Device Scanning and Authorization Actions

You can configure a Media Encryption & Port Protection rule to require scans for malware and unauthorized file types when a storage device is attached. You can also require a user or an administrator to authorize the device. This protection makes sure that all storage devices are malware-free and approved for use on endpoints.

On E80.64 and higher clients, CDs and DVDs (optical media) can also be scanned.

Note - After a media device is authorized:

You can select one of these predefined options for a Media Encryption & Port Protection rule:

| Action | Description |
|---|---|
| Require storage devices to be scanned and authorized. Allow self-authorization. | Scan the device when inserted. If this option is selected, users can scan the storage device manually or automatically. If this setting is cleared, users can only insert an authorized device. |
| Require storage devices to be scanned and authorized. Do not allow self-authorization. | Scan the device when inserted. Specified administrators must authorize the device after a successful scan. |
| Do not scan storage devices | Storage devices are not scanned when inserted and no authorization is necessary. |
| New | Create a custom action with different authorization and media scan requirements. |

You can configure which file types can or cannot be on storage devices.

To configure which file types can be on storage devices:

  1. In a Media Encryption & Port Protection rule, click a device scanning and authorization action and select Edit Properties.
  2. Click the Configure unauthorized file types link.
  3. In the Unauthorized File Types window, select a Mode:
    • Unauthorized - Configure the file types that are blocked. All other file types are allowed.
    • Authorized - Configure the file types that are allowed. All other file types are blocked.

    The default is Unauthorized mode with all file types allowed.

  4. Click Add to add file types to the list.
  5. Select file types from the Available Objects list and click Add to move them to the Selected Objects list.

    If you selected Unauthorized mode, select the file types that are not blocked from storage devices.

    If you selected Authorized mode, select the file types that are allowed on storage devices.

  6. Optional:
    • Click New to create a new file type.
    • Click Remove to remove a group from the list.
  7. Click OK.
  8. Click OK.
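
The two modes act as a blocklist (Unauthorized) and an allowlist (Authorized). The sketch below is an added example, not Check Point code: it models the mode semantics described above over a constructed file listing, and it assumes file types are matched by final extension, which the page does not specify.

```python
from pathlib import PurePosixPath


def file_type(name):
    """Assumption: the type is the final extension, compared case-insensitively."""
    return PurePosixPath(name).suffix.lower().lstrip(".")


def blocked_files(files, mode="unauthorized", selected=()):
    """Return the files a rule in the given mode would treat as unauthorized.

    mode="unauthorized": selected types are blocked, all other types are allowed.
    mode="authorized":   selected types are allowed, all other types are blocked.
    The defaults mirror the documented default: Unauthorized mode, empty list.
    """
    selected = {t.lower().lstrip(".") for t in selected}
    if mode == "unauthorized":
        return [f for f in files if file_type(f) in selected]
    if mode == "authorized":
        return [f for f in files if file_type(f) not in selected]
    raise ValueError(f"unknown mode: {mode!r}")


# Constructed listing of a storage device's contents (not real data).
DEVICE_FILES = [
    "report.pdf", "budget.xlsx", "setup.EXE",
    "invoice.pdf.scr", "notes", "macro.docm",
]


def compare():
    """Evaluate the same device under the default and two configured rules."""
    return {
        # Default: nothing is selected, so nothing is blocked.
        "default": blocked_files(DEVICE_FILES),
        # Blocklist: only the listed types are caught; macro.docm passes.
        "blocklist": blocked_files(DEVICE_FILES, "unauthorized", ["exe", "scr"]),
        # Allowlist: unlisted and extensionless files are blocked too.
        "allowlist": blocked_files(DEVICE_FILES, "authorized", ["pdf", "xlsx"]),
    }


if __name__ == "__main__":
    for rule, files in compare().items():
        print(f"{rule:10} blocks {files}")
```

The same device yields no blocked files under the default, two under the blocklist, and four under the allowlist, which is why Authorized mode is the stricter choice when the set of permitted file types is known.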

To enable or disable scans for optical media (CDs and DVDs):

  1. In a Media Encryption & Port Protection rule, click a device scanning and authorization action and select Edit Properties.
  2. In the Device Overrides area:
    • To disable scans, select Exclude optical media from scan.
    • To enable scans, clear Exclude optical media from scan.
  3. Click OK.

Custom Scan and Authorization Actions

You can create custom actions that have different requirements for authorization and the media scan. You can let users connect storage devices without a scan or delete unauthorized file types from the storage device.

To define custom actions:

  1. Double-click an action in a rule and select the New action.
  2. In the Edit Properties window, configure these parameters as necessary:

    | Parameter | Description |
    |---|---|
    | Name | Unique action name. |
    | Comments | Optional textual comments. |
    | Scan storage devices and authorize them for access | Select to scan the device when inserted. Clear to skip the scan. |
    | Enable self-authorization | If this option is selected, users can scan the storage device manually or automatically. If this setting is cleared, users can only insert an authorized device. |
    | Automatic media authorization | The device is authorized automatically. |
    | Allow user to delete unauthorized files | The user can delete unauthorized files detected by the scan. This lets the user or administrator authorize the device after the unauthorized files are deleted. |
    | Manual media authorization | Users or administrators must manually authorize the device. |
    | Allow user to skip media scan | The user can optionally skip the scan when a device is connected to a client. |