Advanced Settings for Media Encryption

Authorization Scanning

In Advanced Settings > Authorization Scanning, you specify which file types Media Encryption & Port Protection allows or blocks when it scans a storage device. In Authorized mode, the list holds the file types that are allowed; in Unauthorized mode, it holds the file types that are blocked. A file type is identified by its extension and, optionally, by a file signature (a byte pattern at a given offset in the file), so a file whose extension was changed is still matched by its content.

To specify the file types:

  1. Select the scan mode:

    • Authorized

    • Unauthorized

  2. To add a file type:

    1. Click .

      The Add a File Type or Category window appears.

    2. From the drop down, select a file type or category.

    3. Click OK.

  3. To create a new file type:

    1. Click .

      The File type Add / Edit window appears.

    2. Enter the Name, Comments and File Extension.

    3. To add a File Signature:

      1. Click .

        The Add new file signature window appears.

      2. Select the Offset, the position in the file at which the signature begins.

      3. In the Signature field, enter the file signature.

      4. Click OK.

      5. To delete a File Signature, select the file signature and click .

    4. Click OK.

  4. To edit a file, select the file and click .

  5. To delete a file, select the file and click .
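The following is an added example and not Check Point code: it shows the kind of content check a file signature rule expresses, a byte pattern expected at a fixed offset, and applies it under both scan modes. The type table and the sample file contents are constructed for illustration (the signatures are the public magic bytes of the named formats); the rule semantics, listed types allowed in Authorized mode and blocked in Unauthorized mode, follow the description above.

```python
# Added example (not Check Point code): content-based file-type matching of the
# kind a file signature rule describes, a byte pattern expected at a fixed offset.
# The type table and sample file contents below are constructed for illustration.

# (name, extension, offset, signature)
FILE_TYPES = [
    ("JPEG image", "jpg", 0, bytes.fromhex("FFD8FF")),
    ("PNG image", "png", 0, bytes.fromhex("89504E470D0A1A0A")),
    ("Windows executable", "exe", 0, b"MZ"),
    ("ZIP archive", "zip", 0, b"PK\x03\x04"),
    # tar is a format whose marker is not at the start of the file
    ("TAR archive", "tar", 257, b"ustar"),
]


def matches(data: bytes, offset: int, signature: bytes) -> bool:
    """True if `signature` appears in `data` exactly at `offset`."""
    return data[offset:offset + len(signature)] == signature


def classify(data: bytes) -> list:
    """Names of every type in FILE_TYPES whose signature matches the content."""
    return [name for name, _ext, off, sig in FILE_TYPES if matches(data, off, sig)]


def extension_of(filename: str) -> str:
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def scan(filename: str, data: bytes, mode: str, listed: set) -> dict:
    """Apply a scan rule to one file.

    mode == "authorized":   only types in `listed` may pass; anything else is blocked.
    mode == "unauthorized": types in `listed` are blocked; everything else passes.
    The decision is taken on content, not on the extension; the extension is
    reported separately so a renamed file shows up as a mismatch.
    """
    if mode not in ("authorized", "unauthorized"):
        raise ValueError(f"unknown scan mode: {mode}")
    types = classify(data)
    hit = any(t in listed for t in types)
    allowed = hit if mode == "authorized" else not hit
    expected_exts = {ext for name, ext, _, _ in FILE_TYPES if name in types}
    mismatch = bool(types) and extension_of(filename) not in expected_exts
    return {"decision": "allow" if allowed else "block",
            "types": types, "extension_mismatch": mismatch}


# Constructed sample contents.
JPEG_SAMPLE = bytes.fromhex("FFD8FFE000104A464946") + b"\x00" * 16
RENAMED_EXE = b"MZ\x90\x00" + b"\x00" * 60      # PE header start, saved as photo.jpg below
TAR_SAMPLE = b"\x00" * 257 + b"ustar\x0000" + b"\x00" * 8
UNKNOWN_SAMPLE = b"hello, world\n"

if __name__ == "__main__":
    only_images = {"JPEG image", "PNG image"}
    for name, data in [("photo.jpg", JPEG_SAMPLE), ("photo.jpg", RENAMED_EXE),
                       ("backup.tar", TAR_SAMPLE), ("notes.txt", UNKNOWN_SAMPLE)]:
        print(name, scan(name, data, "authorized", only_images))
```

The renamed executable is blocked in Authorized mode even though its name ends in .jpg, and it is reported as an extension mismatch; the plain text file, which matches no signature, is blocked in Authorized mode but passes in Unauthorized mode, which is the practical difference between the two modes.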

UserCheck Messages

UserCheck for Media Encryption & Port Protection (MEPP) tells users about policy violations and shows them how to prevent unintentional data leakage. When a user tries to do an action that the policy does not allow, a message explains the policy.

For example, you can optionally let users write to a storage device even though the policy does not allow it. In this case, users are prompted to give a justification for the policy exception. The justification is sent to the security administrator, who can monitor the activity.

Select any of these checkboxes to enable the UserCheck message:

  • Suggest to encrypt device when encryption is not mandatory

  • Suggest to encrypt device in order to get write access when inserting

  • Suggest to encrypt device in order to get write access when writing

  • Notify user that device has been blocked

  • Notify user that device has read only access

  • Notify when encrypting business related data

Advanced Encryption

  • Allow user to choose owner during encryption - Lets users manually define the device owner before encryption. This lets users create storage devices for other users. By default, the device owner is the user who is logged into the endpoint computer. The device owner must be an Active Directory user.

  • Allow user to change the size of encrypted media - Lets users change the percentage of a storage device that is encrypted. The value cannot be lower than Minimum percentage of media capacity used for encrypted storage or Default percentage of media capacity used for encrypted storage.

  • Allow users to remove encryption from media - Lets users decrypt storage devices.

  • When encrypting, unencrypted data will be - Select one of these actions for unencrypted data on a storage device upon encryption:

    • Copied to encrypted section - Unencrypted data is encrypted and moved to the encrypted section of the storage device. We recommend that you back up unencrypted data before encryption to prevent data loss if encryption fails, for example because there is insufficient space on the device.

    • Deleted - Unencrypted data is deleted.

    • Untouched - Unencrypted data is not encrypted or moved.

  • Secure format media before encryption - Run a secure format before encrypting the storage device. Select the number of format passes to do before the encryption starts.

  • Change device name and icon after encryption - When selected, after the device is encrypted, the name of the non-encrypted drive changes to Non Business Data and the icon changes to an open lock. When cleared, the name of the non-encrypted drive and the icon do not change after the device is encrypted.

  • When encrypting media, file system should be:

    • As already formatted - According to the original format.

    • ExFAT

    • FAT32

    • NTFS

    Allow user to change the file system of the encrypted storage - After the storage was encrypted with a specific file system, the user can change it to another file system.

Site Configuration

Site Actions control whether to allow or prevent access to devices that were encrypted by a different Endpoint Security Management Server. Each Endpoint Security Management Server (known as a Site) has a Universally Unique Identifier (UUID). When you encrypt a storage device on an Endpoint Security client, the UUID of the client's Endpoint Security Management Server is written to the device. The Site action can prevent access to devices that were encrypted on a different Endpoint Security Management Server or by another organization. The Site action is enabled by default.

When a user attaches a storage device, Media Encryption & Port Protection checks that the UUID on the device matches the UUID of the client's Endpoint Security Management Server or of another trusted Endpoint Security Management Server. If the UUIDs match, the user can enter a password to access the device. If they do not match, access to the device is blocked.

Allow access to storage devices encrypted at any site - Endpoint Security clients can access encrypted devices that were encrypted at any site.

Allow access to storage devices encrypted at current site only - Media Encryption Site (UUID) verification is enabled. Endpoint Security clients can only access encrypted devices that were encrypted by the same Endpoint Security Management Server.

Lockout Settings

You can configure Media Encryption & Port Protection in the Lockout Settings to lock a device after a specified number of unsuccessful login attempts.

To configure lockout settings:

  1. Select Lock storage device after failed authentication attempts.

  2. To lock the storage device temporarily:

    1. Select Temporarily lock device.

    2. In the Temporarily lock device after authentication failed field, enter the number of failed login attempts after which the system locks the device.

    Notes:

    • If a device is locked temporarily, users can try to authenticate again after the specified time.

    • A temporary lock is only applied when its threshold is lower than the permanent lock threshold.

  3. To lock the storage device permanently:

    1. Select Permanently lock device.

    2. In the Permanently lock device after authentication failed field, enter the number of failed login attempts after which the system permanently locks the device. This value must be greater than the value in the Temporarily lock device after authentication failed field.

      Note - If the device is locked permanently, users can request to unlock it through Remote Help: the user contacts the Help Desk or a specified administrator and follows the recovery procedure. For more information, see Media Encryption Remote Help.

  4. In the Duration for temporary storage device lock field, enter how long the device stays locked after the specified number of failed login attempts. When this time has passed, the system unlocks the device.
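The following is an added example and not Check Point code: a model of the lockout policy configured above, with a temporary lock threshold and duration and a permanent lock threshold, so the interaction of the two thresholds can be walked through. The page does not say how the failure counter behaves across temporary locks, whether attempts made during a lock are counted, or what a successful login does to the counter; this model assumes the counter keeps counting toward the permanent threshold, that attempts made while a lock is active are rejected without being counted, and that a successful login resets the counter. Time is passed in as a number of seconds so the model runs deterministically.

```python
# Added example (not Check Point code): model of temporary and permanent device
# lockout. Assumptions (the page does not state them): the failure counter keeps
# counting across temporary locks until the permanent threshold is reached, an
# attempt made while a lock is active is rejected without being counted, and a
# successful login resets the counter.


class LockoutPolicy:
    def __init__(self, temp_after, temp_duration, perm_after):
        """temp_after / perm_after: failed attempts before each lock (None disables it);
        temp_duration: seconds a temporary lock lasts."""
        if temp_after is not None and perm_after is not None and temp_after >= perm_after:
            # a temporary lock is only meaningful below the permanent threshold
            raise ValueError("temporary lock threshold must be lower than the permanent one")
        self.temp_after = temp_after
        self.temp_duration = temp_duration
        self.perm_after = perm_after


class DeviceLock:
    def __init__(self, policy):
        self.policy = policy
        self.failures = 0
        self.temp_until = None      # time at which the current temporary lock expires
        self.permanent = False

    def state(self, now):
        if self.permanent:
            return "permanent"
        if self.temp_until is not None and now < self.temp_until:
            return "temporary"
        return "open"

    def attempt(self, now, password_ok):
        """Process one authentication attempt at time `now`; returns an outcome string."""
        st = self.state(now)
        if st == "permanent":
            return "denied-permanent"       # only Remote Help clears this
        if st == "temporary":
            return "denied-temporary"       # wait out the lock; attempt not counted
        if password_ok:
            self.failures = 0
            self.temp_until = None
            return "ok"
        self.failures += 1
        p = self.policy
        if p.perm_after is not None and self.failures >= p.perm_after:
            self.permanent = True
            return "locked-permanent"
        if p.temp_after is not None and self.failures >= p.temp_after:
            self.temp_until = now + p.temp_duration
            return "locked-temporary"
        return "wrong-password"

    def remote_help_unlock(self):
        """Administrator clears the lock after the Remote Help procedure."""
        self.failures = 0
        self.temp_until = None
        self.permanent = False


if __name__ == "__main__":
    # temporary lock after 3 failures for 60 s, permanent lock after 5 failures
    device = DeviceLock(LockoutPolicy(temp_after=3, temp_duration=60, perm_after=5))
    for now, ok in [(0, False), (1, False), (2, False), (10, False),
                    (62, False), (130, False), (200, True)]:
        print(now, device.attempt(now, ok), device.state(now))
```

Walking the sample trace: the third failure locks the device until t=62, the attempt at t=10 is rejected without advancing the counter, the failure at t=62 (after the lock expired) is the fourth and locks it again, and the fifth failure at t=130 locks it permanently, after which even the correct password is refused until Remote Help clears the lock.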

Offline Access

Password protect media for access in offline mode - Lets users assign a password to access a storage device from a computer that is not connected to an Endpoint Security Management Server. Users can also access the storage device with this password from a non-protected computer.

Allow user to recover their password using remote help - Lets users recover their passwords with Remote Help.

Copy utility to media to enable media access in non-protected environments - Copies the Explorer utility to the storage device. This utility lets users access the device from computers that are not connected to an Endpoint Security Management Server.

Password Constraints

You can specify the password requirements for users to follow to log in to the device.

To configure the password constraints, select one of these:

  • Use Windows Complexity Requirements

  • Use Custom Requirements

    • Consecutive identical characters are not allowed

    • Require special characters

    • Require digits

    • Require lower case characters

    • Require upper case characters

    • Password must not contain user name or full name

    • In the Minimum length of password field, enter the number of characters required in the password. The minimum supported length is four characters.