About Device Control rules

Kaspersky Security for Windows Server does not apply allowing rules for MTP-connected mobile devices.

The rules are generated uniquely for each device that is currently connected or has ever been connected to a protected device if the information about this device is stored in the system registry.

To generate allowing rules for device control:

• Apply the Rule Generator for Device Control task.
• Run the Device Control task in the Statistics only mode.
• Apply system information about previously connected devices.
• Expand the usage scope for already specified rules.

The maximum number of the Device Control rules supported by Kaspersky Security for Windows Server is 3072.

Device Control rules are described below.

Rule type

Rule type is always allowing. By default, the Device Control task blocks all flash drives and other external devices connections if these devices are not included into any allowing rule usage scope.

Triggering criterion and rule usage scope

Device Control rules identify flash drives and other external devices basing on Device instance path. Device instance path is a unique criterion that is assigned to a device by the system when the device is connected and is registered as an External Device or CD/DVD drive (for example, IDE or SCSI).

Kaspersky Security for Windows Server controls connection of the CD/DVD drives regardless of the bus used for connection. When mounting such device via USB, operating system registers two path values to the device instance: for the external device and for CD/DVD drive (for example, IDE or SCSI). To connect such devices correctly, allowing rules for each path value to the instance must be set.

Kaspersky Security for Windows Server automatically defines the device instance path and parses the value obtained into the following elements:

• Device manufacturer (VID)
• Device controller type (PID)
• Device serial number

You cannot set the device instance path manually. Allowing rule triggering criteria define the rule usage scope. By default, newly created rule usage scope includes one initial device, basing on whose properties Kaspersky Security for Windows Server had generated the rule. You can configure the values in the created rule settings by using a mask to expand the rule usage scope.

Initial device values

Device properties that Kaspersky Security for Windows Server used for allowing rule generation and that are displayed in Windows Device Manager for each device connected.

Initial device values contain the following information:

• Device instance path. Basing on this property Kaspersky Security for Windows Server defines rule triggering criteria and fills the following fields: Manufacturer (VID), Controller type (PID), Serial number in the Rule usage scope section of the Rule properties window.
• Friendly name. Device clear name that is set in the device properties by its manufacturer.

Kaspersky Security for Windows Server automatically defines initial device values when the rule is generating. Later on you can use these values to recognize the device that was used as a base for the rule generating. Initial device values are not available for editing.

Description

You can add additional information for each created device control rule in the Description field, for example, you can note name of the connected flash driver or define its owner. The description is displayed in a corresponding graph in the Device Control rules window.

Description and initial device values are not allowed for rule triggering and are prescribed only to simplify device identification by user.