Policies enable administrators to enforce a minimum set of protections and Data Defense settings across a population of endpoints. Policies are associated with all members of a Group. The Default policy is automatically associated with endpoints that are not a member of any group. If an endpoint is a member of more than one group, the endpoint is associated with the policy highest on the list.


File Protection Levels:

Data Defense will not allow a user to change the protection below the policy level, but they can change it to a higher level of protection. For example, if the policy setting is Dynamic, a user can increase the protection to Always On, but cannot lower it to None.

Set to Recommended will set file type protections for the most commonly used file types.

You can choose a section, or all sections, from the dropdown list and click None, Dynamic or Always On to change them all at once to that value.


Microsoft Office Files:

Select the minimum protection level for each Microsoft Office file type.


Adobe Files:

Select the minimum protection level for each Adobe file type.


Custom File Types:

Custom file types allow protection to be added to file types not covered by the pre-defined Microsoft or Adobe file types. Administrators should take precautions and test the effects of protecting a file type to prevent any undesired side effects.

Import allows the importation of a CSV containing definitions for custom file type protection as an easier means of defining large quantities of file types.

Ransomware File Types:

Devices with Cigent Secure SSD+ drives that support ransomware detection can have a dedicated set of file types protected on both the OS drive (typically C:) and any Secure Drives. The Default list matches the list built into Data Defense when it is not activated to a subscription. The policy gives administrators the ability to tailor the list to the business's needs by deselecting defaults and adding custom types.

Folders:

Folders can be used to add Dynamic or Always On protection to all devices associated with the policy. If the folder is not present on the device, Data Defense will create it. Optionally, administrators can choose that files within the folder be encrypted using the Subscription key. Note that the Subscription key must be enabled in the console settings and the user must log in to Data Defense before the files can be encrypted (this is when the key is downloaded). If the user does not log in, the folder will be protected as specified, but its files will remain unencrypted.


To support variability in Windows deployments, administrators can use several environment variables that Data Defense resolves automatically. For example, $HOME is expanded to C:\Users\<username>, so a policy folder of $HOME\Documents covers each user's Documents folder on the endpoint.


Import allows the importation of a CSV containing definitions for many folders.

Data Deception:

Data deception is a means of catching remote or insider attacks by creating interesting-looking files that, when accessed, trigger an Activelock on the endpoint to protect data.

Administrators can create realistic-looking files on devices that best match their environment. Environment variables are available to support variability in Windows deployments. It is important to choose a unique deception file name and location to prevent creation issues.

Safe Apps:

Safe applications are allowed to access protected files without authorization. Common usage of Safe apps include backup programs and cloud file storage applications.

Applications are securely identified by matching the application's certificate and, optionally, its name or folder location. Application certificates can be exported from the Security tab of the file's properties and must be Base-64 encoded X.509. The path should only include the folder name starting below C:\Program Files. For example, when adding Backblaze located in C:\Program Files\Backblaze, enter only Backblaze.

If you enter just the folder, all programs under that folder signed with the same certificate will be authorized. If you want to narrow the list to a single program, enter the program name instead (e.g. backblaze.exe).

The Enabled toggle allows temporarily disabling a safe app while keeping its definition.
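The matching rules above, as an added illustration (not Cigent's code): a Safe Apps entry is compared by normalizing the Base-64 X.509 export to DER bytes, then by folder (anything beneath it under C:\Program Files) or by a single program name. The class and function names, and the certificate strings, are constructed for the example.

```python
import base64
from dataclasses import dataclass
from pathlib import PureWindowsPath

PROGRAM_FILES = PureWindowsPath(r"C:\Program Files")  # root the console path is relative to


def pem_to_der(pem: str) -> bytes:
    """Decode a Base-64 encoded X.509 export to DER bytes so two exports of the
    same certificate compare equal whatever their line wrapping."""
    body = "".join(ln.strip() for ln in pem.splitlines()
                   if ln.strip() and not ln.startswith("-----"))
    return base64.b64decode(body)


@dataclass
class SafeApp:
    """One Safe Apps entry: certificate plus an optional folder or program name."""
    cert_pem: str
    path: str = ""          # folder below C:\Program Files, a program name, or empty
    enabled: bool = True    # the Enabled toggle

    def matches(self, app_cert_pem: str, app_exe: str) -> bool:
        """True if a program with this certificate and full path is a safe app."""
        if not self.enabled or pem_to_der(self.cert_pem) != pem_to_der(app_cert_pem):
            return False
        if not self.path:
            return True                       # certificate alone is enough
        exe = PureWindowsPath(app_exe)
        try:
            rel = exe.relative_to(PROGRAM_FILES)
        except ValueError:
            return False                      # not installed under Program Files
        rule = PureWindowsPath(self.path)
        if rule.suffix.lower() == ".exe":     # single program, e.g. backblaze.exe
            return exe.name.lower() == rule.name.lower()
        want = tuple(p.lower() for p in rule.parts)   # folder: anything beneath it
        return tuple(p.lower() for p in rel.parts[:len(want)]) == want


def _constructed_pem(tag: bytes, width: int) -> str:
    """Build a constructed, non-real Base-64 'certificate' wrapped at `width`."""
    b64 = base64.b64encode(tag).decode()
    lines = [b64[i:i + width] for i in range(0, len(b64), width)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


# Constructed sample "certificates" (not real X.509 data) for the checks below.
VENDOR_CERT = _constructed_pem(b"constructed sample signer, not a real X.509 cert", 64)
VENDOR_CERT_REWRAPPED = _constructed_pem(b"constructed sample signer, not a real X.509 cert", 16)
OTHER_CERT = _constructed_pem(b"a different constructed signer", 64)
```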

Settings:

The Settings page contains important options related to protection control and communications. Take care when changing these settings from their defaults, as they can impact network and CPU consumption on the endpoints.


Allow ‘Always On’ file type protection:

When disabled, neither the policy nor its associated endpoints may use Always On file type protection. Administrators should be aware of the potential impacts of Always On file type protection and therefore must explicitly enable this feature.


Sync Interval:

How often a device will contact the console to synchronize policy settings.


Sync Interval metered:

How often a device will contact the console to synchronize policy settings when connected to a metered connection.


License Interval:

How often an endpoint will validate its license status.



Max pre-approved file access count:

The maximum number of files a user can choose to pre-approve without requiring another authentication.


Max pre-approved file duration:

The maximum duration of a pre-approved file access window, during which the pre-approved file count applies. If the duration expires before the count is used up, the user will be authenticated on the next file access.
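How the count and duration settings interact, as an added illustration (not Data Defense code; the class, field and method names are assumptions): a window opens at authentication with the user's requested count clamped to the policy maximum, and closes when either the count is exhausted or the duration expires first.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class PreApprovalWindow:
    """Tracks one user's pre-approved file accesses against the two policy
    settings. Constructed illustration; names are not Data Defense internals."""
    max_count: int            # Max pre-approved file access count (policy)
    max_duration_s: float     # Max pre-approved file duration, in seconds (policy)
    granted: int = 0          # files the user chose to pre-approve at last authentication
    used: int = 0             # accesses consumed in the open window
    started_at: Optional[float] = None   # None means no pre-approval window is open

    def authenticate(self, now: float, requested: int) -> int:
        """User authenticates and asks to pre-approve `requested` files; the grant
        is clamped to the policy maximum. Returns the number actually granted."""
        self.granted = max(0, min(requested, self.max_count))
        self.used = 0
        self.started_at = now if self.granted else None
        return self.granted

    def access(self, now: float) -> bool:
        """Called on each protected-file access. True when the access is covered by
        the open window; False when the user must authenticate again because the
        count was used up or the duration expired before the count."""
        if self.started_at is None:
            return False
        if now - self.started_at > self.max_duration_s or self.used >= self.granted:
            self.started_at = None        # close the window; next access re-authenticates
            return False
        self.used += 1
        return True
```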


Ransomware Sensitivity:

The minimum sensitivity to which a user can set the ransomware sensitivity. Users can increase the sensitivity but cannot make it lower than this threshold. Performing a Force Policy Reset from the Endpoints page will force the sensitivity to match this value.


Ransomware Detection:

Controls the state and response actions of the SSD+ ransomware detection.

Disabled - Turns off ransomware detection in the SSD.

Report Only - Enables ransomware detection but only reports the trigger event. Files are not automatically protected and drives are not locked. Use this mode to collect trigger events for a device in order to set the sensitivity properly.

Report and Lock - Enables the ransomware sensor and locks files and secure drives when triggered.


Import Policy:

Import the protection settings of a preconfigured endpoint to use as a starting point for a new policy.