Setting up triggering criteria
When configuring a rule, the administrator specifies a recording start condition that is composed of triggering criteria united by logical operators. Each of these criteria corresponds to a certain system state or event in which it is met and therefore evaluates to true (for details, see System state criteria vs. event criteria). The condition value is calculated from the current values of its criteria, and recording can start only if the condition evaluates to true.
The system state criteria from the recording start condition are also used to determine when to stop recording. For details, see Ways to stop recording.
A rule can specify one or more triggering criteria that enable recording to be started in different situations, such as when connecting devices, starting applications, or triggering DeviceLock policies. The rule’s criteria are listed in the dialog box where the administrator can add, edit, or remove triggering criteria from a rule (see Dialog box for configuring a rule).
The dialog box for setting up triggering criteria is used in the following cases:
When adding criteria to the rule, the desired criterion can be selected from a drop-down list. Then, depending upon which criterion is selected, the dialog box provides a field to set a configurable value for the selected criterion.
When editing criteria specified in the rule, the dialog box displays the selected criterion and its current setting value, if any. One can view/change the setting value, or choose a different criterion to replace the current one.
The following list briefly describes the triggering criteria and their settings.
User logged in - The monitored user logged on to the computer or logged on remotely using Terminal Services or Remote Desktop, and was successfully authenticated.
 
Note: This criterion is included in each condition by default and cannot be removed; therefore, it is not in the list for selecting criteria.
Ethernet connection exists - A network cable is plugged into the computer.
VPN connection exists - The computer is connected to a virtual private network (VPN).
Wireless connection exists - The computer is connected to a wireless network via Wi-Fi.
IP address is assigned - A network interface on the computer has received an IP address.
IP address is released - A network interface on the computer has released its IP address.
Process “<name>” exists - The computer is executing the specified process started by the monitored user.
Setting to configure: The path and name of the process executable file (for example, c:\mypath\process.exe). The setting allows the use of wildcards: an asterisk (*) for an arbitrary series of characters, a question mark (?) for any single character.
 
Tip: If it is necessary for this criterion to work regardless of the path to the process executable, specify the file name as follows: *\<file name>. Example: *\excel.exe
Window “<title>” exists - The system has a window with the specified title, opened by the monitored user.
Setting to configure: Window title. The setting allows the use of wildcards: an asterisk (*) for an arbitrary series of characters, a question mark (?) for any single character.
Window “<title>” is focused - A window with the specified title, which was opened by the monitored user, is active and can receive keyboard and mouse input.
Setting to configure: Window title. The setting allows the use of wildcards: an asterisk (*) for an arbitrary series of characters, a question mark (?) for any single character.
Content-Aware rule “<name>” is triggered - The monitored user tried to send or receive data that matches the Content-Aware rule with the specified name.
Setting to configure: Rule name. The setting allows the use of wildcards: an asterisk (*) for an arbitrary series of characters, a question mark (?) for any single character.
 
Note: This criterion applies only to content-aware rules for access control or detection. It disregards the rules for content-aware shadowing.
Protocol White List rule “<name>” is triggered - The monitored user tried to use a white-listed protocol that matches the white list rule with the specified name.
Setting to configure: Rule name. The setting allows the use of wildcards: an asterisk (*) for an arbitrary series of characters, a question mark (?) for any single character.
Media White List rule “<description>” is triggered - The monitored user tried to access white-listed media with the specified description.
Setting to configure: Media description. The setting allows the use of wildcards: an asterisk (*) for an arbitrary series of characters, a question mark (?) for any single character.
USB White List rule “<description>” is triggered - The monitored user tried to access a white-listed USB device with the specified description.
Setting to configure: Device description. The setting allows the use of wildcards: an asterisk (*) for an arbitrary series of characters, a question mark (?) for any single character.
Storage device is attached - The monitored user attached any of these device types to the computer: Removable, MTP, iPhone, Floppy, Optical Drive, TS Devices (mapped drive).
Non-storage device is attached - The monitored user attached any device type to the computer, except Removable, MTP, iPhone, Floppy, Optical Drive, TS Devices (mapped drive).
 
Important: This criterion does not trigger the recording of user activity upon attaching USB HID devices (keyboard, mouse, etc.).
Computer is idle for <number> seconds - The computer is not screen-locked, and there is no activity of the monitored user on this computer for the specified time.
Setting to configure: The time period of user inactivity (number of seconds) after which this criterion is deemed to be met. The setting value must be 3 or more seconds.
 
Note: The option Pause while inactive has no effect on the rules with this criterion in the recording start condition. Rules with such a condition do not suspend recording after the time specified by that option expires.
Read access to “<name/s>” is denied - DeviceLock has blocked an attempt of the monitored user to receive data due to a deny on access to one of the specified devices / protocols, or according to one of the specified security settings.
Setting to configure: List of device, protocol and/or security setting names. The desired names can be selected from a drop-down list.
Write access to “<name/s>” is denied - DeviceLock has blocked an attempt of the monitored user to send data due to a deny on access to one of the specified devices / protocols.
Setting to configure: List of device and/or protocol names. The desired names can be selected from a drop-down list.
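The wildcard settings of the process, window, and rule-name criteria above decide how broadly a rule triggers, so a candidate value is worth checking against paths that should and should not match. The following Python code is an added example, not DeviceLock code: it models only the two documented wildcards (* and ?) and assumes whole-value, case-insensitive matching; the helper names and sample paths are constructed for illustration.

```python
import re

def wildcard_to_regex(pattern: str) -> re.Pattern:
    """Translate a criterion setting into a regular expression.

    Only the two documented wildcards are special: '*' is an arbitrary
    series of characters, '?' is any single character. Everything else
    (backslash, dot, square brackets) is matched literally.
    """
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    # Assumption: case is ignored, as for Windows paths.
    return re.compile("".join(parts), re.IGNORECASE | re.DOTALL)

def criterion_matches(pattern: str, value: str) -> bool:
    # Assumption: the setting must match the whole value, not a substring.
    return wildcard_to_regex(pattern).fullmatch(value) is not None

def audit_pattern(pattern, should_match, should_not_match):
    """Return (missed, overmatched) value lists for a candidate setting."""
    missed = [v for v in should_match if not criterion_matches(pattern, v)]
    over = [v for v in should_not_match if criterion_matches(pattern, v)]
    return missed, over

# Constructed sample process paths (not taken from the product).
WANTED = [
    r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
    r"D:\portable\excel.exe",
]
UNWANTED = [
    r"C:\tools\notexcel.exe",
    r"C:\tools\excel.exe.bak",
    r"C:\tools\excel\viewer.exe",
]

if __name__ == "__main__":
    for candidate in ("excel.exe", r"*\excel.exe", "*excel.exe", "*excel*"):
        missed, over = audit_pattern(candidate, WANTED, UNWANTED)
        print(f"{candidate!r}: missed={len(missed)} overmatched={over}")
```

Of the four candidates, only *\excel.exe covers both wanted paths without also matching an unrelated executable; dropping the backslash lets notexcel.exe start recording as well.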
More on some triggering criteria
The value of the Storage device is attached criterion is true as long as one or more devices of any of the following types is attached to the computer:
Removable - For example, a USB stick is connected.
MTP - For example, a USB media player is connected.
iPhone - An iPhone or iPad is connected.
Optical Drive - An optical disc is inserted into the disc drive.
Floppy - A floppy disk is inserted into the disk drive.
TS Devices (mapped drive) - A hard/removable/optical disk is connected in the remote desktop/application session on a virtualization server (Remote Desktop Server, Citrix XenDesktop/XenApp, etc.).
The Storage device is attached criterion evaluates to false if none of the above device types is attached to the computer.
In the case of access to devices, Read access to “<name/s>” is denied criteria evaluate to true when attempting any of the following:
Actions denied by “generic” access rights such as Read, Mapped Drives Read, Serial Port Access, USB Devices Access, Clipboard Incoming Text / Image / Audio / File / Unidentified Content (see “Generic” Rights Category).
Actions denied by the “encrypted” access right Read (see “Encrypted” Rights Category).
Actions denied by “special permissions” such as Read Calendar / Contact / E-mail / Attachment / Favorite / File / Media / Backup / Note / Pocket Access / Task / Expense / Document / Unidentified Content (see “Special Permissions” Rights Category).
In the case of access to protocols, Read access to “<name/s>” is denied criteria evaluate to true when attempting any of the following:
Actions denied by protocol access rights such as Send/Receive Data, Web Send/Receive Data, Search, Incoming Files, Incoming Calls (see Access Rights for protocols).
Actions denied by protocol security settings, provided that appropriate item/s are selected in the criteria setting:
Block unrecognized outgoing SSL traffic - Select SSL in the criteria setting.
Block IP addresses in URL - Select IP (TCP) and/or IP (UDP) in the criteria setting, depending upon which transport protocol/s (TCP / UDP) this criterion should respond to.
Block proxy traffic - Select Proxy (HTTP), Proxy (SOCKS4), and/or Proxy (SOCKS5) in the criteria setting, depending upon which proxy server type/s (HTTP / SOCKS4 / SOCKS5) this criterion should respond to.
Block Tor Browser traffic - Select Tor Browser in the criteria setting.
For details on security settings for protocols, see Security Settings Description.
In the case of access to devices, Write access to “<name/s>” is denied criteria evaluate to true when attempting any of the following:
Actions denied by “generic” access rights such as Write, Format, Print, Copy to clipboard, Mapped Drives Write, Clipboard Outgoing Text / Image / Audio / File / Unidentified Content (see “Generic” Rights Category).
Actions denied by “encrypted” access rights such as Write, Format (see “Encrypted” Rights Category).
Actions denied by “special permissions” such as Write Calendar / Contact / E-mail / Attachment / Favorite / File / Media / Backup / Note / Pocket Access / Task / Expense / Document / Unidentified Content, Copy Text / Image / Audio / File / Unidentified Content, Screenshot (see “Special Permissions” Rights Category).
The Write access to “<name/s>” is denied criteria have no effect when denying access to the following device types: Blackberry, Bluetooth, Infrared port, Serial port, Parallel port, TS Devices in case of denying Serial Port Access or USB Devices Access, and WiFi. You can use the Read access to “<name/s>” is denied criteria to start recording upon denying access to these devices.
In the case of access to protocols, the Write access to “<name/s>” is denied criteria evaluate to true when attempting any of the actions denied by protocol access rights such as Outgoing Messages, Outgoing Files, POST Requests, Outgoing Calls (see Access Rights for protocols).