Advanced Settings for Media Encryption

Authorization Settings

You can configure a Media Encryption & Port Protection rule to require scans for malware and unauthorized file types when a storage device is attached. You can also require a user or an administrator to authorize the device. This protection makes sure that all storage devices are malware-free and approved for use on endpoints.

On E80.64 and higher clients, CDs and DVDs (optical media) can also be scanned.

After a media device is authorized:

  • If you make changes to the contents of the device in a trusted environment with Media Encryption & Port Protection, the device is not scanned again each time it is inserted.

  • If you make changes to the contents of the device in an environment without Media Encryption & Port Protection installed, the device is scanned each time it is inserted into a computer with Media Encryption & Port Protection.

You can select one of these predefined options for a Media Encryption & Port Protection rule:

Require storage devices to be scanned and authorized -

  • Scan storage devices and authorize them for access - Select to scan the device when inserted. Clear to skip the scan.

    • Enable self-authorization - If this option is selected, users can scan the storage device manually or automatically. If this setting is cleared, users can only insert an authorized device.

      • Manual media authorization - The user or administrator must manually authorize the device.

        Allow user to delete unauthorized files - The user can delete unauthorized files detected by the scan. This lets the user or administrator authorize the device after the unauthorized files are deleted.

      • Automatic media authorization - The device is authorized automatically.

        Allow user to delete unauthorized files - The user can delete unauthorized files detected by the scan. This lets the user or administrator authorize the device after the unauthorized files are deleted.

  • Exclude optical media from scan - Exclude CDs and DVDs from the scan.

In Advanced Settings > Authorization Scanning, you can configure authorized and non-authorized file types.

Unauthorized - Configure the file types that are blocked. All other file types will be allowed.

Authorized - Configure file types that are allowed. All other file types will be blocked.
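The two Authorization Scanning modes are easy to confuse, so here is an added model of their behaviour (example code written for this page, not Check Point's implementation). It assumes that a "file type" is decided by the file's final extension, that a device is authorized only when no blocked file remains on it, and it models the "Allow user to delete unauthorized files" and "Exclude optical media from scan" options from the list above.

```python
"""Constructed model of the Authorization Scanning modes (not Check Point code).

Assumptions: a file's type is its final extension, lower-cased; a device is
authorized only when the scan flags nothing (or the user deletes what it flags).
"""
from dataclasses import dataclass, field
from enum import Enum


class ListMode(Enum):
    UNAUTHORIZED = "unauthorized"  # listed types are blocked, everything else allowed
    AUTHORIZED = "authorized"      # listed types are allowed, everything else blocked


@dataclass
class ScanPolicy:
    mode: ListMode
    file_types: frozenset          # extensions without the dot, e.g. {"exe", "bat"}
    allow_user_delete: bool = False
    exclude_optical: bool = False


@dataclass
class Device:
    name: str
    optical: bool                  # CD/DVD media
    files: list = field(default_factory=list)


def file_type(path):
    """Hypothetical type rule: the final extension, so 'invoice.pdf.exe' is 'exe'.
    A file without an extension has the empty type."""
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def is_blocked(policy, path):
    ftype = file_type(path)
    if policy.mode is ListMode.UNAUTHORIZED:
        return ftype in policy.file_types        # block list
    return ftype not in policy.file_types        # allow list: unknown types are blocked


def scan(policy, device):
    """Return the files the scan flags as unauthorized, in device order."""
    if device.optical and policy.exclude_optical:
        return []                                # optical media skipped by policy
    return [f for f in device.files if is_blocked(policy, f)]


def authorize(policy, device, user_deletes=False):
    """Run the scan and decide authorization.

    Returns (authorized, flagged). When the policy allows user deletion and the
    user deletes the flagged files, they are removed from the device and the
    device is authorized afterwards, as the option text describes."""
    flagged = scan(policy, device)
    if not flagged:
        return True, []
    if policy.allow_user_delete and user_deletes:
        device.files = [f for f in device.files if f not in flagged]
        return True, flagged
    return False, flagged


if __name__ == "__main__":
    # Constructed sample listing; note the unknown type 'notes' and the
    # double extension, which the allow list treats differently from the block list.
    dev = Device("usb-1", False, ["report.docx", "setup.exe", "invoice.pdf.exe", "notes"])
    print("block list:", scan(ScanPolicy(ListMode.UNAUTHORIZED, frozenset({"exe"})), dev))
    print("allow list:", scan(ScanPolicy(ListMode.AUTHORIZED, frozenset({"docx", "pdf"})), dev))
```

The sample shows the practical difference: a file with no extension passes a block list but fails an allow list, which is why the Authorized mode is the stricter choice for removable media.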

UserCheck Messages

UserCheck for Media Encryption & Port Protection tells users about policy violations and shows them how to prevent unintentional data leakage. When a user tries to do an action that is not allowed by the policy, a message shows that explains the policy.

For example, you can optionally let users write to a storage device even though the policy does not allow them to do so. In this case, users are prompted to give justification for the policy exception. This justification is sent to the security administrator, who can monitor the activity.

Advanced Encryption

  • Allow user to choose owner during encryption - Lets users manually define the device owner before encryption. This lets users create storage devices for other users. By default, the device owner is the user who is logged into the endpoint computer. The device owner must be an Active Directory user.

  • Allow user to change the size of encrypted media - Lets users change the percentage of a storage device that is encrypted, not to be lower than Minimum percentage of media capacity used for encrypted storage or Default percentage of media capacity used for encrypted storage.

  • Allow users to remove encryption from media - Lets users decrypt storage devices.

  • When encrypting, unencrypted data will be - Select one of these actions for unencrypted data on a storage device upon encryption:

    • Copied to encrypted section - Unencrypted data is encrypted and moved to the encrypted section of the storage device. We recommend that you back up unencrypted data before encryption to prevent data loss if encryption fails (for example, if there is insufficient space on the device).

    • Deleted - Unencrypted data is deleted.

    • Untouched - Unencrypted data is not encrypted or moved.

  • Secure format media before encryption - Run a secure format before encrypting the storage device. Select the number of format passes to do before the encryption starts.

  • Change device name and icon after encryption - When selected, after the device is encrypted, the name of the non-encrypted drive changes to Non Business Data and the icon changes to an open lock. When cleared, the name of the non-encrypted drive and the icon do not change after the device is encrypted.

  • When encrypting media, file system should be:

    • As already formatted - According to the original format.

    • ExFAT

    • FAT32

    • NTFS

    Allow user to change the file system of the encrypted storage - After the storage device has been encrypted with a specific file system, the user can change it to another file system.

Site Configuration

Site Actions control when to allow or prevent access to encrypted devices that were encrypted by different Endpoint Security Management Servers. Each Endpoint Security Management Server (known as a Site) has a Universally Unique Identifier (UUID). When you encrypt a storage device on an Endpoint Security client, the Endpoint Security Management Server UUID is written to the device. The Site action can prevent access to devices encrypted on a different Endpoint Security Management Server or from another organization. The Site action is enabled by default.

When a user attaches a storage device, Media Encryption & Port Protection makes sure that the UUID on the device matches the UUID of the Endpoint Security Management Server or of another trusted Endpoint Security Management Server. If the UUIDs match, the user can enter a password to access the device. If the UUID does not match, access to the device is blocked.

Allow access to storage devices encrypted at any site - Endpoint Security clients can access encrypted devices that were encrypted at any site.

Allow access to storage devices encrypted at current site only - Media Encryption Site (UUID) verification is enabled. Endpoint Security clients can only access encrypted devices that were encrypted by the same Endpoint Security Management Server.

Media Lockout

You can configure Media Encryption & Port Protection to lock a device after a specified number of unsuccessful login attempts:

  • Temporarily - If a device is locked temporarily, users can try to authenticate again after a specified time. You can configure the number of failed login attempts before a temporary lockout and the duration of lockout.

  • Permanently - If a device is locked permanently, it stays locked until an administrator unlocks it. You can configure the number of failed login attempts before a permanent lockout.
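The Site Configuration check and the Media Lockout counters both run in the same access flow: the site UUID is verified first, and only then is the user asked for a password whose failures are counted. The following added example models that flow for both sections (example code written for this page, not Check Point's implementation). The device header layout, the password comparison, the attempt thresholds and the lockout duration are all constructed assumptions for illustration; the real client stores none of this in the form shown here.

```python
"""Constructed model of Site verification plus temporary/permanent media lockout.

Not Check Point code. Assumptions: the device carries the encrypting site's UUID,
the client compares the password directly (a real client would verify a derived
key), and the thresholds in LockoutPolicy are placeholders.
"""
import hmac
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class SiteAction(Enum):
    ANY_SITE = "any"                   # "Allow access to storage devices encrypted at any site"
    CURRENT_SITE_ONLY = "current"      # "... encrypted at current site only" (UUID verification on)


@dataclass
class LockoutPolicy:
    temp_after: int = 3                # failed attempts before a temporary lockout (placeholder)
    temp_duration: int = 600           # seconds the temporary lockout lasts (placeholder)
    perm_after: int = 6                # failed attempts before a permanent lockout (placeholder)


@dataclass
class EncryptedDevice:
    site_uuid: str                     # written to the device when it was encrypted
    password: str                      # illustration only; not how a real device stores it
    failed_attempts: int = 0
    locked_until: Optional[float] = None   # expiry of a temporary lockout, epoch seconds
    permanently_locked: bool = False


@dataclass
class Client:
    site_uuid: str                     # UUID of the client's own Endpoint Security Management Server
    trusted_sites: frozenset           # other trusted server UUIDs
    site_action: SiteAction
    lockout: LockoutPolicy


def site_allows(client, device):
    """Site check; it runs before the user is asked for a password."""
    if client.site_action is SiteAction.ANY_SITE:
        return True
    return device.site_uuid == client.site_uuid or device.site_uuid in client.trusted_sites


def try_unlock(client, device, password, now):
    """Attempt to open the device at time `now` (epoch seconds).

    Returns one of: 'ok', 'wrong-site', 'locked-temporarily',
    'locked-permanently', 'bad-password'."""
    if not site_allows(client, device):
        return "wrong-site"
    if device.permanently_locked:
        return "locked-permanently"           # only admin_unlock() clears this
    if device.locked_until is not None:
        if now < device.locked_until:
            return "locked-temporarily"       # still inside the lockout window
        device.locked_until = None            # window expired; attempts allowed again
    if hmac.compare_digest(password.encode(), device.password.encode()):
        device.failed_attempts = 0            # success resets the counter
        return "ok"
    device.failed_attempts += 1
    pol = client.lockout
    if device.failed_attempts >= pol.perm_after:
        device.permanently_locked = True
        return "locked-permanently"
    if device.failed_attempts % pol.temp_after == 0:
        device.locked_until = now + pol.temp_duration
        return "locked-temporarily"
    return "bad-password"


def admin_unlock(device):
    """An administrator is the only party that clears a permanent lockout."""
    device.permanently_locked = False
    device.locked_until = None
    device.failed_attempts = 0


if __name__ == "__main__":
    client = Client("site-A", frozenset({"site-B"}), SiteAction.CURRENT_SITE_ONLY, LockoutPolicy())
    dev = EncryptedDevice("site-A", "correct-horse")
    for t, pw in [(0, "x"), (1, "x"), (2, "x"), (100, "correct-horse"), (700, "correct-horse")]:
        print(t, try_unlock(client, dev, pw, t))
```

Two points the walk-through makes visible: a correct password entered during a temporary lockout is still rejected, and the failed-attempt counter keeps accumulating across temporary lockouts until the permanent threshold is hit, so the permanent limit caps the total number of guesses an attacker gets before an administrator must intervene.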

Offline Access

Password protect media for access in offline mode - Lets users assign a password to access a storage device from a computer that is not connected to an Endpoint Security Management Server. Users can also access the storage device with this password from a non-protected computer.

Allow user to recover their password using remote help - Lets users recover their passwords using remote help.

Copy utility to media to enable media access in non-protected environments - Copies the Explorer utility to the storage device. This utility lets users access the device from computers that are not connected to an Endpoint Security Management Server.