To prevent data leaks, the Device Control option lets you apply rules and exceptions that set the policy for external devices to Allow, Block, or Custom once the antimalware option is applied to the endpoints.

Devices already connected to Qualys endpoints are discovered after you restart the corresponding endpoints.

The following set of exceptions might differ for each Device Class:

  • Allow: the device class can be implemented on the target endpoint.
  • Block: the device class cannot be implemented on the target endpoint. If you block a device class, the user is notified that the device is blocked.
  • Custom: you can assign different permissions for each type of port. If you select Custom to set permissions, you can select multiple ports to include in the device control.

The following table lists the Device Class and the exceptions for Windows:

| Device Class | Allow | Block | Custom |
|---|---|---|---|
| Bluetooth Devices | Supported | Supported | PCI, PCMCIA, and USB |
| CDROM Drives | Supported | Supported | Not Supported |
| IEEE 1284.4 | Supported | Supported | Others, Firewire, IDE, ISA Plug & Play, PCI, PCMCIA, SCSI, and USB |
| IEEE 1394 | Supported | Supported | Others, Firewire, IDE, ISA Plug & Play, PCI, PCMCIA, SCSI, and USB |
| Imaging Devices | Supported | Supported | Others, Firewire, IDE, ISA Plug & Play, PCI, PCMCIA, SCSI, and USB |
| Modems | Supported | Supported | Others, Firewire, IDE, ISA Plug & Play, PCI, PCMCIA, SCSI, and USB |
| Tape Drives | Supported | Supported | Others, Firewire, IDE, ISA Plug & Play, PCI, PCMCIA, SCSI, and USB |
| Windows Portable | Supported | Supported | Others, Firewire, IDE, ISA Plug & Play, PCI, PCMCIA, SCSI, and USB |
| COM/LPT Ports | Supported | Supported | Others, Firewire, IDE, ISA Plug & Play, PCI, PCMCIA, SCSI, and USB |
| Printers | Supported | Supported | Others, Firewire, IDE, ISA Plug & Play, PCI, PCMCIA, SCSI, and USB |
| Network Adapters | Supported | Not Supported | Not Supported |
| Wireless Network Adapters | Supported | Not Supported | Not Supported |
| Internal Storage | Supported | Not Supported | Not Supported |
| External Storage | Supported | Supported | Others, Firewire, IDE, ISA Plug & Play, PCI, PCMCIA, SCSI, and USB |

In the following procedure of Device Control, we have selected Bluetooth Device Class as an example:

  1. Toggle Device Control to edit permissions for the devices. In the following screenshot, we have selected Bluetooth Device Class:

    Device Control option in Anti-Malware Profile.

  2. By default, the Permission is set as Allowed. To change the permission, click the edit icon under the Actions column.
  3. You can change the permission from Allow to Block or Custom. If you change the permission to Custom, you should also select the permissions for the type of ports listed.

    To unblock a blocked connected device, restart the system or reconnect the device to use it again.

    Edit Rule window in the Device Control option.

  4. Click Save.

    The following screenshot displays an example of the updated changes for the Bluetooth Device Class with the Custom Permission:

    Updated Permissions for Bluetooth Device Class.

Once the device class permissions are configured in Device Control, you can exclude devices in the Exclusions step. For more information about device control exclusion, refer to Exclusion Support.


 

 
