Advanced Settings for Media Encryption

Authorization Scanning

In Advanced Settings > Authorization Scanning, you specify which file types are authorized (allowed) or unauthorized (blocked) when storage devices are scanned. A file type is identified by its extension and, optionally, by one or more file signatures (byte patterns at a given offset), so a file cannot pass simply by being renamed.

To specify the file types:

  1. Select the scan mode:

    • Authorized

    • Unauthorized

  2. To add a file type:

1. Click the add icon.

      The Add a File Type or Category window appears.

    2. From the drop down, select a file type or category.

    3. Click OK.

  3. To create a new file type:

1. Click the new file type icon.

      The File type Add / Edit window appears.

    2. Enter the Name, Comments and File Extension.

    3. To add a File Signature:

1. Click the add icon.

        The Add new file signature window appears.

      2. Select the Offset.

      3. In the Signature field, enter the file signature.

      4. Click OK.

5. To delete a File Signature, select the file signature and click the delete icon.

    4. Click OK.

4. To edit a file type, select it and click the edit icon.

5. To delete a file type, select it and click the delete icon.
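The following is an added example, not code from the page or from Check Point: a small file-type catalog built the way the Authorization Scanning dialog describes (an extension list plus optional (offset, signature) pairs), applied in both scan modes. The type names, the sample byte strings, the rule that a content signature is checked before the extension, and the reading that "Authorized" allows only the selected types while "Unauthorized" blocks only the selected types are this example's assumptions. It also shows the check a practitioner cares about most: a file whose extension says one thing and whose signature says another.

```python
# Added example: extension + (offset, signature) file typing, as the
# Authorization Scanning settings describe it. Names, samples and the
# evaluation order are assumptions, not Check Point's implementation.
from dataclasses import dataclass


@dataclass(frozen=True)
class FileType:
    name: str
    extensions: tuple          # lower-case, without the dot
    signatures: tuple = ()     # (offset, bytes) pairs; all must match


# Well-known magic numbers; the ISO entry shows a signature at a non-zero offset.
CATALOG = (
    FileType("Executable", ("exe", "dll", "sys"), ((0, b"MZ"),)),
    FileType("PDF document", ("pdf",), ((0, b"%PDF-"),)),
    FileType("PNG image", ("png",), ((0, b"\x89PNG\r\n\x1a\n"),)),
    FileType("JPEG image", ("jpg", "jpeg"), ((0, b"\xff\xd8\xff"),)),
    FileType("ISO image", ("iso",), ((0x8001, b"CD001"),)),
    FileType("Text file", ("txt", "log")),   # extension only, no signature
)


def matches_signature(data: bytes, ft: FileType) -> bool:
    """True when every configured signature is present at its offset."""
    return bool(ft.signatures) and all(
        data[off:off + len(sig)] == sig for off, sig in ft.signatures)


def classify(filename: str, data: bytes, catalog=CATALOG):
    """Return (type name, basis). Content signatures are checked before the
    extension (assumption), so a renamed executable is still an Executable."""
    for ft in catalog:
        if matches_signature(data, ft):
            return ft.name, "signature"
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    for ft in catalog:
        if ext in ft.extensions:
            return ft.name, "extension"
    return None, None


def is_allowed(filename: str, data: bytes, mode: str, selected: set,
               catalog=CATALOG) -> bool:
    """Apply the scan mode: 'authorized' allows only the selected types,
    'unauthorized' blocks the selected types and allows everything else."""
    name, _ = classify(filename, data, catalog)
    if mode == "authorized":
        return name in selected
    if mode == "unauthorized":
        return name not in selected
    raise ValueError(f"unknown scan mode: {mode}")


def extension_mismatch(filename: str, data: bytes, catalog=CATALOG) -> bool:
    """Flag files whose content signature identifies a different type than the
    extension claims (a renamed .exe arriving as photo.jpg, for instance)."""
    by_sig, basis = classify(filename, data, catalog)
    if basis != "signature":
        return False
    by_ext, _ = classify(filename, b"", catalog)   # empty data forces an extension-only lookup
    return by_ext is not None and by_ext != by_sig


# Constructed samples (not real files): headers padded out with zero bytes.
SAMPLES = {
    "photo.jpg":  b"MZ\x90\x00" + b"\x00" * 60,           # PE header behind an image name
    "scan.jpg":   b"\xff\xd8\xff\xe0" + b"\x00" * 60,
    "report.pdf": b"%PDF-1.7\n" + b"\x00" * 60,
    "notes.txt":  b"plain text, no magic number\n",
    "disk.iso":   b"\x00" * 0x8001 + b"CD001" + b"\x00" * 16,
}


def scan(mode: str, selected: set):
    """Run the policy over SAMPLES; returns {filename: (type, allowed, mismatch)}."""
    return {
        fn: (classify(fn, data)[0],
             is_allowed(fn, data, mode, selected),
             extension_mismatch(fn, data))
        for fn, data in SAMPLES.items()
    }


if __name__ == "__main__":
    for fn, (kind, ok, spoof) in scan("unauthorized", {"Executable"}).items():
        flag = "spoofed extension" if spoof else ""
        print(f"{fn:12} {kind!s:14} {'allow' if ok else 'BLOCK':5} {flag}")
```

With "Unauthorized" mode blocking only Executable, photo.jpg is still blocked because its MZ header wins over the .jpg extension; in "Authorized" mode everything not on the list, including a file the catalog cannot identify at all, is blocked.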

UserCheck Messages

UserCheck for Media Encryption & Port Protection (the Endpoint Security client component that protects data stored on computers by encrypting removable media devices and allowing tight control over the computer's ports, such as USB and Bluetooth; acronym MEPP) tells users about policy violations and shows them how to prevent unintentional data leakage. When a user tries to do an action that the policy does not allow, a message appears that explains the policy.

For example, you can optionally let users write to a storage device even though the policy does not allow them to do so. In this case, users are prompted to give justification for the policy exception. This justification is sent to the security administrator, who can monitor the activity.

Enabling the UserCheck messages

Select the checkbox to enable the UserCheck message:

  • Suggest to encrypt device when encryption is not mandatory

  • Suggest to encrypt device in order to get write access when inserting

  • Suggest to encrypt device in order to get write access when writing

  • Notify user that device has been blocked

  • Notify user that device has read only access

  • Notify when encrypting business related data

Customizing the UserCheck messages

You can customize UserCheck messages including the title, notification message, replacement text for the OK and Cancel buttons and also present them in multiple languages.

To customize the UserCheck messages:

  1. Click Edit for the particular UserCheck message you need to customize.

  2. Customize the message:

    • Message languages - Select multiple languages to add messages in different languages.

• Edit language - Select the language whose message you want to modify.

      • Title - Edit the title of the notification.

      • Main text - Edit the text of the notification.

      • Body text - Edit the text of the notification.

      • OK button - Modify the UI text for the OK button.

      • Cancel button - Modify the UI text for the Cancel button.

      • More button - Modify the UI text for the More options button.

      Note -

      UserCheck messages asking justification for copying the files additionally include:

      • Check box - Modify the UI text for the check box.

      • Notes - Edit the text of notes.

      • Justification - Edit the text of the justification.

      • Warning - Edit the warning text.

  3. Click OK.

Advanced Encryption

  • Allow user to choose owner during encryption - Lets users manually define the device owner before encryption. This lets users create storage devices for other users. By default, the device owner is the user who is logged into the endpoint computer. The device owner must be an Active Directory user.

• Allow user to change the size of encrypted media - Lets users change the percentage of a storage device that is encrypted. The value cannot be lower than Minimum percentage of media capacity used for encrypted storage or Default percentage of media capacity used for encrypted storage.

  • Allow users to remove encryption from media - Lets users decrypt storage devices.

  • When encrypting, unencrypted data will be - Select one of these actions for unencrypted data on a storage device upon encryption:

• Copied to encrypted section - Unencrypted data is encrypted and moved to the encrypted section of the storage device. We recommend that you back up unencrypted data before encryption to prevent data loss if encryption fails, for example because there is insufficient space on the device.

    • Deleted - Unencrypted data is deleted.

    • Untouched - Unencrypted data is not encrypted or moved.

  • Secure format media before encryption - Run a secure format before encrypting the storage device. Select the number of format passes to do before the encryption starts.

  • Change device name and icon after encryption - When selected, after the device is encrypted, the name of the non-encrypted drive changes to Non Business Data and the icon changes to an open lock. When cleared, the name of the non-encrypted drive and the icon do not change after the device is encrypted.

  • When encrypting media, file system should be:

• As already formatted - According to the original format.

    • ExFAT

    • FAT32

    • NTFS

  • Allow user to change the file system of the encrypted storage - After the storage was encrypted with a specific file system, the user can change it to another file system.

Media Log

The Media Log setting defines when Media Encryption & Port Protection creates log entries when a storage device is attached to an endpoint computer. You can select one of these predefined log actions:

  • Do not log security events - Disable all log entries.

  • Log only critical events - Create log entries only for events that are classified as critical.

  • Log critical and security events - Create log entries only for events that are classified as critical or security events.

  • Log all events - Create log entries for all events.

You cannot define custom log actions.

This table shows the applicable Media Encryption & Port Protection events and their severity classification.

Event ID   Description                                                          Classification
3          Policy update completed successfully                                 Low
7          Device authorization successful                                      Low
8          Device authorization failed                                          Critical
11         Device access is blocked when attached to the endpoint computer      Critical
15         Encrypted storage created successfully                               Low
16         Encrypted storage device removed                                     Critical
20         Device is attached to an endpoint computer and access is allowed     Security
21         A user follows the Ask User procedure to override a rule             Critical
22         A user does not follow the Ask User procedure to override a rule     Critical
23         A storage device file operation is blocked                           Critical
24         A storage device file operation is allowed                           Security

You can define different log settings for Managing Devices.

Log entries are initially stored on client computers and then uploaded to the server at predefined intervals.

Site Configuration

Site Actions control whether to allow or prevent access to devices that were encrypted by a different Endpoint Security Management Server. Each Endpoint Security Management Server (the Security Management Server that manages your Endpoint Security environment, including the Endpoint Security policy management and databases, and that communicates with endpoint clients to update their components, policies, and protection data; known as a Site) has a Universally Unique Identifier (UUID). When you encrypt a storage device on an Endpoint Security client, the UUID of the client's Endpoint Security Management Server is written to the device. The Site action can prevent access to devices that were encrypted on a different Endpoint Security Management Server or in another organization. The Site action is enabled by default.

When a user attaches a storage device, Media Encryption & Port Protection makes sure that the UUID written on the device matches the UUID of its own Endpoint Security Management Server or of another trusted Endpoint Security Management Server. If the UUIDs match, the user can enter a password to access the device. If the UUID does not match, access to the device is blocked.

  • Allow access to storage devices encrypted at any site - Endpoint Security clients can access encrypted devices that were encrypted at any site.

  • Allow access to storage devices encrypted at current site only - Media Encryption Site (UUID) verification is enabled. Endpoint Security clients can only access encrypted devices that were encrypted by the same Endpoint Security Management Server.

Lockout Settings

You can configure Media Encryption & Port Protection in the Lockout Settings to lock a storage device after a specified number of failed login attempts.

To configure lockout settings:

  1. Select Lock storage device after failed authentication attempts.

  2. To lock the storage device temporarily:

    1. Select Temporarily lock device.

2. In the Temporarily lock device after authentication failed field, enter the number of failed login attempts after which the device is locked temporarily.

    Notes:

    • If a device is locked temporarily, users can try to authenticate again after the specified time.

• A temporary lock applies only when its threshold is lower than the permanent lock threshold.

  3. To lock the storage device permanently:

    1. Select Permanently lock device.

2. In the Permanently lock device after authentication failed field, enter the number of failed login attempts after which the device is locked permanently. This value must be greater than the value in the Temporarily lock device after authentication failed field.

Note - If the device is locked permanently, users can request an unlock through Remote Help: the user contacts the Help Desk or the specified administrator and follows the recovery procedure. For more information, see Media Encryption Remote Help.

4. In the Duration for temporary storage device lock field, enter how long the device stays locked after a temporary lock before users can try to authenticate again.
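The following is an added example, not code from the page or from Check Point: a model of the two lockout thresholds and the temporary lock duration, replayed against a fake clock so the interaction between them is visible. The page does not say how the product counts attempts made while a device is locked or whether the counter survives a temporary lock, so this example assumes that attempts against a locked device are refused and not counted, that the failure counter persists (so once the temporary threshold is reached, every further failure re-locks the device for the duration until the permanent threshold is hit), that a successful login resets the counter, and that only Remote Help clears a permanent lock. The class, method and field names are this example's own.

```python
# Added example: a model of the Lockout Settings thresholds, not Check Point's
# implementation. Assumptions: a failed attempt while the device is locked is
# refused and not counted; the failure counter survives a temporary lock;
# a successful login resets it; only Remote Help clears a permanent lock.
import time


class DeviceLockout:
    OPEN = "open"
    TEMP = "temporarily locked"
    PERM = "permanently locked"

    def __init__(self, temp_after, perm_after, temp_duration_s, clock=time.monotonic):
        # The policy requires the temporary threshold to be lower than the permanent one.
        if temp_after is not None and temp_after >= perm_after:
            raise ValueError("temporary lock threshold must be lower than the permanent one")
        self.temp_after = temp_after          # None: no temporary lock configured
        self.perm_after = perm_after
        self.temp_duration_s = temp_duration_s
        self.clock = clock
        self.failures = 0
        self.temp_until = None
        self.permanent = False

    def state(self) -> str:
        if self.permanent:
            return self.PERM
        if self.temp_until is not None and self.clock() < self.temp_until:
            return self.TEMP
        return self.OPEN

    def attempt(self, password_ok: bool):
        """Process one authentication attempt; returns (accepted, state after)."""
        if self.state() != self.OPEN:
            return False, self.state()        # refused while locked, not counted
        if password_ok:
            self.failures = 0
            self.temp_until = None
            return True, self.OPEN
        self.failures += 1
        if self.failures >= self.perm_after:
            self.permanent = True
        elif self.temp_after is not None and self.failures >= self.temp_after:
            self.temp_until = self.clock() + self.temp_duration_s
        return False, self.state()

    def remote_help_unlock(self):
        """Only Remote Help clears a permanent lock (assumption: it also resets the counter)."""
        self.failures = 0
        self.temp_until = None
        self.permanent = False


def simulate(events, temp_after=3, perm_after=5, temp_duration_s=60):
    """Replay events against a fake clock. Each event is 'fail', 'ok' or
    ('wait', seconds); returns the device state after each event."""
    now = [0.0]
    dev = DeviceLockout(temp_after, perm_after, temp_duration_s, clock=lambda: now[0])
    states = []
    for ev in events:
        if ev == "fail":
            dev.attempt(False)
        elif ev == "ok":
            dev.attempt(True)
        else:
            now[0] += ev[1]
        states.append(dev.state())
    return states


if __name__ == "__main__":
    # Three failures lock the device for 60 s; the fourth and fifth failures,
    # each after the lock expired, re-lock it and then lock it permanently.
    script = ["fail", "fail", "fail", ("wait", 61), "fail", ("wait", 61), "fail"]
    for ev, st in zip(script, simulate(script)):
        print(f"{str(ev):14} -> {st}")
```

The point the replay makes is that the temporary lock slows an attacker down but does not cap the total number of guesses; only the permanent threshold does, which is why the page requires it to be set higher than the temporary one and why a permanent lock is cleared only through Remote Help.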

Offline Access

  • Password protect media for access in offline mode - Lets users assign a password to access a storage device from a computer that is not connected to an Endpoint Security Management Server. Users can also access the storage device with this password from a non-protected computer.

  • Allow user to recover their password using remote help - Lets users recover passwords using Remote Help.

  • Copy utility to media to enable media access in non-protected environments - Copies the Explorer utility to the storage device. This utility lets users access the device from computers that are not connected to an Endpoint Security Management Server.

Password Constraints

You can specify the password requirements for users to follow to log in to the device.

To configure the password constraints, select one of these:

  • Use Windows Complexity Requirements

  • Use Custom Requirements

    • Consecutive identical characters are not allowed

    • Require special characters

    • Require digits

    • Require lower case characters

    • Require upper case characters

    • Password must not contain user name or full name

    • In the Minimum length of password field, enter the number of characters required in the password. The minimum supported length is four characters.