values are the device properties that Kaspersky Industrial CyberSecurity for Nodes used to generate the allowing rule and that are displayed in Windows Device Manager for each connected device.
Initial device values contain the following information:
- Device instance path. Based on this property, Kaspersky Industrial CyberSecurity for Nodes defines rule triggering criteria and fills the following fields: Manufacturer (VID), Controller type (PID), and Serial number in the Rule usage scope block of the Rule properties window.
- Friendly name. A human-readable device name that is set in the device properties by its manufacturer.
Kaspersky Industrial CyberSecurity for Nodes automatically defines initial device values when the rule is generated. Later on, you can use these values to recognize the device that was used as the basis for generating the rule. Initial device values are not available for editing.
You can add additional information for each created Device Control rule in the Description field. For example, you can note the name of the connected flash drive or the name of its owner. The comment is displayed in the corresponding field in the Device Control rules window.
The description and initial device values are not used for rule triggering and are provided only to simplify device identification by the user.