McAfee Data Loss Prevention 9.2.2 Product Guide

Integrating McAfee DLP EndpointControlling devices 56 Select or enter values that define the parameter.Click + to add additional parameters.7 Click Save.Using device rulesDevice rules are made up of device definitions and user assignment rules that can be used to controlusage of groups of devices. They can be used to trigger actions or use whitelisted applicationdefinitions when the devices are used.Devices attached to enterprise managed computers — such as smartphones, removable storagedevices, Bluetooth devices, MP3 players, or Plug and Play devices — can be monitored or blockedusing device rules, allowing you to monitor and control their use in the distribution of sensitiveinformation.Device rules must be activated before they can be used.Different sets of rules can be devised for the enterprise workforce based on roles and needs. Forexample, while the majority of workers are not allowed to copy enterprise data to removable storagedevices, the IT and sales force can use these devices, and are only monitored by the system. This kindof scenario can be implemented by using the properties of the specific device with a suitable devicerule.Plug and Play and Removable Storage Device rules can define a device as read only. Removable Storage File Accessrules might be used to control executables and to include or exclude whitelisted applications.Types of device rulesDevice rules are used to control sensitive data that can be compromised by use of devices at networkendpoints.There are three types of device rule: Plug and Play, removable storage, and removable storage file access.Plug and play and removable storage device rules can be pre‐programmed to monitor or block usage of endpointdevices by users, take action when violations occur, and alert other users to those events. Removablestorage device rules can also prevent data on devices from being appended, modified, or copied. Forexample, users might be allowed to listen to MP3 players, but their potential use as storage devicescan be disallowed.Removable storage file access rules block executables on plug‐in devices from running, and they can also beused to include or exclude whitelisted applications, depending on who is using them. For example,some applications, such as encryption applications on encrypted devices, must be allowed to run, andtheir executables can be exempted from the blocking rule.File access rules determine if a file is an executable by its extension. The following extensions areblocked: .bat, .cgi, .cmd, .com, .cpl, .dll, .exe, .jar, .msi, .py, .pyc, .scr, .vb, .vbs, .ws, and .wsf. Inaddition, files that might be executed from within archives, like .cab, .rar, and .zip files, can also beblocked.Because block is the only action that is supported by file access rules, there is no need to select actions,as in the other device rules. The file filter driver cannot differentiate between opening and creating anexecutable; it simply blocks them.McAfee Data Loss Prevention 9.2.2 Product Guide 165