
Epp 4

Uploaded by

Anish Sebastian

User Manual for Version 5.0.0.

User Manual
I | Endpoint Protector | User Manual

Table of Contents

1. Introduction
1.1. Main components

2. Server Functionality
2.1. Endpoint Protector Configuration Wizard
2.2. General Dashboard
2.3. System Status
2.4. Live Update
2.5. Effective Rights

3. Device Control
3.1. Dashboard
3.2. Devices
3.2.1. Device Rights
3.2.2. Device History
3.3. Computers
3.3.1. Computer Rights
3.3.2. Computer Settings
3.3.3. Computer History
3.3.4. Terminal Servers and Thin Clients
3.4. Users
3.4.1. User Rights
3.4.2. User History
3.5. Groups
3.5.1. Group Rights
3.5.2. Group Settings
3.6. Global
3.6.1. Global Rights
3.6.2. Global Settings
3.7. Custom Client Notifications
3.8. File Whitelists
3.9. Custom Classes

4. Content Aware Protection
4.1. Content Aware Protection Activation
4.2. Dashboard
4.3. Content Aware Policies
4.3.1. Creating a Content Aware Protection Policy
4.3.2. Predefined policies
4.3.3. Applying multiple Content Aware Policies
4.3.4. HIPAA compliance

5. eDiscovery
5.1. eDiscovery Activation
5.2. eDiscovery Policies and Scans
5.2.1. Creating an eDiscovery Policy and Scan
5.3. eDiscovery Scan Result and Actions
5.3.1. Viewing Scan Results and taking Actions

6. DLP Blacklists and Whitelists
6.1. File Type Blacklists
6.2. Predefined Content Blacklists
6.3. Custom Content Blacklists
6.4. File Name Blacklists
6.5. File Location Blacklists
6.6. Regex Blacklists
6.7. MIME Type Whitelists
6.8. Allowed Files Whitelists
6.9. File Location Whitelists
6.10. Network Share Whitelists
6.11. E-mail Domain Whitelists
6.12. URL Name Whitelists

7. Enforced Encryption
7.1. EasyLock
7.1.1. EasyLock Deployment
7.1.2. EasyLock Settings
7.1.3. EasyLock Clients

8. Mobile Device Management

9. Offline Temporary Password
9.1. Generating the Offline Temporary Password
9.2. Using the Offline Temporary Password

10. Reports and Analysis
10.1. Logs Report
10.2. File Tracing
10.3. File Shadowing
10.4. Content Aware Report
10.5. Content Aware File Shadowing
10.6. Admin Actions
10.7. Online Computers
10.8. Online Users
10.9. Online Devices
10.10. Statistics

11. Alerts
11.1. System Alerts
11.1.1. System Alerts History
11.2. Device Control Alerts
11.2.1. Device Control Alerts History
11.3. Content Aware Alerts
11.3.1. Content Aware Alerts History
11.4. Mobile Device Alerts
11.4.1. Mobile Device History

12. Directory Services
12.1. Active Directory Import
12.2. Active Directory Sync

13. Appliance
13.1. Server Information
13.2. Server Maintenance
13.2.1. Time Zone Settings
13.2.2. Network Settings
13.2.3. Reset Appliance to Factory Default
13.2.4. SSH Server
13.3. SIEM Integration

14. System Maintenance
14.1. File Maintenance
14.2. System Snapshots
14.3. Log Backup
14.3.1. Backup Scheduler (Automatic Log Backup)
14.4. Content Aware Log Backup
14.4.1. Automatic Scheduler (Automatic CAP Log Backup)
14.5. Audit Log Backup
14.5.1. Audit Log Backup Scheduler
14.6. External Storage
14.6.1. FTP Server
14.6.2. Samba / Network Share
14.6.3. From the Web Interface
14.6.4. From the Console

15. System Configuration
15.1. Client Software
15.2. Client Software Upgrade
15.3. Client Uninstall
15.4. System Administrators
15.5. System Departments
15.6. System Security / Client Uninstall Protection
15.7. System Security
15.8. System Settings
15.8.1. Rights Functionality
15.8.2. Rights Functionality
15.8.3. Active Directory Authentication
15.8.4. Proxy Settings
15.9. System Licensing
15.9.1. Appetizer Mode
15.9.2. Trial Mode
15.9.3. Import Licenses

16. System Parameters
16.1. Device Types
16.2. Rights
16.2.1. Trusted Devices
16.3. Events
16.4. File Types

17. Setting up Policies

18. Modes for Users, Computers and Groups
18.1. Transparent Mode
18.2. Stealth Mode
18.3. Panic Mode
18.4. Hidden Icon Mode
18.5. Silent Mode
18.6. Adding System Administrator(s)
18.7. Working with Logs and Reports

19. Endpoint Protector Client
19.1. Endpoint Protector Client Installation
19.2. Endpoint Protector Client Security
19.3. Client Notifications (Notifier)
19.4. Client Policy Update
19.5. Offline Functionality for Endpoint Protector Client
19.6. DHCP / Manual IP address
19.7. Client Removal
19.7.1. Client Removal on Windows OS
19.7.2. Client removal on MAC OS X
19.7.3. Client removal on Linux OS

20. Installing Browser Root Certificates
20.1. For Microsoft Internet Explorer
20.2. For Mozilla Firefox

21. Terms and Definitions
21.1. Server Related
21.2. Client Related

22. Support

23. Disclaimer

1. Introduction

Portable storage devices such as USB flash drives, external HDDs, digital
cameras, MP3 players and iPods are virtually everywhere and can be connected to a
Windows, Mac or Linux computer within seconds. With virtually every computer
having access to the internet, online applications and collaboration tools, data theft
or accidental data loss becomes child's play.

Data loss and data theft through a simple internet connection or USB device is
easy and does not take more than a few seconds. Network Administrators had
little chance to prevent this from happening or to identify the responsible users.
This was the hard reality until now.

Endpoint Protector, through its Device Control, Content Aware Protection,
eDiscovery and Enforced Encryption modules, helps companies stop these
threats. It not only controls all device activity at the endpoints, but also monitors and
scans all possible exit points for sensitive content. It ensures critical
business data does not leave the internal network, either by being copied to
devices or sent via the Internet without authorization, and reports all sensitive data
incidents. Moreover, data at rest residing on endpoints can be inspected for
sensitive content and remediation actions can be taken. Additionally, enforcing
encryption on USB removable devices is also possible. Everything is managed from a
single web-based interface.

Information
Endpoint Protector is a complete Data Loss Prevention and Enterprise
Mobility Management solution. While the DLP related features and
functionality will be explained below, please reference the MDM User
Manual for information related to smartphones and tablets. Additional
information regarding deployment of the Endpoint Protector Server can be
found in the Virtual and Hardware Appliance User Manual.

1.1. Main components


Endpoint Protector is designed around several physical entities:

- Computers
  Windows, Mac and Linux workstations that have the Endpoint Protector
  Client installed.

- Devices
  The devices which are currently supported by Endpoint Protector,
  e.g. USB devices, digital photo cameras, USB memory cards, etc.

- Users
  The users who will be handling the devices and the computers.

The Server side of Endpoint Protector has different parts, working closely together:

- Endpoint Protector Hardware or Virtual Appliance – containing the Operating
  System, Database, etc.

- Web Service – communicating with the Endpoint Protector Clients and
  storing the information received from them

- Endpoint Protector User Interface – managing the existing devices,
  computers, users, groups and their behavior in the entire system

2. Server Functionality

After the Endpoint Protector Hardware or Virtual Appliance setup, the User
Interface can be accessed by simply entering the assigned IP address. The
default Endpoint Protector Appliance IP address is https://192.168.0.201.

Information
The default login credentials for Endpoint Protector are:
Username: root
Password: epp2011

To change these settings or to create additional administrators, please see
chapter 15.4 System Administrators.

Note
When entering the IP address, the HTTPS (Hypertext Transfer Protocol
Secure) prefix must be used.

Tips
We recommend making the browser trust the self-signed certificate. To do
this, please see chapter 20 Installing Browser Root Certificates.

2.1. Endpoint Protector Configuration Wizard


The Configuration Wizard offers the Administrator some simple steps to define
some basic settings. These include setting up the Server Time Zone, importing
Licenses, Server Update or uploading Offline Patches, Global device rights, E-mail
Server settings, Main Administrator details, etc. The settings can later be
changed at any time.

Information
The Configuration Wizard only appears if the basic settings for Endpoint
Protector have never been configured.

2.2. General Dashboard


This section offers a quick overview in the form of graphics and charts related to
the most important activities logged by Endpoint Protector. General system
information about licenses or latest news can also be found here. Additional
information related to Device Control, Content Aware Protection and Mobile
Device Management is also displayed.

Information
More specific Dashboards are available at Device Control, Content Aware
Protection and Mobile Device Management.

2.3. System Status


This section offers a quick overview on the system’s functionality, alerts and
backup status. There are several main functionalities that can be turned ON or
OFF with just a click of a button.

From the System Functionality subsection, Endpoint Protector can be turned ON
or OFF, as well as just specific modules (Device Control, Content Aware
Protection or eDiscovery).

From the System Status subsection, the HDD Disk Space and Log Rotation can
be turned ON or OFF.

From the System Alerts subsection, important alerts notifying the expiration of
the APNS Certificate, Updates and Support or Passwords can be turned ON or
OFF.

From the System Backup subsection, the System Backup can be turned ON or
OFF.

2.4. Live Update


This section allows checking and applying the latest Endpoint Protector Server
updates.

Note
Please note that this feature communicates through port 80.

The Configure Live Update option allows choosing whether the live update check
is performed manually or automatically, and enabling or disabling the
Automatic Reporting to the Live Update Server.

By pressing the Check Now button, a search for the Endpoint Protector Server
updates will begin.

In case new updates are found, they are displayed under the Available Updates
section and can be directly installed by pressing on the Apply Updates button.
The latest installed updates can be checked by pressing on the View Applied
Updates button.

The Offline Patch Uploader offers the possibility to upload updates in situations
where an internet connection is not available.

Note
Contact support@endpointprotector.com to request the Offline Patch.

2.5. Effective Rights


This section displays the Device Control or Content Aware Protection policies
applied at that time. Depending on the options selected from the drop-down
menus, information can be displayed based on rights, users, computers, device
types, specific devices and more.

3. Device Control

From this section, the Administrator can manage all entities in the system and their
respective rights and settings. The subsections are Dashboard, Devices,
Computers, Users, Groups, Global (Rights and Settings), Custom Client
Notifications, File Whitelists and Custom Classes.

While it includes some additional settings, this section can be considered the
Device Control module. As the first layer of security within Endpoint Protector, it
is activated by default in every configuration provided.

3.1. Dashboard
This section offers a quick overview in the form of graphics and charts related to
the Endpoint Protector Entities. Additional information like the latest File Traces
and File Shadows, latest Device Control Alerts, last connected Computers and
most active Users is also displayed.

3.2. Devices
From this section, the Administrator can manage all devices in the system. Any
new device connected to a protected computer is automatically added to the
database, thus making it manageable.

A device is identified by the device parameters (Vendor ID, Product ID, and
Serial Number) but information like Name and Description of the device is also
used. A device is assigned by default to the first user that handles the device.
This, however, can later be changed.

The Administrator can manually create a new device at any time by providing the
device parameters and information mentioned above. Devices can also be
imported into Endpoint Protector from Active Directory.

Information
For more details about Active Directory, please see chapter 12.1 Active
Directory Import.

The Actions column offers multiple options related to device management like
Edit, Manage Rights, Device History and Delete.

The Status column indicates the current rights of the devices.

Red means that the device is blocked in the system.

Green means that the device is allowed on computers or users.

Yellow means that the device is allowed on some users or computers with
restrictions.

If not otherwise configured, the device rights are inherited from the default
Global rights that are set per Device Types (USB Storage Device, Digital Camera,
iPod, Thunderbolt, Chip Card Device, etc.).

Information
For more details about Device Type, please see paragraph 3.6.1.1
Device Types.

Note
If device rights will be configured granularly for all entities, the priority
order, starting with the highest, will be:
Devices > Computers | Users > Groups > Global.

Example
If global rights indicate that no computer on the system has access to a
specific device, and for one computer that device has been authorized,
then that computer will have access to that device.
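
The priority order in the Note above, modelled as an added example (not Endpoint Protector code): each level either sets a right or keeps Preserve Global Settings, and the first level that decides wins. The dictionary layout, the hypothetical `user_priority` flag used for the "Computers | Users" tie, the ranking used by the audit and all sample names are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum


class Right(Enum):
    PRESERVE = "Preserve Global Settings"  # no decision at this level: fall through
    DENY = "Deny Access"
    READ_ONLY = "Read Only Access"
    ALLOW = "Allow Access"


# Permissiveness ranking, used only by the audit (an assumption of this example).
RANK = {Right.DENY: 0, Right.READ_ONLY: 1, Right.ALLOW: 2}


@dataclass
class Policy:
    global_rights: dict                                  # device_type -> Right, never PRESERVE
    group_rights: dict = field(default_factory=dict)     # (group, device_type) -> Right
    computer_rights: dict = field(default_factory=dict)  # (computer, device_type) -> Right
    user_rights: dict = field(default_factory=dict)      # (user, device_type) -> Right
    device_rights: dict = field(default_factory=dict)    # (device_id, entity) -> Right
    user_priority: bool = False                          # hypothetical tie-break flag


def effective_right(policy, device_id, device_type, computer, user, group=None):
    """Walk Devices > Computers | Users > Groups > Global; return (right, level)."""
    pair = [("Computer", computer, policy.computer_rights),
            ("User", user, policy.user_rights)]
    if policy.user_priority:
        pair.reverse()
    candidates = []
    # 1. Devices: a right set on one specific device for a computer, user or group.
    for label, entity, _ in pair + [("Group", group, None)]:
        candidates.append((f"Device ({label})",
                           policy.device_rights.get((device_id, entity))))
    # 2. Computers | Users: rights per device type.
    for label, entity, table in pair:
        candidates.append((label, table.get((entity, device_type))))
    # 3. Groups.
    candidates.append(("Group", policy.group_rights.get((group, device_type))))
    for level, right in candidates:
        if right is not None and right is not Right.PRESERVE:
            return right, level
    # 4. Global: mandatory, so there is always a value to fall back on.
    return policy.global_rights[device_type], "Global"


def overrides_of_global(policy, sessions):
    """Return the sessions whose effective right is more permissive than Global."""
    findings = []
    for s in sessions:
        right, level = effective_right(policy, **s)
        if RANK[right] > RANK[policy.global_rights[s["device_type"]]]:
            findings.append((s["computer"], s["user"], s["device_id"],
                             right.value, level))
    return findings


# Constructed sample data: computer, user, group and device names are made up.
POLICY = Policy(
    global_rights={"USB Storage Device": Right.DENY},
    group_rights={("Finance", "USB Storage Device"): Right.READ_ONLY},
    computer_rights={("PC-042", "USB Storage Device"): Right.PRESERVE},
    device_rights={("usb-0001", "PC-007"): Right.ALLOW},
)

SESSIONS = [
    # The manual's own example: Global denies, one computer is authorized.
    dict(device_id="usb-0001", device_type="USB Storage Device",
         computer="PC-007", user="alice", group=None),
    # Computer level preserves, so the Group level decides.
    dict(device_id="usb-0002", device_type="USB Storage Device",
         computer="PC-042", user="bob", group="Finance"),
    # Nothing set below Global.
    dict(device_id="usb-0003", device_type="USB Storage Device",
         computer="PC-099", user="carol", group=None),
]

if __name__ == "__main__":
    for s in SESSIONS:
        print(s["computer"], s["device_id"], effective_right(POLICY, **s))
    for finding in overrides_of_global(POLICY, SESSIONS):
        print("override:", finding)
```

The audit output lists every exception that grants more than the Global right, which is the set of entries to review when checking a deny-by-default device policy.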

3.2.1. Device Rights


The Device Rights can be accessed by going to the Actions column for the specific
device and selecting Manage Rights. This section is built around the devices,
allowing the Administrator to enable or disable them for specific computers,
groups or users.

After selecting a device, assigning the specified rights to the desired users,
computers or groups is straightforward.

3.2.2. Device History


Similar to Computer and User history, all devices that were at least once
connected to the server can be found here. Logs can be exported to a .csv file by
pressing the “Export” button, while “View Device Log” will show the Logs Report
page filtered for the respective device.

3.3. Computers
From this section, the Administrator can manage all computers in the system.
Any new computer that has the Endpoint Protector Client deployed will be
automatically added to the database, thus making it manageable.

The Endpoint Protector Client has a self-registration mechanism. This process is
run once after the Client software is installed on a client computer. The Client will
then communicate to the Server its existence in the system. The Server will
store the information regarding the Computer in the database and it will assign a
License.

Note
The self-registration mechanism acts whenever a change in the Computer
licensing module is made, and also each time the application Client is
reinstalled. The owner of the computer is not saved in the process of
self-registration.

Information
For more details about Licensing, please see chapter 15.9 System Licensing.

A Computer is identified by the computer parameters (Main IP, IP List, MAC,
Domain or Workgroup) but information like Name and Description is also
essential. A computer is assigned by default to the first user that handles the
computer. This, however, can later be changed and is updated automatically
based on whoever logs into the computer.

The Administrator can manually create a new computer at any time by providing
the computer parameters and information mentioned above. Computers can also
be imported into Endpoint Protector from Active Directory.

Information
For more details about Active Directory, please see chapter 12.1 Active
Directory Import.

Tips
For better organization, a computer can be assigned to:
- Groups (e.g. several computers within the same office)
For more details about Groups, please see chapter 3.5 Groups.
- Department (an alternative organization to Groups).
For more details about Departments, please see chapter 15.5 System
Departments.

3.3.1. Computer Rights


The Computer Rights can be accessed by going to the Actions column for the
specific computer and selecting Manage Rights. This section is built around the
computers, allowing the Administrator to specify which Device Types and also
which Specific Devices can be accessible.

Information
For more details about Device Types and Specific Devices, please see
chapter 3.6.1 Global Rights.

The Restore Global Rights button can be used to revert to a lower level of rights.
Once this button is pushed all rights on that level will be set to preserve global
settings and the system will use the next level of rights.

Note
All Existing Devices that were added on that level will be deleted when the
restore is used.

3.3.2. Computer Settings


This section will allow the Administrator to edit the settings for each computer.

Defining custom settings for all computers is not necessary, since a computer is
perfectly capable of functioning correctly without any manual settings defined. It
will do this by either inheriting the settings from the group it belongs to or, if not
possible, the global settings, which are mandatory and exist in the system with
default values from installation.

3.3.3. Computer History


This module shows all computers that were at least once connected to the
server. With the help of the “Export” button the logs can be saved to a CSV file,
while pressing “View Machine log” will show the Logs Report page filtered for
the respective Computer.

3.3.4. Terminal Servers and Thin Clients


The capability to control file transfers on RDP storage between Thin Clients and
Windows Terminal Servers can be enforced through Endpoint Protector, as
detailed below.

3.3.4.1. Initial Configuration

The process starts with the menu view from Device Control > Computers,
namely the action to Mark as Terminal Server.

After successfully marking the desired computer in the system as a Terminal
Server, a distinctive icon will be displayed for ease of identification, as seen
below:

Note
The computers that can be targeted by this action are strictly Windows
Servers with Terminal Server roles properly configured.

Information
Make sure that there is at least one Terminal Server license available when
the action Mark as Terminal Server is performed.

If the Terminal Server is successfully marked, a new device type will appear
when choosing to Edit it under Device Control > Computers > Computer Rights.

The settings for the Terminal Server specific Device Types are: Preserve Global
Settings, Allow Access, Deny Access and Read Only Access.

An Allow Access right set to the RDP Storage device type will enable all users
that connect to the Terminal Server by RDP to transfer files to and from their
local disk volume or shared storage devices such as USBs.

By contrast, a Deny Access right set to the RDP Storage will not allow any user
that connects to the Terminal Server by RDP to transfer files to and from their
local disk volume or shared storage devices such as USBs.

Note
The option to Use User Rights must be checked in the settings bar from
System Configuration > System Settings > Endpoint Rights Functionality
for the rights policy to apply on user logins with user priority.

Secondly, the menu from Device Control > Users > Rights will present an
additional device type for all the users in Endpoint Protector, namely Thin Client
Storage (RDP Storage).

Multiple users can be recognized as active users on any given Terminal Server,
so this rights setting can be used as a powerful tool to create access policies
for specific users, as detailed in the use case below.

On a Windows Terminal server, the Endpoint Protector Client will display RDP
Storage disks shared by one or multiple Thin Clients as seen below.

3.4. Users
From this section, the Administrator can manage all the users in the system.
Users are defined as the end users who are logged on a computer on which the
Endpoint Protector Client software is installed. Any new user will be automatically
added to the database, thus making them manageable.

A user is identified by information like Name (User, First Name, Last Name),
Department, Contact Details (Phone, E-mail) and others and is also automatically
assigned to a computer.

The Administrator can manually create a new user at any time by providing the
user’s parameters and information mentioned above. Users can also be imported
into Endpoint Protector from Active Directory.

Information
For more details about Active Directory, please see chapter 12.1 Active
Directory Import.

There are two users created by default during the installation process of Endpoint
Protector:

noUser – the user linked to all events performed while no user was logged
into the computer. The names of remote users who log into the computer will not be
logged and their events will be stored as events of noUser. noUser events also
occur when an automated script or software accesses a
device while no user is logged in to the specific computer.

autorunUser – indicates that an installer has been launched by Windows from
the specific device. It is the user attached to all events generated by the
programs launched from the specific device when Autoplay is enabled in the
Operating System.

Information
Depending on the OS, additional system users can appear:
- _mbsetupuser (for macOS, during updates)
- 65535, 62624, etc. (for Linux, during locked screens)

The Actions column offers multiple options related to user management like Edit,
Manage Rights, History and Delete.

3.4.1. User Rights


The User Rights can be accessed by going in the Actions column for the specific
computer and selecting Manage Rights. This section is built around the
computers, allowing the Administrator to specify what Device Types and also
what Existing Devices can be accessible.

Information
The Restore Global Rights button can be used to revert to a lower level of
rights. Once this button is pushed all rights on that level will be set to
preserve global settings and the system will use the next level of rights.

Note
All Existing Devices that were added on that level will be deleted when the
restore is used.

3.4.2. User History


This module shows all users that were at least once connected to the server.
With the help of the “Export” button the logs can be saved to a .csv file, while
pressing the “View User log” will show the Logs Report page filtered for the
respective User.

3.5. Groups
From this section, the Administrator can manage all the groups in the system.
Grouping computers and users will help the Administrator manage rights, or
settings for these entities in a more efficient way.

A group is identified by information like Name and Description, as well as based
on the entities (Computers and Users).

The Administrator can manually create a new group at any time by providing the
group information mentioned above. Groups can also be imported into Endpoint
Protector from Active Directory.

Information
For more details about Active Directory, please see chapter 12.1 Active
Directory Import.

The Actions column offers multiple options related to group management, like
Edit, Manage Rights, Manage Settings, History and Delete.

3.5.1. Group Rights


The Group Rights can be accessed by going in the Actions column for the specific
group and selecting Manage Rights. This section is built around the group,
allowing the Administrator to specify what Device Types and also what Existing
Devices can be accessible.

This section is similar to the Computer Rights section, the difference being that it
applies to all the computers that are part of the group simultaneously.

3.5.2. Group Settings


This section will allow the administrator to edit the settings for each group.

We mentioned earlier that computers and users can be grouped in order to make
editing the settings easier and more logical. Defining custom settings for all
groups is not necessary, since a computer is perfectly capable of functioning
correctly without any granular settings defined. It will do this by either inheriting
the settings from the group it belongs to or, if not possible, the global settings,
which are mandatory and exist in the system with default values from
installation.

3.6. Global
From this section, the Administrator can manage the entire system. The
Administrator can specify what rights and settings apply globally, to all Endpoint
Protector entities.

Note
If device rights or other settings will be configured granularly for entities,
the priority order, starting with the highest, will be:
Devices > Computers | Users > Groups > Global.

3.6.1. Global Rights


This section relates to the entire system, allowing the Administrator to specify
what Device Types and also what Existing Devices can be accessible.

3.6.1.1. Device Types

Endpoint Protector supports a wide range of device types, which represent key
sources of security breaches. These devices can be authorized, which makes it
possible for the users to view, create, or modify their content and for
administrators to view the data transferred to and from the authorized devices.

- Removable Storage Devices
- Normal USB Flash Drives, U3 and Autorun Drives, Disk on Key, etc.
- USB 1.1, USB 2.0, USB 3.0
- Memory Cards - SD Cards, MMC Cards, and Compact Flash Cards, etc.
- Card Readers - internal and external
- CD/DVD-Player/Burner - internal and external
- Digital Cameras
- Smartphones / Handhelds / PDAs (includes Nokia N-Series, Blackberry, and
  Windows CE compatible devices, Windows Mobile devices, etc.)
- iPods / iPhones / iPads
- MP3 Player / Media Player Devices
- External HDDs / portable hard disks
- FireWire Devices
- PCMCIA Devices
- Biometric Devices
- Bluetooth
- Printers (applies to serial, USB and LPT connection methods)
- ExpressCard (SSD)
- Wireless USB
- LPT/Parallel ports (applies only to storage devices)
- Floppy disk drives
- Serial ATA Controllers

Depending on the device type, besides the Allow and Deny Access rights,
additional rights are also available. These include Read-Only Access or multiple
combinations of Allow Access but with various limitations, such as Allow access
but exclude from CAP scanning or Allow Access if TrustedDevice Level 1 to 4.

Information
The TrustedDevices™ technology integrated within Endpoint Protector is
available in four security levels, depending on the degree of protection
offered by a device (trusted devices using EasyLock™ are TD level 1).

For more information on TrustedDevices™ and EasyLock™, please see
chapter 16.2.1 Trusted Devices.

Tips
WiFi – Block if wired network is present
With this option the administrator can disable the WiFi connection, while a
wired network connection is present. The WiFi connection will be available
when the wired network is not present.

Note
By default, the majority of device types are blocked. However, as a
working internet connection or wireless keyboards are needed during the
configuration process, several devices are set to Allow Access. These
include WiFi, Bluetooth, Network Share, Additional Keyboard and USB
Modem.

3.6.1.2. Existing Devices

With this option the administrator can give or deny access to a specific device. It
is a granular feature that can be set either Globally or per Group, User or
Computer.

Tips
Existing Devices is a granular feature that can be set either Globally or per
Group, User or Computer. It can be accessed from the Manage Rights action
from each entity/section.

By clicking the + (plus) button at the bottom of the page, under “Already
Existing Devices”, the Administrator can select the desired device.

The Device Wizard will appear, allowing the selection and management of the
device rights.

Saving the changes will display the device in the “Already Existing Devices”
section.

To add more devices or to edit a device, simply repeat the steps mentioned
above.

Information
The File Whitelisting feature is also available for USB storage devices that
have been allowed access. For more details about File Whitelisting, please see
chapter 3.8 File Whitelists.

3.6.2. Global Settings


This section holds the global settings, which influence all computers within the
system. If there are no settings defined granularly for a computer, and it does
not belong to a group, these are the settings it will inherit. If the computer
belongs to a group, then it will inherit the settings of that group.

The settings available in this section are listed below:

Refresh Interval (in seconds) – represents the time interval at which the client
will send a notification to the server with the intent to inform the server of its
presence in the system. The server will respond by checking the settings and
rights and updating them if needed, so the client can behave accordingly.

Log Upload Interval (in minutes) – represents the maximum time interval at
which the client will send the locally stored log information to the server. This
time interval can be smaller than the default value in case the log size is greater
than the Local Log Size setting.

Local Log Size (in kilobytes) – represents the maximum size of the log which
can be stored by the client on the client PC. If this value is reached, then the
client will send this information to the server.
This mechanism is optimal when a client computer has a lot of activity, because
it will send the information very quickly to the server, so the administrator can
be informed almost instantly about the activities on that computer.

Shadow Upload Interval (in minutes) – represents the maximum time interval
at which the client will send the locally stored shadow information to the server.

Local Shadow Size (in megabytes) – represents the maximum size of
shadowed files stored by the client on a client PC. When this value is reached,
the client will start overwriting existing files in order for it to not exceed the
specified limit.

Minimum File Size for Shadowing (in kilobytes) – represents the minimum
file size that should be shadowed. If a value is set here, then files smaller in size
than that value will not be shadowed.

Maximum File Size for Shadowing (in kilobytes) – represents the maximum
file size that should be shadowed. If a value is set here, then files larger in size
than that value will not be shadowed.

Additionally, File Tracing, File Shadowing and enabling Custom Client
Notifications are also powerful features that can be set from this section. They
will be explained in their own subsections below, due to their importance.

3.6.2.1. File tracing

The File Tracing feature allows monitoring of data traffic between protected
clients and portable devices. It shows what files were copied, to which location,
at what time and by which user. It also shows other actions that took place, such
as file renamed, deleted, accessed, modified, etc. It can be enabled from Device
Control > Global > Settings, or granularly for Groups or Computers.

File Tracing is an essential feature for administrators since they can keep track of
all data that is being transferred to and from devices. All traffic is recorded and
logged for later auditing. Depending on each administrator’s needs, File Tracing
can be enabled on all supported Removable Devices (with or without eSATA
HDDs) or Network Shares.

File Tracing can be disabled for specific file types using the Exclude Extensions
from Tracing option.

Note
Prior to Endpoint Protector 4.5.0.1, the Detect Copy Source option needed
to be checked. It is now enabled by default, however, we recommend
using the related Endpoint Protector Client versions.

3.6.2.2. File Shadowing

The File Shadowing feature extends the information provided by File Tracing,
creating exact copies of files accessed by users. The creation of shadow copies
can be triggered by the following events: file copy, file write, and file read.
Events such as file deleted, file renamed, etc. do not trigger the function.

Similar to File Tracing, shadowing of files can be enabled from the Endpoint
Settings section. Please note, however, that this feature cannot be used without
enabling the File Tracing feature.

Depending on each administrator’s needs, File Shadowing can be enabled on all
supported Removable Devices (including eSATA HDDs and Network Shares, if
selected) or Content Aware Protection (file transfers through various exit points
such as online applications, printers, clipboard, etc.) and E-mail Body.

File Shadowing can be disabled for specific file types using the “Exclude
Extensions from Shadowing” option.

Advanced settings such as minimum file size to be shadowed and shadowing
upload interval can also be configured.

Note
File Shadowing can be delayed due to network traffic and Endpoint
Protector Settings for different computers or file sizes. Shadowed files are
usually available after a few minutes.

Tips
For large base installations (such as 250-1000 endpoints) we strongly
advise to activate File Shadowing for up to 15% of your virtual or
hardware appliance total endpoint capacity (e.g. for an A1000 Hardware
Appliance, File Shadowing should be set to a maximum of 150 endpoints
for optimal performance).

3.7. Custom Client Notifications


This section allows the Administrator to edit the notification messages that
appear on the Endpoint Protector Client. Custom Client Notifications can be
globally enabled from Device Control > Global Settings. It can also be
individually checked on computers or groups, from their specific Settings
sections.

By selecting a Device Type, the Results section will display the editable
languages available.

To edit the messages for a specific language, click on Actions.

In the example below we set the message as “Message from Endpoint Protector
– This device is not allowed!”

Some Administrators might want not to display some notifications, while showing
others. This can be done by (not) ticking the box for the specific message.

3.8. File Whitelists


This section allows the Administrator to control the transfer of only authorized
files to previously authorized portable storage devices.

The Administrator can manage which files can be copied to removable devices,
and which cannot by uploading the whitelisted files to the Endpoint Protector
Server.

Note
The File Whitelists will not apply to files copied from external sources onto
computers. Moreover, if the Content Aware Protection module is activated
and Policies set, they will have priority and also apply to the Files
Whitelisted here.

3.9. Custom Classes


This section provides the Administrator with the option to create new classes of
devices for easier management. It is a powerful feature, especially for devices
belonging to the same vendor and/or being the same product (same VID and/or
PID).

A new Custom Class can be created by pressing on the Add New button or
double clicking on the Create your own policy.

Before adding devices to a Custom Class, the Name, Description and Rights
(Deny Access, Allow Access, Read Only Access, etc.) need to be provided and
saved.

Once this is done, there are multiple ways of adding devices to a Custom Class:

- Add new device – will open a pop-up, allowing each device to be added
  based on Vendor ID, Product ID and Serial Number. Pressing on the green
  plus button will provide the option to continue adding devices.

- Add existing device – will open a pop-up, allowing the selection of
  devices previously connected to protected computers and subsequently
  already available in the Endpoint Protector database.

- Add Serial Number range – will open a pop-up, allowing multiple
  devices to be added at the same time, by specifying the first and last
  Serial Number in the range. The recommended use for this feature is for
  devices that have a consecutive range, with a clear, noticeable pattern.

  Note
  Although this feature can actually work in situations where the Serial
  Number range does not follow a noticeable pattern, this is not
  recommended. In these types of situations, some devices will be ignored by
  Endpoint Protector and the Custom Class will not have the desired effect.

- Add bulk devices – will open a pop-up, allowing up to 500 devices with
  the same type to be added. There are two methods to choose from, either
  importing a list or simply pasting the information.

Once the devices have been added, the inside of a Custom Class will look similar
to the below image.

When multiple Custom Classes have been created, the user interface for this
section is set by default to resemble the layout shown below. However, a list
view is also available by clicking the Switch to list view button.

Example
For the case above, we created a Custom Class CD-ROM Allow and set
Allow access rights to devices of type CD-ROM/DVD-ROM. Let’s say that
CD-ROMs have Deny access rights set on Client PC CIP0. Once the custom
class CD-ROM Allow is created and Custom Classes is enabled, all the
CD-ROMs/DVD-ROMs will have access, even if on the Client PC CIP0 they have
Deny access.

4. Content Aware Protection

This module allows the Administrator to set up and enforce strong content
filtering policies for selected users, computers, groups or departments and take
control over the risks posed by accidental or intentional file transfers of sensitive
company data, such as:

- Personally Identifiable Information (PII): social security numbers (SSN),
  driving license numbers, E-mail addresses, passport numbers, phone
  numbers, addresses, dates, etc.

- Financial and credit card information: credit card numbers for Visa,
  MasterCard, American Express, JCB, Discover Card, Diners Club, bank
  account numbers, etc.

- Confidential files: sales and marketing reports, technical documents,
  accounting documents, customer databases, etc.

To prevent sensitive data leakage, Endpoint Protector closely monitors all activity
at various exit points:

- Transfers on portable storage and other media devices (USB Drives,
  external HDDs, CDs, DVDs, SD cards etc.), either directly or through
  encryption software (e.g. EasyLock)
- Transfers on local networks (Network Share)
- Transfers via Internet (E-mail Clients, File Sharing Application, Web
  Browsers, Instant Messaging, Social Media, etc.)
- Transfers to the cloud (iCloud, Google Drive, Dropbox, Microsoft SkyDrive,
  etc.)
- Transfers through Copy & Paste / Cut & Paste
- Print screens
- Printers and others

4.1. Content Aware Protection Activation


Content Aware Protection comes as an optional feature with Endpoint Protector.
The module is displayed but requires a simple activation by pressing the
Enable Feature button and providing contact details for the Main Administrator.

Content Aware Protection comes as the second level of data protection available
in Endpoint Protector. The module is displayed but requires a simple
activation by pressing the Enable button. If not previously provided, the contact
details of the Main Administrator will be required.

Information
Any details provided will only be used to ensure the Live Update Server is
configured correctly and that the Content Aware Protection module was
enabled successfully.

Note
The Content Aware Protection module is separate from Device Control or
eDiscovery modules, and requires separate licensing.

4.2. Dashboard
This section offers a quick overview in the form of graphics and charts related to
the Content Aware Protection module. Information like the latest File Transfers,
blocked File Types, Most Active Policy, Most Blocked Applications, Most Active
Users, latest Content Aware Alerts and Computers and Users without Policies are
also displayed.

4.3. Content Aware Policies


Content Aware Policies are sets of rules for sensitive content detection and they
enforce file transfers management on selected entities (users, computers,
groups, departments). A content aware policy is made up of four elements:

- Policy Type: defines the OS type for which it applies – Windows, Mac OS X
  or Linux
- Policy Action: defines the type of action to be performed – reporting only
  or blocking and reporting of sensitive content transfers
- Exit Points: establishes the transfer destinations to be monitored
- Policy Filter: specifies the content to be detected – it includes file type
  filtering, predefined content filtering, custom content filtering, file
  whitelists, regular expressions and domain whitelists.

Example
A policy can be set up for the Financial Department of the company to block
Excel reports sent via E-mail or to report all transfers of files containing
personally identifiable and financial information (e.g. credit card numbers,
E-mail, phone numbers, social security numbers etc.).

Each company can define its own sensitive content data lists as Custom Content
Dictionaries corresponding to their specific domain of activity, targeted industry
and roles. To ease this task, the Content Aware Protection module comes with a
Predefined Content Dictionary that covers the most used sets of confidential
terms and expressions.

Note
Content Aware Policies also apply to File Whitelist (Device Control > File
Whitelist). This means that all files that were previously whitelisted will be
inspected for sensitive content detection, reported and / or blocked,
according to the defined policy.

Information
Exactly like Device Control policies, the Content Aware Protection policies
continue to be enforced on a computer even after it is disconnected from
the company network.


4.3.1. Creating a Content Aware Protection Policy


The administrator can easily create and manage Content Aware Policies from the
Content Aware Protection > Content Aware Policies section.

A new policy can be created by clicking on the Create your own policy icon. An
existing policy can be edited by double-clicking the upper part of the policy icon.

Information
The option to edit, duplicate or delete a policy is available after selecting
the desired policy.

Tips
One or more Content Aware Policies can be enforced on the same computer,
user, group or department. To avoid any conflicts between the applied
rules, a prioritization of policies is performed through a left-to-right
ordering. The leftmost policy has the highest priority (Priority 1), while the
rightmost policy has the lowest priority. Changing priorities for one or
more policies can be performed by moving the policy to the right or to the
left with a simple click on the left arrow for higher priority or on the right
arrow for lower priority.

When creating a new policy, the Policy Information (e.g. OS Type, Policy Name,
and Policy Description), Policy Blacklists, Policy Whitelists and Policy Entities
(Departments, Groups, and Computers) have to be selected.

The Policy Status can be set to Report only or to Block & Report all transfers of
data that includes sensitive content.

Tips
Initially, we recommend using the Report only action in order to detect but
not block data transfers. This way, no activity will be interrupted and you
can gain a better view of data use across your network.

The Thresholds that can be used are:

- Threshold Type – Global or Regular

  - There are two types of thresholds to choose from: Regular or Global.

Example
Suppose that you have set up a Block & Report policy on the transfer
of Social Security Numbers (SSN) on some types of Internet
browsers. A Regular Threshold setup of four (4) will block all transfers
- on those browsers - which contain four or more individual SSN
numbers, but not 1, 2, 3 x SSN appearances. A set value of four (4)
will permit and only report those transfers.

In contrast to the Regular Threshold which blocks 4 or more threats
of the same type, the Global Threshold blocks 4 or more threats of
different types combined. In another example, two (2) threats, one
being a Social Security Number and the other being a Phone number,
will not be blocked by a policy with a Regular Threshold of 2, only by
one with a Global Threshold. On the other hand, two (2) Social
Security Numbers will be blocked by policies with both types of
thresholds set at two (2).

Tips
The Threshold option applies only to multiple filters, including
Predefined Content, Custom Content and Regular Expressions. As a
general rule, it is recommended that Block & Report policies that use
the Threshold should be placed with higher priority than Report Only
policies.

- Threat Threshold value – Threshold Value

- File Size Threshold – not linked to the Regular and Global Threshold
  mentioned above, the File Size Threshold value defines the size (in MB)
  starting from which the file transfer is either blocked or reported.

To enable the File Size Threshold, a value bigger than 0 must be set.
To disable the File Size Threshold, 0 or no value must be set.

Note
If a File Size Threshold is set, it will be applied to the whole policy,
regardless of what file types or custom contents are checked inside
the policy. The value used in the File Size Threshold must be a
positive, whole number.

Information
Depending on the specific application and OS, some limitations may
apply.
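
The difference between the Regular and Global Threshold described above can be checked with a small model. This is an added example, not code from the manual or from Endpoint Protector; the regular expressions are simplified stand-ins for Predefined Content filters, and the function names and sample strings are constructed for illustration.

```python
import re
from collections import Counter

# Simplified, constructed patterns standing in for Predefined Content
# filters. They are assumptions, not Endpoint Protector's detectors.
DETECTORS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\(\d{3}\) \d{3}-\d{4}"),
    "email": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
}


def count_threats(text, enabled_filters):
    """Count matches per enabled filter type in the inspected content."""
    return Counter({name: len(DETECTORS[name].findall(text))
                    for name in enabled_filters})


def threshold_reached(counts, threshold_type, value):
    """Apply the threshold semantics from the Example above.

    regular: a single threat type must reach the value on its own.
    global:  the matches of all threat types combined must reach it.
    """
    if value < 1:
        raise ValueError("threshold value must be a positive whole number")
    if threshold_type == "regular":
        return any(n >= value for n in counts.values())
    if threshold_type == "global":
        return sum(counts.values()) >= value
    raise ValueError("threshold_type must be 'regular' or 'global'")


def evaluate(text, policy):
    """Return the per-type counts and whether the policy threshold is met."""
    counts = count_threats(text, policy["filters"])
    return {
        "counts": dict(counts),
        "reached": threshold_reached(
            counts, policy["threshold_type"], policy["value"]),
    }


# Constructed sample content (no real identifiers).
ONE_SSN_ONE_PHONE = "SSN 000-00-0001, phone (555) 010-0001"
TWO_SSN = "SSN 000-00-0001 and SSN 000-00-0002"
PATIENT_PROFILE = (
    "Name: Jane Doe\n"
    "SSN: 000-00-0003\n"
    "Phone: (555) 010-0002\n"
    "Fax: (555) 010-0003\n"
    "E-mail: jane.doe@example.com\n"
)

if __name__ == "__main__":
    filters = ["ssn", "phone", "email"]
    samples = [("1 SSN + 1 phone", ONE_SSN_ONE_PHONE, 2),
               ("2 SSN", TWO_SSN, 2),
               ("patient profile", PATIENT_PROFILE, 4)]
    for label, text, value in samples:
        for threshold_type in ("regular", "global"):
            policy = {"filters": filters,
                      "threshold_type": threshold_type,
                      "value": value}
            print(label, threshold_type, value, evaluate(text, policy))
```

Running it shows why a mixed record slips under a Regular Threshold: one SSN plus one phone number reaches a Global Threshold of 2 but not a Regular Threshold of 2.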

The exit points that can be monitored via the Controlled transfers to are:

- Applications

  - Web Browsers (e.g. Internet Explorer, Chrome, Firefox, Safari, etc.)
  - E-mail Clients (e.g. Outlook, Thunderbird, Lotus Notes, etc.)
  - Instant Messaging (e.g. Skype, Pidgin, Google Talk, etc.)
  - File Sharing (e.g. Google Drive Client, iCloud, Dropbox, DC++, etc.)
  - Other (e.g. iTunes, Total Commander, GoToMeeting, etc.)

  Note
  Adobe Flash Player must be checked inside the Web Browser category in
  order to block sites that use Adobe Flash Active X.

  Information
  The complete list of controlled Applications can be found directly in
  the Endpoint Protector User Interface.

- Storage Devices (the list of all controlled types can be viewed at System
  Parameters > Device Types > Content Aware Protection)

  Note
  For Windows, file transfers will be monitored both to and from
  removable media.

- Network Share

  Information
  For Network Share for Macs, Endpoint Protector will report all the
  events for Report Only policies. For Block & Report policies the
  transfer from a Local Share towards the Local Disk, Controlled Storage
  Device Types and Controlled Applications are blocked.

- Thin Clients

- Clipboard (refers to all content captured through Copy & Paste or Cut &
  Paste operations)

- Print Screen (refers to the screen capture options)

- Printers (refers to both local and network shared printers)
The Blacklists that can be used are:

- File Type

  Tips
  Since many files (e.g. Programming Files) are actually .TXT files, we
  recommend more precaution when selecting this file type to avoid any
  undesired effects.

- Predefined Content

  Tips
  The majority of the Predefined Content items are country specific
  (e.g. Australia, Canada, Germany, Korea, United Kingdom, United
  States, etc.). To avoid a large number of logs or potential false
  positives, only enable the Passports that apply to your region or
  sensitive data.

- Custom Content
- File Name
- File Location
- Regular Expressions
- HIPAA

The Whitelists that can be used are:

- MIME Type
- Allowed Files
- File Location
- Network Share
- E-mail Domain
- URL Name

Information
For more details about Blacklists and Whitelists, please see chapter 6 DLP
Blacklists and Whitelists.

Note
The Content Aware Protection Policies continue to report and/or block
sensitive data transfers from protected computers even after they are
disconnected from the company network. Logs will be saved within the
Endpoint Protector Client and will be sent to the Server once connection
has been reestablished.

The final step in creating a policy is selecting the entities that it will apply to. The
entities that can be used are:

- Departments
- Groups
- Computers
- Users

Tips
If a Content Aware Policy was already enforced on a computer, user, group
or department, when clicking on it, the corresponding network entities on
which it was applied will be highlighted.

4.3.2. Predefined policies


A second option is to use the Predefined policy button. This redirects the
administrator to two lists of predefined policies that come with Action set to
“Block and Report” by default, for both Windows and OS X. The administrator
can select by the description a policy of interest and press the “Create Policy”
button for it to be displayed in the list of active policies.

These policies are named as per the information found in the column “Name” and
have different Threshold values defined, as per the information found inside the
column “Threshold”.

4.3.3. Applying multiple Content Aware Policies


Content Aware Protection is a very versatile tool, where granular implementation
of the desired actions regarding report and/or block and report of files can be
performed.

A Content Aware Policy is a set of rules for reporting or blocking & reporting the
selected information. All the other options left unchecked will be considered as
Ignored by Endpoint Protector.

When applying two policies to the same PC, it is possible to block one type of file,
for example PNG files, when they are uploaded through Mozilla Firefox, while
with a second policy to report only PNG files when they are uploaded through
Internet Explorer. In the same way it is possible to report only files that contain
confidential words from a selected dictionary that are sent through Skype, while
with the second policy to block the same files if they are sent through Yahoo
Messenger. Similarly, it is possible to create combinations that block a file type
or a file that contains predefined content/custom content/regular expression for
one application, while letting it through and report it only for another.

The following rules are used in the application of one or more Content Aware
Policies on a computer/user/group/department for each separately selected item
(e.g. a specific file type, predefined information or a custom content dictionary):

Policy A with   Policy B with   Policy C with   Endpoint Protector Action
Priority 1      Priority 2      Priority 3
-------------   -------------   -------------   --------------------------------------------
IGNORED         IGNORED         IGNORED         Information will not be blocked or reported.
IGNORED         IGNORED         REPORTED        Information will be reported.
IGNORED         REPORTED        REPORTED        Information will be reported.
REPORTED        REPORTED        REPORTED        Information will be reported.
IGNORED         IGNORED         BLOCKED         Information will be blocked.
IGNORED         BLOCKED         BLOCKED         Information will be blocked.
BLOCKED         BLOCKED         BLOCKED         Information will be blocked.
IGNORED         REPORTED        BLOCKED         Information will be reported.
IGNORED         BLOCKED         REPORTED        Information will be blocked.
REPORTED        IGNORED         BLOCKED         Information will be reported.
BLOCKED         IGNORED         REPORTED        Information will be blocked.
REPORTED        BLOCKED         IGNORED         Information will be reported.
BLOCKED         REPORTED        IGNORED         Information will be blocked.

Note
The information left unchecked when creating a policy will be considered as
Ignored by Endpoint Protector and not as Allowed.
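
Every row of the table above follows one rule: the highest-priority policy that does not ignore the item decides the outcome. The sketch below is an added example, not code from the manual or the product; the Policy class, its fields and the way a policy "selects" an item and an exit point are assumptions made to model that rule.

```python
IGNORED, REPORTED, BLOCKED = "IGNORED", "REPORTED", "BLOCKED"


class Policy:
    """One Content Aware Policy reduced to what matters for precedence.

    Assumption of this model: an item/exit point pair that is not checked
    in the policy yields IGNORED for that policy (not "allowed").
    """

    def __init__(self, name, action, items, exit_points):
        self.name = name
        self.action = action              # REPORTED (Report only) or BLOCKED
        self.items = set(items)           # e.g. file types, dictionaries
        self.exit_points = set(exit_points)

    def verdict(self, item, exit_point):
        if item in self.items and exit_point in self.exit_points:
            return self.action
        return IGNORED


def first_decisive(verdicts):
    """Return the first verdict, in priority order, that is not IGNORED."""
    for verdict in verdicts:
        if verdict != IGNORED:
            return verdict
    return IGNORED


def resolve(policies, item, exit_point):
    """Resolve one transfer against policies ordered by priority.

    Index 0 is Priority 1 (the leftmost policy in the interface).
    Returns (action, name of the policy that decided) or (IGNORED, None).
    """
    for policy in policies:
        verdict = policy.verdict(item, exit_point)
        if verdict != IGNORED:
            return verdict, policy.name
    return IGNORED, None


# The 13 rows of the manual's table: (Policy A, Policy B, Policy C, outcome).
I, R, B = IGNORED, REPORTED, BLOCKED
MANUAL_TABLE = [
    (I, I, I, I), (I, I, R, R), (I, R, R, R), (R, R, R, R),
    (I, I, B, B), (I, B, B, B), (B, B, B, B), (I, R, B, R),
    (I, B, R, B), (R, I, B, R), (B, I, R, B), (R, B, I, R),
    (B, R, I, B),
]


def table_mismatches():
    """Rows of the manual's table that the first-decisive rule fails on."""
    return [row for row in MANUAL_TABLE if first_decisive(row[:3]) != row[3]]


if __name__ == "__main__":
    print("rows not explained by the rule:", table_mismatches())

    # The PNG scenario from the text above.
    block_ff = Policy("A", BLOCKED, {"png"}, {"Mozilla Firefox"})
    report_ie = Policy("B", REPORTED, {"png"}, {"Internet Explorer"})
    for exit_point in ("Mozilla Firefox", "Internet Explorer"):
        print(exit_point, resolve([block_ff, report_ie], "png", exit_point))

    # A Report only policy placed above an overlapping Block & Report policy
    # wins for the overlap, so the transfer is reported and not blocked.
    report_first = Policy("Report PNG", REPORTED, {"png"}, {"Mozilla Firefox"})
    block_all = Policy("Block PNG", BLOCKED, {"png"},
                       {"Mozilla Firefox", "Internet Explorer"})
    print(resolve([report_first, block_all], "png", "Mozilla Firefox"))
```

The last case is the one to review when ordering policies: a Report only policy with higher priority masks a Block & Report policy for every item and exit point they share.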

4.3.4. HIPAA compliance


Any Content Aware Protection policy automatically becomes a HIPAA policy if any
options from the HIPAA tab are selected. The available options refer to FDA
approved lists and ICD codes.

However, in order for a HIPAA policy to be effective, Predefined Content and
Custom Content filters should also be enabled. These will automatically report or
block the transfer of files containing PII like Health Insurance Numbers, Social
Security Numbers, Addresses and much more.

A recommended HIPAA policy should be considered a Content Aware Policy that,
besides the options in the HIPAA tab, also has the below configuration:

- All the File Types recognized should be included.
- All Personal Identifiable Information should be Country Specific to the
  United States (Address, Phone/Fax and Social Security Numbers)
- Both Internet Protocol Addresses Access should be selected
- The URL and Domain Whitelists options should also be checked

HIPAA policies can be created and used on their own or in combination with
regular policies, for a better control of the data inside the network. These policies
are available for Windows, Mac OS X or Linux computers. They are marked in the
bottom right corner of the policy tab with a distinctive H.

4.3.4.1. Use Case Nr. 1

Suppose that Company X handles patient medical records that come in electronic
formats and which contain generic information such as: Patient Name, Address,
Birthdate, Phone number, Social Security Number and E-Mail address. The
company would like to block the transfer of this data through all the common
Windows desktop applications.

Knowing that the sensitive data comes in the format of a profile per patient, the
administrator can create a HIPAA policy like the one shown below:

This policy is set on Block & Report with a Global Threshold of 4. It scans the
Controlled Storage Device Types (which can be inspected from the System
Parameters > Device Types), the Clipboard and the Network Share as well as the
entire database of applications recognized by Endpoint Protector. This policy will
ONLY block the transfer of those files which contain 4 or more of the PIIs
selected inside the policy. All the files which happen to contain just 1 Address or
2 Phone Numbers or 2 E-mails will be transferred.

4.3.4.2. Use Case Nr. 2

Company Y has a large database of patients’ sensitive information. This
information is stored in individual office files which contain ten (10) or even more
Personally Identifiable Information (PII) items per patient. Other than these files,
the company’s staff regularly uses some files which contain three (3) of the same
PIIs per file. Company Y would like to block the leakage of the files from its
database that contain 10 or more items yet only report the transfer of
the files containing 3 items.

The administrator can set up a policy which will block the transfer of files
containing 10 PIIs by using a Global Threshold of 10, like in the policy shown
below:

Another HIPAA policy can be used to report the transfer of files which contain 3
items of the same kind by using a Regular Threshold set at 3, like the example
shown below:

Information
As mentioned earlier, the Block & Report policy will have the 1st priority
while the Report Only policy will be the 2nd.
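
The two policies of Use Case Nr. 2 can be modelled as follows. This is an added example, not part of the manual and not Endpoint Protector code: the detectors, the per-occurrence counting and the names (Policy, count_pii, evaluate) are assumptions, and the rule that the first non-IGNORED verdict in priority order wins is inferred from the priority table earlier in this chapter. All sample data is constructed.

```python
import re
from dataclasses import dataclass

# Simplified detectors: assumptions for this example, not the product's patterns.
DETECTORS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\(\d{3}\) \d{3}-\d{4}"),
    "email": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
}


@dataclass
class Policy:
    name: str
    action: str             # "BLOCKED" (Block & Report) or "REPORTED" (Report Only)
    threshold: int
    global_threshold: bool  # True: count all PII together; False: count per type

    def verdict(self, counts):
        """Return this policy's action if its threshold is reached, else IGNORED."""
        if self.global_threshold:
            reached = sum(counts.values()) >= self.threshold
        else:
            reached = any(n >= self.threshold for n in counts.values())
        return self.action if reached else "IGNORED"


def count_pii(text):
    """Count matches per PII type (every occurrence counts, an assumption)."""
    return {kind: len(rx.findall(text)) for kind, rx in DETECTORS.items()}


def evaluate(text, policies):
    """Apply policies in priority order; the first non-IGNORED verdict wins."""
    counts = count_pii(text)
    verdicts = [p.verdict(counts) for p in policies]
    final = next((v for v in verdicts if v != "IGNORED"), "IGNORED")
    return counts, verdicts, final


# The two policies of Use Case Nr. 2, highest priority first.
POLICIES = [
    Policy("Block patient files", "BLOCKED", threshold=10, global_threshold=True),
    Policy("Report staff files", "REPORTED", threshold=3, global_threshold=False),
]

# Constructed sample files (all values are fake).
PATIENT_RECORD = (
    "Patient: Jane Roe\n"
    "SSNs on file: 000-00-0001, 000-00-0002, 000-00-0003, 000-00-0004\n"
    "Phones: (555) 010-0001, (555) 010-0002, (555) 010-0003\n"
    "E-mail: jane@example.com, kin@example.com, gp@example.com\n"
)
STAFF_NOTE = "Forward to ann@example.com, bob@example.com and cal@example.com."
MEMO = "Call (555) 010-0009 or (555) 010-0010, or write to desk@example.com."

if __name__ == "__main__":
    samples = [("patient record", PATIENT_RECORD),
               ("staff note", STAFF_NOTE),
               ("memo", MEMO)]
    for label, text in samples:
        counts, verdicts, final = evaluate(text, POLICIES)
        print(f"{label:15} counts={counts} per-policy={verdicts} -> {final}")
```

The memo holds three PII items in total but no more than two of any one kind, so neither threshold is reached and the transfer goes through unreported.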

5. eDiscovery

This module allows the Administrator to create policies that inspect data residing
on protected Windows, Mac and Linux computers. The company’s data
protection strategy can be enforced and risks posed by accidental or intentional
data leaks can be managed. The Administrator can mitigate problems posed by
data at rest by discovering sensitive data, such as:

 Personally Identifiable Information (PII): social security numbers (SSN),
driving license numbers, E-mail addresses, passport numbers, phone
numbers, addresses, dates, etc.

 Financial and credit card information: credit card numbers for Visa,
MasterCard, American Express, JCB, Discover Card, Diners Club, bank
account numbers etc.

 Confidential files: sales and marketing reports, technical documents,
accounting documents, customer databases etc.

5.1. eDiscovery Activation


eDiscovery comes as the third level of data protection available in Endpoint
Protector. The module is displayed but requires a simple activation by
pressing the Enable button. If not previously provided, the contact details of the
Main Administrator will be required.

Information
Any details provided will only be used to ensure the Live Update Server is
configured correctly and that the eDiscovery module was enabled
successfully.

Note
The eDiscovery module is separate from Device Control or Content Aware
Protection modules, and requires separate licensing.

5.2. eDiscovery Policies and Scans


eDiscovery Policies are sets of rules for sensitive content detection for data
stored on protected computers. An eDiscovery Policy is made up of five main
elements:

 OS Type: the OS it applies to (Windows, Mac or Linux)

 Thresholds: the number of acceptable violations

 Policy Blacklists: the content to be detected

 Policy Whitelists: the content that can be ignored

 Entities: the departments, groups or computers it applies to

Information
Once the eDiscovery Policies are created, the desired type of eDiscovery
Scan needs to be selected.

eDiscovery Scans are sets of rules for Policies, defining when the data discovery
is to start. There are several types of scans:

 Clean scan: starts a new discovery (from scratch)

 Incremental scan: continues the discovery (skipping the previously
scanned files)

An eDiscovery Scan can be stopped at any time, and results can also be
automatically cleared. This can be done by using:

 Stop scan: stops the scan (but does not affect the logs)

 Stop scan and clear scan: stops the scan and clears the logs

Note
The Global Stop and Clear button can be used in situations where all the
eDiscovery Scans need to be stopped and all the Logs cleared.

5.2.1. Creating an eDiscovery Policy and Scan


The Administrator can easily create and manage eDiscovery Policies and Scans
from the eDiscovery > Policies and Scans section.

A new policy can be created by clicking on the Create Custom Policy button. An
existing policy can be edited by double-clicking on it.

Information
The options to edit, duplicate or delete a policy are available after selecting
the desired policy.

When creating a new policy, the Policy Information (e.g. OS Type, Policy Name,
and Policy Description), Policy Blacklists, Policy Whitelists and Policy Entities
(Departments, Groups, and Computers) have to be selected.

The Thresholds that can be used are:

 Stop at Threat Threshold

 Threat Threshold value

 File Size Threshold

Information
More details about Thresholds can be found directly in the Endpoint
Protector User Interface.

The Blacklists that can be used are:

 File Type

Tips
Since many files (e.g. Programming Files) are actually .TXT
files, we recommend more precaution when selecting this file
type to avoid any undesired effects.

 Predefined Content

Tips
The majority of the Predefined Content items are country
specific (e.g. Australia, Canada, Germany, Korea, United
Kingdom, United States, etc.). To avoid a large number of
logs or potential false positives, only enable the Passports
that apply to your region or sensitive data.

 Custom Content

 File Name

 Regular Expressions

 HIPAA

The Whitelists that can be used are:

 MIME Type

 Allowed Files

Information
For more details about Blacklists and Whitelists, please see chapter 6 DLP
Blacklists and Whitelists.

After the eDiscovery Policy has been created, Scanning Actions can be assigned.
These include Start clean scan, Start incremental scan, Stop scan and Stop scan
and clear logs.

Note
Exactly like Content Aware Protection Policies, the eDiscovery Policies and
Scans continue to detect sensitive data stored on protected computers
even after they are disconnected from the company network. Logs will be
saved within the Endpoint Protector Client and will be sent to the Server
once connection has been reestablished.

5.3. eDiscovery Scan Result and Actions


After an eDiscovery Scan starts, the found items can be inspected and
remediation actions (e.g. delete on target, encrypt on target, decrypt on target,
etc.) can be taken. All results are displayed in the eDiscovery > Scan Results and
Actions section.

Tips
The Scan Results and Actions section can also be accessed directly from
eDiscovery > Policies and Scans by selecting a computer from the
eDiscovery Scans list and choosing the Inspect found items action. This will
automatically filter the Scan Results list and display the items only for that
specific computer.

5.3.1. Viewing Scan Results and taking Actions


From this section, the Administrator can manage the scan results. A list with all
the computers that were scanned can be viewed and actions such as deleting,
encrypting or decrypting files can be taken.

The Administrator can apply the desired action to each item individually, or can
select multiple items and apply the desired action simultaneously by using the
Choose action button.

6. DLP Blacklists and Whitelists

From this section, the Administrator can create Blacklists and Whitelists that can
be used in both the Content Aware Protection and eDiscovery modules. Once
defined, these Blacklists and Whitelists can be enabled in the desired Policy. The
list of all Blacklists and Whitelists is detailed below.

Note
Some Blacklists and Whitelists are OS related (e.g. E-mail Domain and URL
Name are only available for Windows) or are not available for both
modules.

6.1. File Type Blacklists


The content inspection functionality within Endpoint Protector can identify multiple
file types. Additional file types are continually added, extending the available list
with each Endpoint Protector Update. The Administrator can define what file
types a Content Aware Protection or eDiscovery Policy scans for, but cannot
directly extend the supported file type list. Since this is a predefined list, it only
requires the Administrator to select the desired content from the File Type
Content tab, within a Policy. This process has already been detailed in earlier
paragraphs.

Information
File Type Blacklists are available for both the Content Aware Protection and
eDiscovery modules.

Note
File Type Blacklists refer to the true type of a file. If a user tries to
circumvent the content inspection mechanism by manually changing the
extension of the file, Endpoint Protector will still detect it.

6.2. Predefined Content Blacklists


Predefined Content Blacklists are predefined lists of terms and expressions to be
detected as sensitive content by Endpoint Protector. Since this is a predefined
list, it only requires the Administrator to select the desired content from within a
Policy, from the Predefined Content tab.

Information
Predefined Content Blacklists are available for both the Content Aware
Protection and eDiscovery modules.

Predefined Content Blacklists include:

 Credit Cards

MasterCard, Visa, Amex, Diners, Discover, JCB

 Personal Identifiable Information

IBAN, Date, E-mail, Address, etc.

 Social Security Numbers (SSNs)

 Identifiers (IDs)

 Passports

 Tax IDs

 Driving Licenses

 Health Insurance Numbers


Tips
The majority of the Predefined Content items are country specific (e.g.
Australia, Canada, Germany, Korea, United Kingdom, United States, etc.).
To avoid a large number of logs or potential false positives, only enable the
Passports that apply to your region or sensitive data.

6.3. Custom Content Blacklists


Custom Content Blacklists are custom defined lists of terms and expressions to
be detected as sensitive content by Endpoint Protector. The list of custom
dictionaries is available under DLP Blacklists and Whitelists > Blacklists > Custom
Content tab.

Information
Custom Content Blacklists are available for both the Content Aware
Protection and eDiscovery modules.

The available actions for each dictionary are: Edit, Export and Delete.

A new dictionary can be created by clicking on the Add button. To populate the
content of a newly created dictionary, items of at least three characters can be
entered either manually (typed or pasted) or imported.

Once a new dictionary is created, it will be automatically displayed inside the
Custom Content tab. It will also be available when creating or editing a Content
Aware Protection or eDiscovery Policy.

6.4. File Name Blacklists


File Name Blacklists are custom defined lists of file names detected by Endpoint
Protector. The list of file names is available under DLP Blacklists and Whitelists >
Blacklists > File Name tab.

Information
File Name Blacklists are available for both the Content Aware Protection
and eDiscovery modules.

The available actions for each file name are: Edit, Export and Delete.

A new file name blacklist can be created by clicking the Add button. To populate
the content of a newly created file name blacklist, items of at least two
characters can be entered either manually (typed or pasted) or imported.

The content can be defined in multiple ways. It can be just the file name, file
name and extension or just the extension.

Example
If "example.pdf" filename is used then all files that end in example.pdf will
be blocked (e.g. example.pdf, myexample.pdf, test1example.pdf).

If ".epp" extension is used then all files that have the .epp extension will
be blocked (e.g. test.epp, mail.epp, 123.epp).

Once a new file name blacklist is created, it will automatically be displayed inside
the File Name tab. It will also be available when creating or editing a Content
Aware Protection or eDiscovery Policy.

Note
For Content Aware Protection, the File Name Blacklists work only for Block
& Report type Policies. The Case Sensitive and Whole Words Only features
do not apply.

6.5. File Location Blacklists


File Location Blacklists are custom defined lists of locations identified by Endpoint
Protector. File transfers within this location are automatically blocked, regardless
of the content inspection rules or permissions defined in various Policies. The list
of locations is available under DLP Blacklists and Whitelists > Blacklists > File
Location tab.

Note
In addition to defining the File Location Blacklist, the browser or application
used to transfer files also needs to be selected from within the Content
Aware Protection Policy.

Tips
By default, the File Location Blacklists apply to all files located in the
specific folder but also to any other files located in containing subfolders.
While the “Include subfolders for File Location Blacklists” feature can be
switched OFF, it will affect all other File Location Blacklists and Whitelists
throughout the system.

Information
File Location Blacklists are available only for the Content Aware Protection
module.

The available actions for each file name are: Edit, Export and Delete.

A new file location blacklist can be created by clicking the Add button. To
populate the content of a newly created file location blacklist, items can be
entered manually (typed or pasted). The computers to which it applies also need
to be selected from the list on the right side.

6.6. Regex Blacklists


By definition, Regular Expressions are sequences of characters that form a
search pattern, mainly for use in pattern matching with strings. An Administrator
can create a regular expression in order to find a certain recurrence in the data
that is transferred across the protected network.

Information
Regex Blacklists are available for both the Content Aware Protection and
eDiscovery modules.

The available actions for each file name are: Edit, Export and Delete.

A new regex blacklist can be created by clicking the Add button. Regular
Expressions can be tested for accuracy. Insert into the Enter test content box a
general example of something to which the regex applies, and press the Test
button. If the Regular Expression has no errors inside of it, then the same
content should appear in the Matched content box, as shown below:

Example
To match an E-mail:
[-0-9a-zA-Z.+_]+@[-0-9a-zA-Z.+_]+\.[a-zA-Z]{2,4}

Example
To match an IP:
(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)){3}

Note
If possible, avoid using Regular Expressions, as their complexity typically
increases resource usage. Using a large number of regular
expressions as filtering criteria typically increases CPU usage. Also,
improper regular expressions or improper use can have negative
implications.

This feature is provided “as is” and requires advanced knowledge of the
Regular Expression syntax. No direct support is offered and it is the
responsibility of the customers to learn and implement regular expressions
and to thoroughly test.
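
An offline counterpart of the Test button, applied to the two example patterns above. This is an added example, not part of the manual or of Endpoint Protector: it uses Python's re module (the manual does not say which regex engine the product uses), the sample strings are constructed, and IP_BOUNDED is a variation introduced here that assumes the engine supports \b word boundaries.

```python
import re

# The two patterns from the Examples above, copied unchanged.
EMAIL = r"[-0-9a-zA-Z.+_]+@[-0-9a-zA-Z.+_]+\.[a-zA-Z]{2,4}"
IP = (r"(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)"
      r"(\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)){3}")

# Variation added for this example: the same pattern between word boundaries.
IP_BOUNDED = r"\b" + IP + r"\b"


def matched_content(pattern, content):
    """Return every substring the pattern matches, like the Matched content box."""
    return [m.group(0) for m in re.finditer(pattern, content)]


def check(pattern, must_match, must_not_match):
    """Run a pattern over labelled samples and return the ones it gets wrong.

    A must_match sample passes only if the matched content equals the sample,
    which is the criterion the manual gives for the Test button.
    """
    failures = []
    for sample in must_match:
        hits = matched_content(pattern, sample)
        if hits != [sample]:
            failures.append(("missed or truncated", sample, hits))
    for sample in must_not_match:
        hits = matched_content(pattern, sample)
        if hits:
            failures.append(("false positive", sample, hits))
    return failures


# Constructed samples.
EMAIL_OK = ["jane.roe@example.com", "records@hospital.healthcare"]
EMAIL_BAD = ["jane.roe(at)example.com"]
IP_OK = ["192.168.0.1", "10.0.0.255"]
IP_BAD = ["999.1.1.1",      # first octet out of range
          "7.10.3.2048"]    # a software version, not an address

if __name__ == "__main__":
    for name, pattern, ok, bad in [("EMAIL", EMAIL, EMAIL_OK, EMAIL_BAD),
                                   ("IP", IP, IP_OK, IP_BAD),
                                   ("IP_BOUNDED", IP_BOUNDED, IP_OK, IP_BAD)]:
        failures = check(pattern, ok, bad)
        print(name, "OK" if not failures else failures)
```

The e-mail pattern still fires on the long top-level domain but reports a shortened match, because {2,4} caps the final label at four letters. The unbounded IP pattern finds an address inside both negative samples, which is the kind of false positive that inflates the logs.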

6.7. MIME Type Whitelists


The content inspection functionality within Endpoint Protector identifies multiple
file types. While some files (e.g. Word, Excel, PDFs, etc.) can contain confidential
information (e.g. PIIs, SSNs, Credit Cards, etc.), other files are highly unlikely to
contain such data (e.g. .dll, .exe, .mp3, .avi, etc.).

The purpose of the MIME Type Whitelists is to eliminate the use of resources to
inspect redundant and unnecessary files for content, as well as to reduce false
positives due to information detected in the metadata of files where the risk of
data loss is extremely low.

Example
As songs or video files cannot contain lists of credit card numbers, there is
no need to inspect them using content filters.

Information
MIME Type Whitelists are available for both the Content Aware Protection
and eDiscovery modules and apply to Custom Content, Predefined Content
and Regular Expressions.

Tips
By default, graphic files, media files, some password protected archive
files and some system files are automatically defined within the MIME Type
Whitelists. While this can easily be changed, we recommend only doing so
after gaining a deeper understanding of the type of data transferred, used
or stored by the users in your system and the subsequent increase in logs in
the Endpoint Protector Server.

The list of MIME types is available under DLP Blacklists and Whitelists >
Whitelists > MIME Type tab.

6.8. Allowed Files Whitelists


Allowed Files Whitelists are custom groups of files which the administrator wishes
to exclude from sensitive content detection by Endpoint Protector. The group of
allowed files is available under DLP Blacklists and Whitelists > Whitelists >
Allowed Files tab.

Information
Allowed Files Whitelists are available for both the Content Aware Protection
and eDiscovery modules.

The available actions for each dictionary are: Edit, Export and Delete.

A new allowed file whitelist can be created by clicking on the Add button. To
populate the content of a newly created whitelist, allowed files need to be
uploaded to the Endpoint Protector Server. Once files are uploaded, they can be
used in multiple whitelists.

Once a new whitelist is created, it will be automatically displayed inside the
Allowed File tab. It will also be available when creating or editing a Content
Aware Protection or eDiscovery Policy.

6.9. File Location Whitelists


File Location Whitelists are custom defined lists of locations identified by
Endpoint Protector. File transfers within this location are automatically allowed,
regardless of the content inspection rules or permissions defined in various
Policies. The list of locations is available under DLP Blacklists and Whitelists >
Whitelists > File Location tab.

Note
In addition to defining the File Location Whitelist, the browser or
application used to transfer files also needs to be selected from within the
Content Aware Protection Policy.

Tips
By default, the File Location Whitelists apply to all files located in the
specific folder but also to any other files located in containing subfolders.
While the “Include subfolders for File Location Whitelists” feature can be
switched OFF, it will affect all other File Location Blacklists and Whitelists
throughout the system.

Information
File Location Whitelists are available only for the Content Aware Protection
module.

The available actions for each file name are: Edit, Export and Delete.

A new file location whitelist can be created by clicking the Add button. To
populate the content of a newly created file location whitelist, items can be
entered manually (typed or pasted). The computers to which it applies
also need to be selected from the list on the right side.

6.10. Network Share Whitelists


Network Share Whitelists are custom defined lists of network share addresses
where transfers of confidential information will be allowed by the Endpoint
Protector. The whitelisted network shares are available under DLP Blacklists and
Whitelists > Whitelists > Network Share tab.

Information
Network Share Whitelists are available only for the Content Aware
Protection module.

Note
In order for this feature to work accordingly, the Network Share must be
set to Allow Access and Scan Network Share must be checked inside a
Content Aware Protection Policy.

The available actions for each dictionary are: Edit, Export and Delete.

A new network share file whitelist can be created by clicking on the Add button.
To populate the content of a newly created whitelist, the server name or IP
address can be used to define a network share path.

Note
The network share path should not begin with backslashes (\\).

Example
192.168.0.1\public\users\test; fileserver\documents\example

Once a new whitelist is created, it will be automatically displayed inside the
Network Share tab. It will also be available when creating or editing a Content
Aware Protection Policy.

6.11. E-mail Domain Whitelists


Note
This feature is only available for Microsoft Outlook and Mozilla Thunderbird
(up to v. 38.0) for Windows computers. Outlook requires the related add-on
to be deployed alongside the Endpoint Protector Client.

For more information, please read our FAQ.

E-mail Domain Whitelists are custom defined e-mail addresses to which sending
of confidential information will be allowed by the Endpoint Protector. The list of
file URL names is available under DLP Blacklists and Whitelists > Whitelists >
E-mail Domain tab.

Information
E-mail Domain Whitelists are available only for the Content Aware
Protection module.

The available actions for each file name are: Edit, Export and Delete.

Once a new E-mail domain whitelist is added, it will be automatically displayed
inside the E-mail Domain Whitelists tab. It will also be available when creating or
editing a Content Aware Protection Policy.

6.12. URL Name Whitelists


Note
This feature is only available for Internet Explorer for Windows computers.
It requires the related add-on to be deployed alongside the Endpoint
Protector Client.

URL Name Whitelists are custom defined lists of web addresses where uploading of
confidential information will be allowed by the Endpoint Protector. The list of file
URL names is available under DLP Blacklists and Whitelists > Whitelists > URL
Name tab.

Information
URL Name Whitelists are available only for the Content Aware Protection
module.

The available actions for each file name are: Edit, Export and Delete.

A new URL name whitelist can be created by clicking the Add button. To populate
the content of a newly created URL name whitelist, items of at least two
characters can be entered either manually (typed or pasted) or imported.

Once a new URL name is created, it will be automatically displayed inside the
Custom Content tab. It will also be available when creating or editing a Content
Aware Protection Policy.

Note
The defined URL should only contain the name and the domain and not any
prefixes like www.*, www2.* or en.*.

Example
endpointprotector.com (not www.endpointprotector.com)

Once a new URL name whitelist is added, it will be automatically displayed inside
the URL Name Whitelists tab. It will also be available when creating or editing a
Content Aware Protection Policy.

7. Enforced Encryption

7.1. EasyLock
EasyLock is a cross-platform solution that protects data with
government-approved 256-bit AES CBC-mode encryption. For USB devices, it needs
to be deployed on the root of the device. With the intuitive Drag & Drop interface,
files can be quickly copied to and from the device.

Information
For more details about using EasyLock itself, please reference the
EasyLock User Manual.

Used in combination with Endpoint Protector, EasyLock allows USB storage
devices to be identified as Trusted Devices Level 1. This can ensure that USB
Enforced Encryption is used on protected computers. Accessing data stored on
the device can be done via the password the user configured or via a Master
Password set by the Endpoint Protector administrator. The encrypted data can be
opened by any user only after it is decrypted, therefore requiring the user to
copy the information out of EasyLock.

Note
While Endpoint Protector can detect any EasyLock USB encrypted device as
a Trusted Device Level 1, to use the Enforced Encryption feature, a specific
EasyLock version must be used. This is available for the Endpoint Protector
User Interface.

7.1.1. EasyLock Deployment

Information
EasyLock Enforced Encryption is supported for both Mac and Windows
computers.

Deployment can be done automatically if “Allow Access if Trusted Device Level
1+” is selected for the USB Storage Devices. This can be done by going to Device
Control > Global Rights section or using the quick links provided, as per the
image above.

Manual deployment is also available. Download links for both Windows and the
Mac are available in this section. The downloaded EasyLock file must be copied
onto the USB storage device and executed from the root of the device. Due to
extended security features for manual deployment, EasyLock will have to be
redownloaded from the Endpoint Protector interface each time it will be used to
encrypt a new USB storage device.

Both EasyLock deployments are straightforward and require the user only to
configure a password.

Note
On Macs, USB storage devices with multiple partitions are not supported
by EasyLock and Trusted Devices Level 1.

7.1.2. EasyLock Settings


This section allows the Administrator to remotely manage EasyLock encrypted
devices. Before being able to take advantage of these features, the Administrator
must configure a Master Password.

In the Settings section, the Master Password can be configured, EasyLock File
Tracing can be enabled, and the installation and execution of EasyLock can be
restricted to computers where the Endpoint Protector Client is present.

Endpoint Protector 4 allows tracing of files copied and encrypted on portable
devices using EasyLock. This option can be activated from inside the Settings
window located under the EasyLock Enforced Encryption tab.

By checking the File Tracing option, all data transferred to and from devices
using EasyLock is recorded and logged for later auditing. The logged information
is automatically sent to the Endpoint Protector Server if Endpoint Protector Client
is present on that computer. This action takes place regardless of the File Tracing
option being enabled or not for that specific computer through the Device Control
module.

In case that Endpoint Protector Client is not present, the information is stored
locally in an encrypted format on the device and it will be sent at a later time
from any other computer with Endpoint Protector Client installed.

The additional “Offline File Tracing” option is an extension to the first option,
offering the possibility to store information directly on the device, before being
sent to the Endpoint Protector Server. The list of copied files is sent only the next
time the device is plugged in and only if Endpoint Protector Client is present and
communicates with the Endpoint Protector Server.

Additionally, EasyLock performs File Shadowing for the files that are transferred,
if Endpoint Protector Client is present and the File Shadowing option is enabled
on the computer on which the events occur – through the Device Control
module. This is a real time event and no shadowing information is stored on the
device at any given time.

Note
Enabling global File Tracing will not automatically activate the File Tracing
option on EasyLock Trusted Devices and vice versa.

7.1.3. EasyLock Clients


In the Clients list section, all EasyLock enforced devices are listed. By selecting
the Manage Client Action a list of Actions History is displayed, as well as the
option to manage them by sending a message, changing user’s password,
resetting the device, resending the master password and more.

8. Mobile Device Management

In the past years, mobile devices have invaded business environments.
Personally owned or company owned smartphones and tablets are used on a
daily basis by employees to store and access their company e-mails,
sales reports etc. everywhere they go.

The wide adoption of the BYOD (Bring-Your-Own-Device) model by companies
worldwide led to the use of more personal mobile devices by employees for
storing business information together with private data such as photos and
music. This trend raised new issues for IT administrators, who are now faced
with the challenge of protecting sensitive company data not only inside the
secured company network, but also everywhere it is taken on mobile company
endpoints. At the same time, a separation and close monitoring of company
information from personal data must be imposed.

To face the security challenges posed by the increased mobility in business
environments, Mobile Device Management by Endpoint Protector enables
complete control and detailed monitoring over the use of mobile devices both
inside and outside corporate environments, allowing employees to have secure
access to both corporate and private data wherever they are and on whatever
device they are using without business critical information getting compromised.

Information
Endpoint Protector is a complete Data Loss Prevention and Enterprise
Mobility Management solution. While the DLP related features and
functionality are explained in this user manual, please reference the MDM
User Manual for information related to smartphones and tablets. Additional
information regarding deployment of the Endpoint Protector Server can be
found in the Virtual and Hardware Appliance User Manual.

9. Offline Temporary Password

This section allows the Administrator or the Offline Temporary Access
Administrator to generate a password and grant temporary access to:

 the entire Computer

 a specific Device on a Computer

 the Content Aware Protection feature on a computer

It can be used when there is no network connection between the Computer and
the Endpoint Protector Server.

Note
Once an Offline Temporary Password has been authorized, any other rights
and settings saved afterwards on the Endpoint Protector Server will not
take immediate effect on that Computer. The Offline Temporary Password
time period has to expire and the connection with the Server
re-established.

A password is linked to a time period and is unique for a certain device and
computer. This means the same password cannot be used for a different device
or computer. It can also not be used twice.

The password will give permission to the device, computer or sensitive data
transfer for the specified amount of time. The time intervals which can be
selected are: 30 minutes, 1 hour, 2 hours, 4 hours, 8 hours, 1 day, 2 days, 5
days, 14 days and 30 days.

The Administrator also has the option to add a justification, mentioning the
reason why the password was created. This can later be used for a better
overview or various audit purposes.

9.1. Generating the Offline Temporary Password


Depending on the options selected from the drop-down menus, the Offline
Temporary Password (or OTP) can be generated for the exact device or computer
needed.

When generating an OTP for a Device, the administrator can either enter the
device code communicated by the user or search the Endpoint Protector
database for an existing device, using the wizard.

For additional verification, the administrator can check the authenticity of a given
device code by using the “Refresh Device Codes” option. This will only work if
the device was previously listed in the Device Control > Devices list.

Another way to generate a password is by right clicking on a managed computer
or device (from the Device Control tab) and selecting the “Offline Temporary
Password” action.

Once the OTP code has been generated, it will be displayed as below, and it
needs to be provided to the user that made the request. Endpoint Protector
offers two quick ways of doing this, either by sending a direct email or by
printing it out.

9.2. Using the Offline Temporary Password


In order to select a device and enter a password, the user needs to click on the
Endpoint Protector icon from the system tray.

The user will select the device from the list and contact the administrator at the
displayed contact information. The administrator will generate the OTP based on
the device code (see above paragraph).

Once the code has been generated and is in the user’s possession, the password
is entered in the corresponding field and applied by clicking “Enter”.

For Content Aware Protection or full Computer authorization, the administrator
simply needs to provide the user with the previously generated password.

Note
The Administrator contact information can be edited under System
Configuration > System Settings, in the Main Administrator Contact Details
section.

10. Reports and Analysis

This section is designed to offer the administrator feedback regarding system
functionality, logs and information related to devices, users and computers in the
entire system.

All tabs described below will have a filter option at the beginning of each table.
This will add or remove columns based on the content considered relevant.

10.1. Logs Report


This section allows the administrator to see exactly what actions took place and
at what time. The information provided contains the computer name, user and
device used and also the action taken and the files accessed.

The granular filter available is designed to make finding information quick and
easy.

The administrator has the possibility of exporting either the search results or the
entire log report as a .CSV file, which can later be printed out for detailed
analysis.

As an additional data security measure, this module may be protected by an
additional password set by the Super Administrator.

The additional security password can be set from the System Configuration
module, under the System Security tab and it applies to all the Reports and
Analysis sections.

10.2. File Tracing


This section displays information about traced files that have been transferred
from a protected computer to a portable device or to another computer on the
network, and vice versa. It also displays the original location of the transferred
files, as a Detect Source Copy feature is activated by default.

Similar to the Logs Reports section, you may need to enter an additional
password set by the administrator in order to be able to access the list of files.

A special mention is given here to the “File Hash” column. The Endpoint Protector
application computes an MD5 hash for most of the files to which the File Tracing
feature applies. This way, threats coming from changes to the file content are
mitigated.
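
The added example below (not part of the manual or of Endpoint Protector) shows how the File Hash values can be used to spot files whose content changed between transfers, or the same content moved under another name. It assumes the File Tracing list is available as CSV; the column names and sample rows are constructed. MD5 detects ordinary modification but is not collision resistant, so a matching hash is not proof against a deliberately crafted file.

```python
import csv
import hashlib
import io
from collections import defaultdict

# Constructed sample of a File Tracing list in CSV form. The column names are
# assumptions; adjust them to the header of the real export.
SAMPLE_EXPORT = """\
time,computer,user,file_name,destination,file_hash
2024-03-01 09:12:04,FIN-PC-01,alice,budget.xlsx,USB Storage Device,9e107d9d372bb6826bd81d3542a419d6
2024-03-01 17:40:31,FIN-PC-01,alice,budget.xlsx,USB Storage Device,E4D909C290D0FB1CA068FFADDF22CBD0
2024-03-02 08:05:10,HR-PC-07,bob,notes.txt,USB Storage Device,9e107d9d372bb6826bd81d3542a419d6
2024-03-02 08:06:55,HR-PC-07,bob,readme.txt,Network Share,d41d8cd98f00b204e9800998ecf8427e
2024-03-02 08:09:12,HR-PC-07,bob,archive.zip,USB Storage Device,
"""


def load_rows(text):
    """Parse the CSV text and normalise the hash column to lower case."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["file_hash"] = (row["file_hash"] or "").strip().lower()
    return rows


def changed_content(rows):
    """Same computer and file name, but more than one distinct hash."""
    seen = defaultdict(list)
    for row in rows:
        if not row["file_hash"]:
            continue  # the manual says only "most" files get a hash
        hashes = seen[(row["computer"], row["file_name"])]
        if row["file_hash"] not in hashes:
            hashes.append(row["file_hash"])
    return {key: hashes for key, hashes in seen.items() if len(hashes) > 1}


def same_content_other_name(rows):
    """One hash that appears under several file names (renamed copies)."""
    names = defaultdict(set)
    for row in rows:
        if row["file_hash"]:
            names[row["file_hash"]].add(row["file_name"])
    return {h: sorted(n) for h, n in names.items() if len(n) > 1}


def md5_hex(data: bytes) -> str:
    """MD5 of a byte string, in the hex form used by the File Hash column."""
    return hashlib.md5(data).hexdigest()


def matches_logged_hash(data: bytes, logged_hash: str) -> bool:
    """Check a recovered copy of a file against the hash recorded in the log."""
    return md5_hex(data) == logged_hash.strip().lower()


if __name__ == "__main__":
    rows = load_rows(SAMPLE_EXPORT)
    for (computer, name), hashes in changed_content(rows).items():
        print(f"content changed: {name} on {computer}: {hashes}")
    for digest, names in same_content_other_name(rows).items():
        print(f"same content under several names: {digest}: {names}")
```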

10.3. File Shadowing


This section displays information about shadowed files that have been
transferred from a protected computer to a portable device. The list of files may
be protected by an additional password set by the administrator. In this case,
you will be prompted to insert the additional password when entering this
section.

Additionally, the shadowed files can be saved locally on the Server by the
Endpoint Protector administrator.

10.4. Content Aware Report


This module provides detailed logs of all Content Aware activity. It allows the
administrator to see exactly what data incidents were detected corresponding to
the Content Aware Policies applied and at what time. This information also
contains the computer name, user and transfer destination type, the action taken
and the file inspected. The included granular filter is designed to make finding
information quick and easy.

The administrator has the possibility of exporting both the search results and the
entire log report as a .CSV file, which can later be printed out for detailed
auditing.

As an additional data security measure, this module may be protected by an
additional password set by the Super Administrator. For more details, please see
section 8.1. Logs Report.

10.5. Content Aware File Shadowing


Displays the list of file shadows and files that have been detected by a Content
Aware policy. The list of files may be protected by the additional password set by
the administrator for all the Reports and Analysis sections. In this case, you will
be prompted to insert the additional password when entering this section.

10.6. Admin Actions


Every important action performed by administrators in the interface is recorded.
Clicking the “view details” button will open the “Admin Actions Details” page
where further details about the specific event are shown, with the status of the
modified feature before and after the change took place.

The logs can be exported in a .csv file, while the filter can help find the desired
information quickly and easily.

10.7. Online Computers

Offers real time* monitoring of the client computers registered on the system
which have an established connection with the server.

*depends on the Refresh Interval; if the Refresh Interval for computer X is 1
minute, then computer X was communicating with the server in the last 1
minute.

The administrator has the possibility of accessing the log for a certain computer
by pressing the “View Logs” action button.

Pressing this button will take you to the logs report where it will only display the
actions of that specific computer for which the button was pushed.

10.8. Online Users


Shows a list of users that are connected to the Endpoint Protector Server in real
time.

10.9. Online Devices


Offers information regarding the devices connected to the computers on the
system.

The administrator can see which devices are connected to what computers and
also the client user who is accessing them. The administrator can also use the
action buttons “View Logs” and “Manage Rights” to quickly administer the device.

10.10. Statistics
The Statistics module will allow you to view system activity regarding data traffic
and device connections. The integrated filter makes generating reports easy and
fast. Simply select the field of interest and click the “Apply filter” button.

11. Alerts

Endpoint Protector allows you to set notifications (Alerts) for Sensitive Content
Transfers, Devices, Computers, Groups and Users, making them easier to
monitor. An Alert will trigger an E-MAIL that is sent to the administrator(s)
selected to receive the alerts. You can set up device related activity alerts in
the System Alerts -> Define System Alerts module in Endpoint Protector. The
Define Content Aware Alerts option will allow administrators to set special
alerts for sensitive content detection and transfer blocking.

Before you can create an E-MAIL alert, you must configure the server host and
provide a user name and password to that mail server. You can do that by
accessing “System Settings” in the “System Configuration” module.

You can also verify if your settings are correct by checking the box next to “Send
test E-MAIL to my account”.

You also have to configure the E-MAIL of your current user with which you are
accessing Endpoint Protector; by default, “root”. To do this, go to “System
Configuration” > “System Administrators”.

The actions available here are Edit, Edit Info and Delete.

Select the option “Edit info” for the desired user and complete the required fields.
After you are done, click “Save”.

Now you are set up to receive E-MAIL alerts.



11.1. System Alerts

To create a new system alert, go to “Define System Alerts” and click “Create”.

There are several types of alerts available as shown below:



APNS certificate – APNS certificates expire and have to be renewed on a
regular basis. These alerts eliminate the risk of having to re-enroll all the
mobile devices by sending an e-mail reminder 60, 30 or 10 days prior.

Updates and Support – To ensure the Endpoint Protector Appliance is up to
date, a reminder can be sent regarding each module maintenance status (Device
Control, Content Aware Protection and Mobile Device Management).

Endpoint Licenses – As each network is constantly growing, to eliminate the
risks of having unprotected endpoints, an alert can be generated. It can be
set to trigger when the percentage of already used Endpoint Licenses reaches
70%, 80% or 90%.

Client Uninstall – For a better management of a large network, an alert can be
sent each time an Endpoint Protector Client is uninstalled. This is particularly
helpful when there are several assigned Administrators.

Server Disk Space – To ensure Server Disk Space remains available so that logs
can be stored and policies are properly applied, an alert can be set up when disk
space reaches 70%, 80% or 90%.

Device Control – Logs Amount – An alert can be sent each time the Number
of Device Control Logs Stored reaches a specific amount. The options are to
choose from an interval between 10,000 rows and 10,000,000 rows, or to define a
desired value.

Content Aware – Logs Amount – An alert can be sent each time the Number
of Content Aware Logs Stored reaches a specific amount. The options are to
choose from an interval between 10,000 rows and 10,000,000 rows, or to define a
desired value.

Note!

Both the APNS Certificate and Update and Support system alerts can be disabled
from General Dashboard -> System Status.

11.1.1. System Alerts History


A history of the system alerts is kept in this tab for later auditing. Each event
that triggers a system alert will be saved here. Administrators can search for
data more easily with the implemented filter, and logs that are no longer needed
can be deleted by pressing the “Delete History” button.

11.2. Device Control Alerts

To create a new alert, go to “Define Alerts” and click “Create”.



Then select the Group, User, Computer, Device type or Device - depending on
whether you mean a single device or all devices of a certain type - and the event
that will trigger the notification. The filters shown above are designed to make
finding information quick and easy.

You can also select one or more administrators to receive the same
notification(s). This is useful in case there is more than one administrator for
Endpoint Protector.

Example: if you want to be notified when a certain device is connected to a
certain computer you must set up an alert choosing the specific device and
computer that you wish to be notified of and selecting the “Connected” event
from the events list.

In this case, the “Client” and “Group” fields do not influence the triggering of the
alert so there is no need to fill them out. Setting up a value for the “Group” field
means that the alert will be triggered when the selected event occurs for any
clients or computers in that group.

If you try to delete any items (Users, Groups, Computers etc.) that have been
used in setting up an alert, you will receive a notification, and you will not be
able to delete them.

11.2.1. Device Control Alerts History


A history of the alerts is kept in this tab for later auditing. Each event that
triggers an alert will be saved here. Administrators can search for data more
easily with the implemented filter, and logs that are no longer needed can be
deleted by pressing the “Delete History” button.

11.3. Content Aware Alerts


To create a new Content Aware Alert corresponding to the policies defined in the
Content Aware Protection module, go to Define Content Aware Alerts submenu
option and click “Create”.

Then select the Group, Computer, User that you want to monitor, the Content
Aware Policy to be considered, and the event that will trigger the notification.
The filter is designed to make finding information quick and easy.

Example: if you want to be notified when a file containing credit card information
is attached to an E-MAIL on one of the Financial Department's computers, you
must set up an alert choosing the Financial Department as the monitored entity,
the Content Aware Policy that inspects documents for that type of information
and, finally, selecting the “Content Threat Detected” event from the events list.

Note!

Before creating the alert, you must make sure that the selected Content Aware
Policy is enabled on the chosen Computer, User, Group or Department.

11.3.1. Content Aware Alerts History


A history of the content aware alerts is kept in this tab for later auditing. Each
event that triggers a content aware alert will be saved here. Administrators can
search for data more easily with the implemented filter, and logs that are no
longer needed can be deleted by pressing the “Delete History” button.

11.4. Mobile Device Alerts


To create a new MDM alert go to the “Define MDM Alerts” tab and press the
“Create” button.

Alerts can be created for iOS MDM profile removal, Android application removal,
SIM card changed and carrier changed.

11.4.1. Mobile Device History


A history of the MDM alerts is kept in this tab for later auditing. Each event that
triggers an MDM alert will be saved here. Administrators can search for data
more easily with the implemented filter, and logs that are no longer needed
can be deleted by pressing the “Delete History” button.

12. Directory Services

12.1. Active Directory Import


This module allows you to import Computers, Groups and Users from Active
Directory (where available).

If you have the requirements, simply click Next.



Enter the Active Directory domain controller server name, the domain name and
a username and password in the format as in the examples presented in the
form. First, you can push the “Test Connection” button to test if the connection is
established successfully. If the connection is valid, push the “Next” button. This
operation might take some time, depending on the volume of data that needs to
be imported.

Note!
When having to import a very large number of entities from the Active Directory,
we recommend using the "Domain/Search In" filter from the AD Import page in
order to get only the relevant information displayed for import. Due to browser
limitations, importing the whole AD structure may impede the display of the
import tree if it contains a very large number of entities.

In the next step, simply select what items you would like to import by clicking
the checkbox next to them and finally, select “Import”.

If the import procedure was successful, you will see the message “Import
completed”.

12.2. Active Directory Sync


This module allows you to synchronize the entities in Endpoint Protector with the
entities in Active Directory (Computers, Users, and Groups).

You can either examine existing synchronizations by clicking View Sync List
or, if you have the requirements, simply click “Next” to set up your
synchronization settings.

Enter the Active Directory domain controller server name, the domain name and
a username and password in the format as in the examples presented in the
form.

You can also check if your settings are correct by clicking the “Test Connection”
button.

You should see a message “Connection is valid” on the top of the page.

Click “Next” to continue.

Note!
This operation might take some time, depending on the volume of data that
needs to be synchronized.

In the next step, simply select what items you would like to synchronize by
clicking the checkbox next to them, define a sync interval and select “Sync”.

You will see the message “Sync object added”.



You can set up multiple synchronizations from multiple locations at once. These
can be viewed and canceled in the “View Sync List”.

13. Appliance

13.1. Server Information


This view offers the administrator general information about the Server, the
Fail/Over function, the total Disk Usage and the Uptime.

13.2. Server Maintenance


From this view the administrator can: set up a preferred time zone and NTP
synchronization server, configure the IP and DNS, perform routine operations
such as Reboot and Shutdown, as well as Enable/Disable the SSH access.

13.2.1. Time Zone Settings


This menu allows the administrator to set a preferred time zone and/or sync
the appliance to an NTP source.

Pressing the button will save all the changes, but it will
not trigger the synchronization process!

Pressing the button will trigger the synchronization,
which will occur in the next 5 minutes. The Alerts and Logs will be reported after
the 5 minutes in a format of your choice.

Pressing the button will update the display below.

Note!

The appliances come preset to sync once a week with pool.ntp.org.

13.2.2. Network Settings


Here you can change the network settings for the appliance to communicate
correctly in your network.

Attention!

After you change the IP address, close the Internet browser, then reopen a new
instance of your browser. Afterwards try to access the Endpoint Protector
Administration and Reporting Tool with the NEW IP address!

13.2.3. Reset Appliance to Factory Default


A reset to Factory will erase all settings, policies, certificates and other data on
the Appliance. If you reset to factory default, all settings and the communication
between Appliance and Endpoint Protector Clients will be interrupted.

13.2.4. SSH Server


This option will either enable or disable the access to the Appliance through the
SSH protocol. It is recommended to be set on Enable before requesting Support
access.

13.3. SIEM Integration


Third-party security information and event management (SIEM) tools allow
the logging and analysis of logs generated by network devices and software.
Integration with SIEM technology allows Endpoint Protector to transfer activity
events to a SIEM server for analysis and reporting.

Administrators can access SIEM Integration from the sub-menu at Appliance ->
SIEM Integration.

The available actions are: Add New, Edit and Delete. A new SIEM server can
be added also by clicking on the Add your own icon. An existing server address
can be edited also by double-clicking the upper part of the policy icon.

Note!

The maximum number of SIEM hosts configured at any given time is four (4).

The menu for each SIEM address consists of the following settings and
parameters: Server Name, Server Description, Server IP, Server Port and
Disable MySQL Logging.

Note!

Checking the option to Disable MySQL Logging will set the system to record logs
only on the SIEM target and not inside Endpoint Protector itself. The UDP protocol
is used to transfer the logs from Endpoint Protector to the SIEM solution.

After all the above parameters are set to point to a valid SIEM server, the
administrator must choose from Log Types which events in particular to send to
the SIEM target.

14. System Maintenance

14.1. File Maintenance


This module allows the administrator to retrieve/organize and clean-up files used
by Endpoint Protector Server.

The available options are:

• Temporary Log Files: allows archiving and deleting log files from a
  selected client computer

• Shadow Files: allows archiving and deleting shadowed files from a
  selected client computer

• Log Backup Files: allows archiving and deleting previously backed up
  log files

To archive a previously selected set of files, click the “Save as Zip” button, while
to permanently remove a set of files from the Endpoint Protector Server use the
“Delete” button.

14.2. System Snapshots


The System Snapshots module allows you to save all device control rights and
settings in the system and restore them later, if needed.

After installing the Endpoint Protector 4 Server, we strongly recommend that you
create a System Snapshot before modifying anything. In this case you can revert
back to the original settings if you configure the server incorrectly.

To create a System Snapshot, access the module from System Configuration and
click “Make Snapshot”.

Enter a name for the snapshot, and a description. Select also what you wish to
store in the snapshot, Only Rights, Only Settings, or Both.

Finally, click “Save”.



Your snapshot will appear in the list of System Snapshots.

To restore a previously created snapshot click the “Restore” button next to the
desired snapshot.

Confirm the action by clicking the “Restore” button again in the next window.

14.3. Log Backup


This module allows you to delete old logs from the database and save them in a
.CSV document.

Here you can select the logs you wish to back-up. Simply select an option and
click “Make Backup”.

You should see the message “Backup Completed” in the top-center of your
browser.

You can download and view the logs by selecting the “click here” link.

14.3.1. Backup Scheduler (Automatic Log Backup)


You can also back up your log files automatically by using the Backup Scheduler
option.

Here you can schedule an automatic backup routine by setting two trigger
conditions:

Backup time interval - allows you to select a certain time interval for repeating
the backup operation

Backup size limit - allows you to select a maximum size for the logs to be backed
up

In case that you don't wish to set a specific value for one or both of these
options, please leave the specific field(s) blank. After specifying the logs to be
backed up automatically based on their creation time, please click "Save" in
order for your options to be applied.

You can view the created backups by using the Backup List option.

14.4. Content Aware Log Backup


This module allows you to delete old content aware logs from the database and
save them in a .CSV document.

Here you can select the logs you wish to backup. Simply select an option and
click “Make Backup”.

You should see the message “Backup Completed” in the top-center of your
browser.

You can download and view the logs by selecting the “click here” link.

14.4.1. Automatic Scheduler (Automatic CAP Log Backup)


You can also back up your log files automatically by using the Backup Scheduler
option.

Here you can schedule an automatic backup routine by setting two trigger
conditions:

Backup time interval - allows you to select a certain time interval for repeating
the backup operation

Backup size limit - allows you to select a maximum size for the logs to be backed
up

In case that you don't wish to set a specific value for one or both of these
options, please leave the specific field(s) blank. After specifying the logs to be
backed up automatically based on their creation time, please click "Save" in
order for your options to be applied.

You can view the created backups by using the Backup List option.

14.5. Audit Log Backup


Similar to the Log Backup and Content Aware Log Backup, this section allows old
logs to be saved and exported. The options to select the number of logs to be
exported, period and file size are available, as well as the option to view a
Backup List or set a Backup Scheduler.

Both the Audit Log Backup and Audit Backup Scheduler offer several options like
what type of logs to backup, how old should the included logs be, to keep or
delete them from the server, to include file shadows or not, etc.

However, the main difference comes from the fact that the exported logs come in
an improved visual mode, making things easier to audit or to create reports for
executives.

14.5.1. Audit Log Backup Scheduler


While the Audit Log Backup starts the backup instantly, the Audit Log Backup
Scheduler provides the option to set the procedure for a specific time and the
frequency of the backup (every day, every week, every month, every year, etc.).

14.6. External Storage


The External Storage option allows the administrator to save the Log Backup files
and Shadowed files generated by Endpoint Protector to a particular storage disk
on the network. The two media supported are FTP and Samba / Network
shares.

14.6.1. FTP Server


The configuration parameters which enable the backup of these files on an
existing FTP share are shown below:

Enable FTP Storage: This button must be checked for the external storage
process to run

Keep Copy on the EPP Server: This option enables the administrator to choose
whether the logs should be mirrored on both the external storage and on the
application.

Server Address: A regular IP address, e.g. 192.168.0.10

Remote Directory: The directory path on the FTP share where the logs will be
stored. Trailing directory separators are needed, e.g. /DLP/logbackup/

Server Port: By default, the FTP application port is 21.

Note!
The parameter values must be saved before the “Test Connection” option is
checked.

Inside the path provided for the storage of backups, Endpoint Protector will
create a number of files as seen below.

• Logbackup – inside it all the backups will be stored, both for Device
  Control and Content Aware Protection

• Shadows – it is the folder in which the shadowed files will be stored, both
  for Device Control and Content Aware Protection

• Sysbackup – inside it all the created system backups can be stored

• eppftptest.txt – it is created to test the connection between the FTP share
  and the appliance.

14.6.2. Samba / Network Share


The configuration parameters which enable the backup of these files on an
existing Samba / Network Share are shown below:

Enable Network Share Storage: This button must be checked for the external
storage option to run

Keep Copy on the EPP Server: This option enables the administrator to choose
whether the files should be mirrored on both the external storage and on the
application.

Network Share Path: A path to the shared directory, e.g. //192.168.0.10/epp

Remote Directory: The directory path on the Network Share where the files will
be stored. Trailing directory separators are needed, e.g. /epp/tmp/logs

Note!
The parameter values must be saved before the “Test Connection” option is
checked.

In the same way as presented for FTP storage, inside the path provided for the
storage of backups, Endpoint Protector will create those folders meant for
different storage of logs, shadows or system backups and the file
eppnstest.txt.

System Backup

14.6.3. From the Web Interface


This module allows the administrator to make complete system backups.

From the menu at System Maintenance -> System Backup one can view in a
list the current existing backups. The administrative actions available are:
Restore, Download and Delete.

To restore the system to an earlier state, simply click the Restore button
next to the desired backup. Confirm the action by clicking the button again in the
next window.

The Download button will prompt the administrator to save the .eppb backup file
on the local drive. It is recommended to keep a good record of where these files
are saved.

Note!

We recommend asking for Support assistance at
support@endpointprotector.com when using the Restore Backup feature.

Note!
Once deleted, a backup cannot be recovered.

The sub-menus available from System Maintenance -> System Backup are:
Make Backup, Status, Upload and Backup Scheduler.

The first option, Make Backup, opens the following menu:

The administrator is presented here with two options:

• To save the Database content. This option will make the backup file
  contain all the devices, rights, logs, settings and policies present on the
  EPP server at the making of the backup.

• To save the Application sources. This option will make the backup
  contain files such as the EPP clients and others related to the proper
  functioning of the server.

Note!

The System Backup will not contain nor preserve the IP Address, File Shadowing
copies or the Temporary Logs Files.

The second menu, Status, returns the state of the system. If a backup creation
is in progress, it will be reported as seen below.

If the system is idle, the button will return the last known status, which by
default is set at 100% done.

The next menu, Upload, allows the administrator to populate the backup list
with .eppb files from the local filesystem. This functionality is useful in cases of
server migration or crash recovery. The view is as seen below:

Note!
Endpoint Protector Backup Files (.eppb) that are larger than 200 MB can only be
uploaded from the console of the appliance. We recommend that you contact
Support when a created .eppb file exceeds this 200 MB limit.

The final menu is the Backup Scheduler.

From this view the administrator can schedule an automatic backup routine by
setting a trigger condition, the System Backup time interval. The routine can
be set to run daily, weekly, monthly and so forth.

The Scheduler will also prompt the administrator with the Last Automatic
System Backup reminder.

Note!

A scheduled routine is recommended in order to prevent unwanted loss.

14.6.4. From the Console


Endpoint Protector offers the option to revert the system to a previous state from
the administrative console on which the initial configuration occurs.

The #2 menu presents the administrator with the following options:

1. System Restore – can be performed if a system backup has been
   performed prior to the event, using the web interface
2. Import – can be performed if a .eppb file has been downloaded and
   saved on an FTP server
3. Export – can be performed in order to save existing backups on an
   existing FTP server

To either import or export the .eppb files, an administrator will need to provide
the system a valid FTP IP address and the path inside its filesystem to the .eppb
file.

An example is shown below:



15. System Configuration

This module also contains advanced settings, which influence the functionality
and stability of the system.

15.1. Client Software


In this section, the administrator can download and install the Endpoint Protector
Client corresponding to the operating system in use. Please note that the Server
and Client communicate through port 443.

Note!
The Windows 32-bit and 64-bit client installers both offer the option to download
the package with or without a Microsoft Outlook add-on. This option fixes any
incompatibility that may arise between Microsoft Outlook and Endpoint Protector.

15.2. Client Software Upgrade


This section allows selecting and performing an automatic update of the installed
Endpoint Protector Client version. Starting with Windows Client Version 4.2.3.0, a
PC restart is mandatory when the Client Software Upgrade is performed from the
Web UI.

The button under the Actions column allows setting the default Endpoint
Protector Client version that will be available for download under the Client
Software section.

Note!

Downgrading from a currently installed Endpoint Protector Client version to an
older one cannot be performed automatically.

15.3. Client Uninstall


The EPP Clients installed on the computers can be remotely uninstalled from this
tab. The computers will receive the uninstall command at the same time they
receive the next set of commands from the server. If the computer is offline, it
will receive the uninstall command the first time it comes online. When the
uninstall button is pressed, the computer(s) will be greyed out until the action
is performed. The uninstall command can be cancelled if it has not already been
executed.

Note!
The uninstall command works for Windows client version 4.2.8.1 or newer.

15.4. System Administrators


This section allows the creation of new administrators. Once administrators are
created, a list containing all the administrators will be displayed. Options to
edit details and settings or delete unwanted administrators are also available.
One of the most important distinctions is that administrators can be either
regular administrators, which have some limitations, or super administrators,
which have full access to the system, including advanced features.

While creating an Administrator, several Administrator Details and
Administrator Settings can be configured, among them whether e-mail alerts
are received, the managed departments, IP login restrictions and the Default UI
Language. All of these settings can be changed at a later time.

15.5. System Departments


This module allows creating System Departments. The available options are Edit
and Delete.

The main reason for using this feature is to support large installations where one
Super Administrator cannot handle the Endpoint Protector Server configuration
and maintenance. Furthermore, a Regular Administrator should only be
responsible for his own entities.

A new department can be defined by using the “Create” button.

Although the term Department is simple, if we compare Endpoint Protector with
Active Directory (or any other Directory Service software), the equivalent of this
term is Organizational Unit. Of course, an Organizational Unit is not identical to
a Department, and Endpoint Protector leaves it to the Super Administrator to
virtually link one or more Organizational Units to an Endpoint Protector
Department. For more details, please see paragraph “10.1. AD Deployment”.

Several aspects regarding departments are detailed below:

1. Each main entity must belong to a department, except in the scenario where
the super administrator deletes the Default Department. At computer
registration, the Department Code is provided. If a department having the given
code is found, then the computer will register and it will belong to that
department. All the main entities information received from a computer in
department X will also belong to department X.

Example: Computer Test-PC is registered to department “developers”. In this
case, user Test logged on that computer will be assigned to the same
department together with the devices connected on the computer Test-PC.

Note!
In case that, at registration, no department code is provided or a wrong
department code is provided, the department code is considered invalid and that
computer will be assigned to the default department (defdep).

2. Super Administrators (for example, root) will still have access to all the main
entities regardless of their departments and will be able to change departments.
When logged on as Super Administrator, the text “Show all departments” will be
displayed on the top right part of the main content layout of the Web interface.

3. As only the Super Administrator has the possibility to create regular users, he
is also responsible for assigning regular administrators to handle one or more
departments. A Regular Administrator will see and manage in the Web interface
only the main entities belonging to the assigned departments.

4. From a security standpoint:

A Regular Administrator should only see his department’s entities and nothing
more.

A Regular Administrator should only control his department’s entities and nothing
more.

IMPORTANT!

If you do not want to have any department-based organization within the
Endpoint Protector deployment, please make sure that you always assign the
default Department to all newly created Regular Administrators within the
Endpoint Protector Web Interface.
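
The registration and visibility rules above can be checked against a small model. This is an added example, not Endpoint Protector code: the class and function names are hypothetical, the computers and administrators are constructed sample data, and only the default department code defdep comes from this manual.

```python
"""Added illustration of the department rules in section 15.5 (not product code)."""
from dataclasses import dataclass, field
from typing import List, Optional, Set

DEFAULT_DEPARTMENT = "defdep"  # default department code named in the manual


@dataclass
class Entity:
    kind: str                   # "computer", "user" or "device"
    name: str
    department: Optional[str]   # None only if the Default Department was deleted
    fallback: bool = False      # True when the supplied code was missing or wrong


@dataclass
class Admin:
    name: str
    is_super: bool = False
    departments: Set[str] = field(default_factory=set)


class DepartmentModel:
    """Hypothetical in-memory model; every name here is an assumption."""

    def __init__(self, codes):
        self.codes = set(codes) | {DEFAULT_DEPARTMENT}
        self.entities: List[Entity] = []

    def delete_department(self, code: str) -> None:
        self.codes.discard(code)

    def register_computer(self, name: str, code: Optional[str] = None) -> Entity:
        if code in self.codes:
            computer = Entity("computer", name, code)
        else:
            # Missing or wrong code is treated as invalid: the default department
            # is used, or no department at all if the default one was deleted.
            target = DEFAULT_DEPARTMENT if DEFAULT_DEPARTMENT in self.codes else None
            computer = Entity("computer", name, target, fallback=True)
        self.entities.append(computer)
        return computer

    def report(self, computer: Entity, kind: str, name: str) -> Entity:
        """Users and devices seen on a computer inherit that computer's department."""
        entity = Entity(kind, name, computer.department)
        self.entities.append(entity)
        return entity

    def visible_to(self, admin: Admin) -> List[str]:
        """Super administrators see everything; regular ones only their departments."""
        return [e.name for e in self.entities
                if admin.is_super or e.department in admin.departments]

    def fallback_computers(self) -> List[str]:
        """Computers whose department code was rejected at registration."""
        return [e.name for e in self.entities
                if e.kind == "computer" and e.fallback]


def build_sample() -> DepartmentModel:
    """Constructed sample data; Test-PC and "developers" follow the manual's example."""
    model = DepartmentModel(["developers", "finance"])
    test_pc = model.register_computer("Test-PC", "developers")
    model.report(test_pc, "user", "Test")
    model.report(test_pc, "device", "usb-stick-1")
    model.register_computer("FIN-01", "finance")
    model.register_computer("LAPTOP-7", "develpers")  # mistyped department code
    model.register_computer("KIOSK-2")                 # no department code supplied
    return model


if __name__ == "__main__":
    sample = build_sample()
    print(sample.visible_to(Admin("dev-admin", departments={"developers"})))
    print(sample.fallback_computers())
```

A mistyped code does not fail registration; the computer lands in the default department, so reviewing that department after a rollout shows which clients ended up outside their intended administrator's view.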

15.6. System Security / Client Uninstall Protection


The Client Uninstall Protection feature protects the Endpoint Protector Client from
being uninstalled by using a password-based mechanism. The Administrator of
the system defines this password from within the Reporting and Administration
Tool of Endpoint Protector 4. When somebody tries to uninstall the Endpoint
Protector Client, they will be prompted for the password. If they do not know the
password, the Client removal cannot continue.

This password can be set by accessing “System Configuration” – “System
Security”, entering a password in the “Password” field and clicking on “Save”.

The second option, “Data Security Privileges”, allows you to restrict Sensitive
Data sections access only to Super Administrators. If this option is selected, then
only super administrators are able to view the “Reports and Analysis” section. If
this option is not selected, then super administrators and also administrators are
able to view the “Reports and Analysis” section.

15.7. System Security


This module enables the administrator to set a number of security policies such
as: set a client uninstall password, restrict the access to sensitive information to
super administrators and set a password protection on that sensitive data.

15.8. System Settings

15.8.1. Rights Functionality


In the System Settings section, you can modify Endpoint Protector 4 Server
Rights functionalities by giving priority to either User Rights or Computer Rights.

Scroll down to the Setting up policies chapter of this document for more
information on the subject.

15.8.3. Active Directory Authentication


This section allows an AD group of administrators to be imported into Endpoint
Protector as Super Administrators. If the Enable Active Directory Authentication
option is checked, these administrators can use their AD credentials to log in to
Endpoint Protector.

The settings needed are the same as for the Directory Services section and
additional information can be found in the related paragraph.

The only additional information that has to be defined is the Active Directory
Administrators Group. Only users that are part of this AD group will be synced
and imported as Super Administrators for Endpoint Protector. Any additional
users needed can be created manually from the System Administrators section.

15.8.4. Proxy Settings


Endpoint Protector offers configuration options for a proxy, as seen below:

The necessary configuration details are:

• IP – the Proxy Server IP

• Username/Password – Proxy access credentials (not mandatory)

Note!

If these details are not filled in, Endpoint Protector will connect directly to
liveupdate.endpointprotector.com. Data sent to this server is not security
sensitive, being limited only to your version/language.

15.9. System Licensing


This section allows the administrator to manage the licensing of Endpoint
Protector and offers a complete overview of the current licenses status.

The Endpoint Protector licensing system comprises three types of licenses:
Endpoint licenses for Mobile and Fixed endpoints, Feature licenses and Updates &
Support licenses.

Endpoint licenses are used for registering the Endpoint Protector Client,
enabling the communication with the Endpoint Protector Server. They are
available as either 30 days Trial licenses or perpetual (permanent) licenses. Once
registered with a valid Endpoint license, the Endpoint Protector Client remains
active for an unlimited period of time regardless of the status of the other license
types.

Feature licenses are used for activating one of the three Endpoint Protector
modules: Device Control, Content Aware Protection and Mobile Device
Management. Each of these modules can be used in Trial Mode for a period of up
to 30 days. After that, a perpetual (permanent) license must be purchased
and imported for the feature to remain active. Although the Device Control
module appears by default as active in the Web Administration Interface, a
license is required to enable the communication between Server and Client. The
Content Aware Protection and Mobile Device Management features are displayed
as blocked by default and require an additional Activation request to be
performed by the administrator. The Features Status section offers an overview
of the current features licensing status.

Updates & Support licenses are optional licenses that once purchased and
imported into the system allow access to the latest Updates available for both
Client and Server side and enable premium Support and Technical Assistance.
The Updates and Support licenses can be purchased for a period varying from 1
month up to 36 months, with a separate option for 120 months. As opposed to
Endpoint and Feature licenses, Updates & Support licenses are not permanent
and they require periodic renewal to keep access to our Live Update
Server.

Note!

When first activating one or more features, an Updates & Support license for a
period of minimum 1 year is required. After the Updates & Support license
expires, the feature remains active and purchasing additional Updates & Support
licenses becomes optional.

For example, if you wish to license Endpoint Protector for 100 workstations and
use the Content Aware Protection module for 1 year, you will require:

• 100 Endpoint licenses

• 1 Content Aware Protection license, which includes an Updates & Support
license for Device Control and Content Aware Protection valid for 1 year.
After the validity period expires, the feature remains active, while any
updates and support services are not available anymore.

If you also wish to manage a fleet of 10 devices for 6 months, you will
additionally require:

• 10 Mobile Endpoint licenses

• 1 Mobile Device Management license, which includes an Updates &
Support license for Mobile Device Management for 6 months

Note!
As opposed to Device Control and Content Aware Protection, a valid Updates &
Support license for Mobile Device Management is required for the feature to
remain active as the Mobile Device Management service requires a working
connection to our Cloud.

All license types can be purchased directly by using the “Buy Licenses” option.

A separate free licensing option, called Appetizer Mode, is available for small
networks of up to 5 computers and / or 5 iOS and Android devices. Appetizer
licenses enable access to each of the three Endpoint Protector modules for a
period of 1 year.

15.9.1. Appetizer Mode


The Appetizer Mode can be activated by pushing the “Start Appetizer” button,
which will automatically assign 1 year Device Control and Content Aware
Protection licenses for up to 5 computers. Additionally, it will enable a 1 year
subscription for Mobile Device Management by Endpoint Protector for up to 5 iOS
and Android smartphones and tablets.

The Appetizer license is a limited license valid for 1 year with automatic renewal,
which also includes 1 year of updates with automatic renewal. The following
limitations apply:

• No Support Included!

• Device Control: no limitations

• Content Aware Protection: The options for E-mail, Web Browsers and
Cloud Services/File Sharing, Clipboard Monitor and Print Screen Monitor
are disabled. Mac OS X compatibility is also disabled.

• Mobile Device Management: mobile device tracking is disabled.

Note!
License terms may change without prior notice.

Several requirements must be met for using Appetizer Licenses:

• Licensee has to be a small business or registered professional (e.g. a
company such as a Ltd. or a registered professional such as a law firm or
architectural association).

• Valid company e-mail address

• Online activation of virtual appliance after setup in your network

• Online self-enrollment of MDM services (e.g. for Apple Push Notification
Certificate)

15.9.2. Trial Mode


The trial period can be activated by pushing the “Start Free Trial” button, which
will automatically assign 30 days trial licenses for up to 50 computers.

The trial licenses are assigned on a “first-in-first-served” basis. If one
or more computers with assigned trial licenses are inactive for a certain interval
of time, the administrator can manually release those licenses, which will
automatically be reassigned to other online computers.

15.9.3. Import Licenses


The Import Licenses option gives you the possibility to browse for an Excel file
that contains licenses. After you have selected the file, click Upload.

Attention!
The Excel document has to be formatted in a specific way. Only the first column
in the Excel sheet is taken into consideration and the first line in the Excel sheet
is ignored.

Licenses can also be imported by using the “Paste Licenses” option, which allows
you to manually copy and paste licenses into the system. This option is
recommended for online purchases, when licenses are delivered directly to your
e-mail.

The List Licenses button displays the list of imported license keys, including the
computers to which they were assigned and the validity period.

16. System Parameters

This module of Endpoint Protector is designed for super administrators. The
advanced settings available here determine the functionality of the entire
system. Introducing wrong or new values can limit the functionality and
performance of the entire system.

16.1. Device Types


Here is a list of all device types currently supported through Device Control by
Endpoint Protector, along with a short description for all of the items.

Here is a list of all device types currently supported through the Content Aware
Protection option for Controlled Storage Device Types, along with a short
description for all of the items.

16.2. Rights
This list contains the access rights which can be assigned on the system for
devices at any time.

16.2.1. Trusted Devices


Protecting Data in Transit is essential to ensure no third party has access to data
in case a device is lost or stolen. The Enforced Encryption solution gives
administrators the possibility to protect confidential data on portable devices in
case of loss or theft.

Ensuring only encrypted devices can be used on computers where Endpoint
Protector is present can be done by utilizing Trusted Devices. Trusted Devices
must receive authorization from the Endpoint Protector Server, otherwise they
will be unusable. There are four levels of security for Trusted Devices:

• Level 1 - Minimum security for office and personal use with a focus on
software based encryption for data security. Any USB Flash Drive and
most other portable storage devices can be turned into a Trusted Device
Level 1. It does not require any specific hardware but it does need an
encryption solution such as EasyLock
http://www.endpointprotector.com/en/index.php/products/easylock

• Level 2 - Medium security level with biometric data protection or
advanced software based data encryption. It requires special hardware
that includes security software and has been tested for Trusted Device
Level 2.

• Level 3 - High security level with strong hardware based encryption that
is mandatory for regulatory compliance such as SOX, HIPAA, GLBA, PIPEDA,
Basel II, DPA, or PCI 95/46/EC. It requires special hardware that includes
advanced security software and hardware based encryption that has been
tested for Trusted Device Level 3.

• Level 4 - Maximum security for military and government use. Level 4
Trusted Devices include strong hardware based encryption for data
protection and are independently certified (e.g. FIPS 140). These devices
have successfully undergone rigorous testing for software and hardware. It
requires special hardware that is available primarily through security
focused resellers.

• Level 1+ - Derived from Level 1, it will ensure that EasyLock 2 with
Master Password will be automatically deployed on USB storage devices
plugged into computers where the Endpoint Protector Client is present.

The table below provides a list of TrustedDevices:

Device Names                                                                    TrustedDevices Level

UT169, UT176                                                                    2
Trek ThumbDrive                                                                 2
AT1177                                                                          2
Verbatim: V-Secure, Secure Data USB Drive                                       3
Kanguru: Defender Elite, Elite 30, Elite 200, Defender Elite 2000, Flashtrust   3
IronKey Secure Drive                                                            3
Buffalo Secure Lock                                                             3
Stealth MXP Bio                                                                 4
SafeStick BE                                                                    4

16.3. Events
This list contains the events which will be logged for further reference.

Note!
Changing this list without CoSoSys’ acknowledgement can limit system
functionality and performance; however, such customizations/implementations
can be performed by request by one of our specialists as part of our Professional
Services offered to customers.

16.4. File Types


This list contains common file type extensions and a description for each of them
making them easier to recognize when creating audits.

17. Setting up Policies

Most companies like to limit their employees’ access to data, especially if it is
confidential. Through Endpoint Protector you can enforce your security policies
and keep confidential data out of the hands of curious employees. You can
start setting your policies in the Rights section of Endpoint Protector. There are
four sections here that need to be mentioned: Device Rights, Computer Rights,
Group Rights and Global Rights. You can find descriptions of these items in the
previous paragraphs. Before configuring computers and devices, there are certain
aspects of Endpoint Protector you should be aware of.

Computer Rights, Group Rights and Global Rights form a single unit and they
inherit each other's settings, meaning that changes to any one of these modules
affect the other ones. There are three levels of hierarchy: Global Rights, Group
Rights and Computer Rights, the latter being the deciding factor in rights
management.

The Device Rights module takes precedence over all settings from Computer
Rights, Group Rights and Global Rights. If you give permission to a device to be
available to clients, it will be usable under any circumstances.

[Diagram: rights hierarchy, with the labels DEVICE RIGHTS, GLOBAL RIGHTS, GROUP RIGHTS, COMPUTER RIGHTS and CLIENT COMPUTER]

For example, assign Allow for device X in Global Rights. If the same device does
not have permission to be used in Computer Rights, the device will not be
usable. The same applies vice versa: if the device lacks permission to be used in
Global Rights, and has permission under Computer Rights, the device will be
usable to the client. The same applies for Global Rights and Group Rights: if
under Global Rights the device does not have permission to be used, and under
Group Rights permission exists, the device will be available to the client.

[Table: for DEVICE 1 to DEVICE 6, the ALLOWED / NOT ALLOWED setting under GLOBAL RIGHTS, GROUP RIGHTS and COMPUTER RIGHTS, and the resulting state on the CLIENT COMPUTER]
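
The precedence described in this chapter can be expressed as a small resolver, which also makes it easy to list every device that is usable on a client although Global Rights deny it. This is an added example, not Endpoint Protector code: the names are hypothetical, the sample devices are constructed, and treating an unset level as "inherit from the level above" is an assumption.

```python
"""Added illustration of the rights precedence in chapter 17 (not product code)."""
from typing import Dict, List, NamedTuple, Optional

ALLOWED = "ALLOWED"
NOT_ALLOWED = "NOT ALLOWED"


class Policy(NamedTuple):
    """Settings that apply to one device on one client computer.

    Assumption: None means nothing is set at that level, so the level above applies.
    """
    global_right: str
    group_right: Optional[str] = None
    computer_right: Optional[str] = None
    device_right: Optional[str] = None


class Decision(NamedTuple):
    right: str        # ALLOWED or NOT_ALLOWED
    decided_by: str   # the level whose setting was used


def effective_right(policy: Policy) -> Decision:
    """Most specific setting wins: Device > Computer > Group > Global."""
    if policy.global_right not in (ALLOWED, NOT_ALLOWED):
        raise ValueError("Global Rights must be ALLOWED or NOT ALLOWED")
    levels = (
        ("Device Rights", policy.device_right),
        ("Computer Rights", policy.computer_right),
        ("Group Rights", policy.group_right),
    )
    for level, value in levels:
        if value is None:
            continue
        if value not in (ALLOWED, NOT_ALLOWED):
            raise ValueError(f"unknown right {value!r} in {level}")
        return Decision(value, level)
    return Decision(policy.global_right, "Global Rights")


def allow_overrides(policies: Dict[str, Policy]) -> List[str]:
    """Devices usable on the client although Global Rights say NOT ALLOWED."""
    return sorted(
        name for name, p in policies.items()
        if p.global_right == NOT_ALLOWED and effective_right(p).right == ALLOWED
    )


# Constructed sample: the first three entries mirror the cases in the text above.
SAMPLE: Dict[str, Policy] = {
    "device-A": Policy(ALLOWED, computer_right=NOT_ALLOWED),
    "device-B": Policy(NOT_ALLOWED, computer_right=ALLOWED),
    "device-C": Policy(NOT_ALLOWED, group_right=ALLOWED),
    "device-D": Policy(NOT_ALLOWED, group_right=NOT_ALLOWED,
                       computer_right=NOT_ALLOWED, device_right=ALLOWED),
    "device-E": Policy(ALLOWED),
}

if __name__ == "__main__":
    for name, policy in SAMPLE.items():
        decision = effective_right(policy)
        print(f"{name}: {decision.right} (decided by {decision.decided_by})")
    print("Allowed despite a global deny:", allow_overrides(SAMPLE))
```

The override list is the part worth reviewing regularly: each entry is an exception at group, computer or device level that cancels a restrictive global policy.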

18. Modes for Users, Computers and Groups

Endpoint Protector features several functionality modes for users, computers and
groups. These modes are accessible for each item (users, computers, groups)
from the System Policies module of Endpoint Protector using the “Edit” button.

You can change these at any given time.

There are six modes from which you can choose:

• Normal Mode (default setting of Endpoint Protector)

• Transparent Mode

• Stealth Mode

• Panic Mode

• Hidden Icon Mode

• Silent Mode

18.1. Transparent Mode


This mode is used if you want to block all devices but you don’t want the user to
see and know anything about EPP activity.

• no system tray icon is displayed

• no system tray notifications are shown

• everything is blocked regardless of whether it is authorized or not

• Administrator receives alerts (dashboard also shows alerts) for all
activities

18.2. Stealth Mode


Similar to Transparent mode, Stealth mode allows the administrator to monitor
all user and computer activities and actions, but with all devices allowed.

• no system tray icon is displayed

• no system tray notifications are shown

• everything is allowed (nothing is blocked regardless of what activity)

• file shadowing and file tracing are enabled to see and monitor all user
activity

• Administrator receives alerts (dashboard also shows alerts) for all
activities

18.3. Panic Mode


Under special circumstances, Panic Mode can be set manually by the
administrator in order to block all access to devices.

• system tray icon is displayed

• notifications are displayed

• everything is blocked regardless of whether it is authorized or not

• Administrator receives alerts (dashboard also shows alerts) when PCs are
going in and out of Panic mode

18.4. Hidden Icon Mode


The Hidden Icon Mode is similar to the Normal mode, the difference being that
the Agent is not visible to the user.

• no system tray icon is displayed

• no system tray notifications are shown

• all set rights and settings are applied

18.5. Silent Mode


The Silent Mode is similar to the Normal mode, the difference being that
notifications do not pop up to the user.

• system tray icon is displayed

• no system tray notifications are shown

• all set rights and settings are applied

18.6. Adding System Administrator(s)


You can add an unlimited number of system administrators, depending on the
size and manageability of your network.

While fewer administrators are recommended for easier data loss prevention, it is
easier to manage a large network with more.

To add an administrator or Super Administrator in Endpoint Protector, you must
log in as a super administrator and access the “System Configuration” module,
then the “Administrators” panel.

Here you can see a list of current Administrators and Super Administrators.

To add another Administrator or Super Administrator, click the “Create” button.

Enter the desired user name and password for the new account, then set whether
the account is active and whether it is a super admin.

Is active – if this option is not enabled the selected user cannot log in to the
Endpoint Protector console. Use this option if you want to give temporary
admin or super admin privileges to a certain user and then remove them, or if
you want to disable an administrator but do not want to delete his credentials
from the server.

Is Super Admin – Super Administrators have more rights than administrators.
Super Administrators can create, delete and modify administrator and super
administrator settings, while standard administrators do not have this right. The
most important difference is that only super administrators are able to view the
"Reports and Analysis" section if the option "Data Security Privileges" is selected.

18.7. Working with Logs and Reports


Endpoint Protector creates a device activity log in which it records actions from
all clients and devices connected along with all administrative actions such as
device authorizations, giving a history for devices, PCs and users for future
audits and detailed analysis.

Logs Report - The most powerful and detailed representation of activity
recording can be achieved using this module. This allows the administrator to see
exactly which device and computer a user used in a specific time interval, and
whether the shadowing for that user/device is enabled or not. There is a special
filter designed to make it easier to find this information.

Online Users – Online users are end users who have logged on to a client
computer.

Online Computers – Online Computers are client computers which have been
set up to communicate with the Endpoint Protector server by installing the
Endpoint Protector Client. Here you can see a list of computers which are
currently powered on and you can view the actions they have taken.

Online Devices – Connected Devices are devices which are currently plugged-in
to one of the (online) client computers. Here again you have the possibility to
view an activity log, this time, of the device.

Statistics – The statistics module can generate reports on registered computers,
devices and users based on traffic, connections or overall activity. You can set a
period for this report (last week, month or year).

19. Endpoint Protector Client

The Endpoint Protector Client is the application which, once installed on the
client computers (PCs), communicates with the Endpoint Protector Server and
blocks or allows devices to function, as well as sends out notifications in case of
unauthorized access.

19.1. Endpoint Protector Client Installation


To install the Endpoint Protector Client on your client computers, you can
download it directly from the Endpoint Protector Server Web interface, under the
System Configuration -> Client Software tab.

Note!
You need to “Save” the Endpoint Protector Client first on a location and then
install it from there. Do not run it directly from the browser!

Before downloading the Endpoint Protector Client, please make sure that you
specify the IP of your Endpoint Protector Server and the unique code of the
Department in which you want to include it. In case that no unique code is
entered, the client will be assigned to the Default Department.

Active Directory can be used for Endpoint Protector Client deployment as well.
This feature can be used by accessing the Endpoint Protector Directory
Services menu. The manual containing the instructions for importing and
synchronizing Active Directory with Endpoint Protector can be accessed from the
Support Menu, at AD Deployment Guide.

Note!
For Linux clients, please consult the readmeLinux.txt file available under the
“Read this before installing” link for exact installation instructions corresponding
to the previously selected Linux distribution!

19.2. Endpoint Protector Client Security


The Endpoint Protector Client has a built-in security system which makes
stopping the service nearly impossible.

This mechanism has been implemented to prevent the circumvention of security
measures enforced by the network administrator.

19.3. Client Notifications (Notifier)


The Endpoint Protector Client, depending on the mode it is currently running in,
will display a notification from the taskbar icon when an unauthorized device is
connected to the PC. Not only does it log any attempts to forcefully access the
system, it can also trigger the Panic mode.

In case of a Mac, the notification will look like below:

19.4. Client Policy Update


The Client has a built-in feature to ensure the latest policies are received. The
“Update Policies Now” option is available by right clicking on the Endpoint
Protector system tray icon, as shown below:

19.5. Offline Functionality for Endpoint Protector Client

Depending on the global settings the Endpoint Protector Client will store a local
file tracing history and a local file shadow history that will be submitted and
synchronized with the Endpoint Protector Server upon next connection to the
network.

19.6. DHCP / Manual IP address


Endpoint Protector Client automatically recognizes changes in the network’s
configuration and updates settings accordingly, meaning that you can keep your
laptop protected at the office (DHCP) and at home (Manual IP address) too
without having to reinstall the client or change any settings.

19.7. Client Removal

19.7.1. Client Removal on Windows OS


The Endpoint Protector Client cannot be uninstalled without specifying the
password set by the administrator(s) in the Reporting and Administration Tool.

There is also the option to remotely uninstall clients from the

19.7.2. Client removal on MAC OS X


To remove the Endpoint Protector Client you need to run (double click in Finder)
the "remove-epp.command" file that was attached to the "Endpoint Protector"
client package that you downloaded.

You will be prompted to enter the root password to perform administrative tasks.

19.7.3. Client removal on Linux OS


To remove the Endpoint Protector Client you need to run from the
console/terminal the "uninstall.sh" file that was attached to the "Endpoint
Protector" client package that you downloaded.

Note!
For exact uninstall instructions corresponding to your Linux distribution, please
consult the readme file available in the System Configuration – Client Installation
window by clicking the “Read this before installing” link!

20. Installing Browser Root Certificates

20.1. For Microsoft Internet Explorer


Open the Endpoint Protector Administration and Reporting Tool IP address (your
Appliance static IP Address, for example https://192.168.0.201).

If there is no certificate in your browser, you will be prompted with a Certificate
Error page like the screenshot below.

Continue your navigation by clicking “Continue to this website (not
recommended)”.

Now, go to the Certificate file you downloaded from the Appliance Setup
Wizard->Appliance Server Certificate-> and install the Certificate.

Click the Certificate Error button just next to the IE address bar as shown.

By clicking the “Certificate Error” button, a pop-up window appears. Just click the
“View certificates” in that pop-up window.

Another pop-up Certificate window will appear with three tabs namely “General”,
“Details” and “Certification Path”.

Select the “General” tab and then click “Install Certificate...” button or go to
Tools->Internet Options-> Content->Certificates.

From the Certificates list, select “Trusted Root Certification Authorities” and click
on the “Import” button.

A Welcome to the Certificate Import Wizard pops up. Just click the Next button.

Browse for the Certificate file you downloaded from the Appliance Setup Wizard
->Appliance Server Certificate.

In the Certificate Store window, select “Place all certificates in the following
store” radio button.

Another “Completing the Certificate Import Wizard” pops up. Just click the
“Finish” button.

A Security Warning window pops up. Just click “Yes”.

You have now successfully installed the Certificate.



Close the Internet Explorer browser and try accessing the Endpoint Protector
Administration and Reporting Tool IP address again.

20.2. For Mozilla Firefox


Open the Browser.

Open the Endpoint Protector Administration and Reporting Tool IP address (your
Appliance static IP address, for example https://192.168.0.201).

From the above screenshot, “This Connection is Untrusted”, choose “I Understand
the Risks”. Click “Add Exception”.

A Security Warning window pops up.

Just click the “Get Certificate” button and then the “Confirm Security Exception” button.

Close and restart the browser.
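
Before placing the appliance certificate in “Trusted Root Certification Authorities” (20.1) or confirming a Firefox exception (20.2), it is worth confirming that the certificate the server presents is the same one you downloaded from the Appliance Setup Wizard. The Python sketch below is an added example, not part of the Endpoint Protector product or this manual; the function names and the sample bytes are constructed for illustration, and port 443 is an assumption.

```python
import base64
import hashlib
import hmac
import re
import ssl

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def to_der(data: bytes) -> bytes:
    """Return DER bytes for a certificate supplied as PEM or DER."""
    match = PEM_RE.search(data)
    if match:
        return base64.b64decode(b"".join(match.group(1).split()), validate=True)
    if data[:1] != b"\x30":  # a DER certificate starts with an ASN.1 SEQUENCE
        raise ValueError("input is neither a PEM nor a DER certificate")
    return data

def fingerprint(data: bytes) -> str:
    """SHA-256 fingerprint (hex) of the DER encoding."""
    return hashlib.sha256(to_der(data)).hexdigest()

def same_certificate(served: bytes, downloaded: bytes) -> bool:
    """True only if both inputs are byte-for-byte the same certificate."""
    return hmac.compare_digest(fingerprint(served), fingerprint(downloaded))

def fetch_served_certificate(host: str, port: int = 443) -> bytes:
    """Fetch the certificate the server presents, without validating it
    (it is not trusted yet). Port 443 is an assumption."""
    return ssl.get_server_certificate((host, port)).encode("ascii")

# Constructed sample bytes (not a real certificate) so the example runs offline.
SAMPLE_DER = b"\x30\x82\x00\x20" + bytes(range(32))
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")
TAMPERED_DER = SAMPLE_DER[:-1] + b"\xff"

if __name__ == "__main__":
    # In real use: served = fetch_served_certificate("192.168.0.201")
    #              downloaded = open("<downloaded certificate file>", "rb").read()
    for label, served in (("matching", SAMPLE_PEM), ("different", TAMPERED_DER)):
        ok = same_certificate(served, SAMPLE_DER)
        print(label, fingerprint(served)[:16], "install" if ok else "DO NOT install")
```

If the fingerprints differ, the browser is not talking to the appliance that issued the downloaded file, and the certificate should not be imported or excepted.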



21. Terms and Definitions

Here you can find a list of terms and definitions that are encountered throughout
the user manual.

21.1. Server Related


Appliance – Appliance refers to the Endpoint Protector Appliance which is running
the Endpoint Protector Server, Operating System, Databases, etc.

Computers – refers to PCs, workstations, thin clients, notebooks which have
Endpoint Protector Client installed.

File Tracing – this feature will track all data that was copied to and from previously
authorized portable storage devices.

File Shadowing – this feature saves a copy of all, even deleted files that were
used in connection with controlled devices on a network storage server.

Devices – refers to a list of known portable storage devices, ranging from USB
storage devices to digital cameras, LTP storage devices and biometric devices.

Groups – can be groups of devices, users or computers. Grouping any of these
items will significantly help the server administrators to easily manage rights and
settings for them.

Departments – an alternative way to Groups to organize main entities (devices,
users or computers), which involves also the administrators of Endpoint
Protector.

21.2. Client Related


Endpoint – can be a Personal Computer, a Workstation you use at the office or a
Notebook. An endpoint can call and be called. It generates and terminates the
information stream.

Trusted Devices – portable storage devices that carry a seal of approval from the
Endpoint Protector Server and can be utilized according to their level (1-4). For
more information please see “Enforced Encryption with Trusted Devices” section.

Client - refers to the client user who is logged in on a computer and who
facilitates the transaction of data.

Rights – applies to computers, devices, groups, users and global rights; it stands
for privileges that any of these items may or may not possess.

Online computers – refers to PCs, Workstations and/or Notebooks which have
Endpoint Protector Client installed and are currently running and are connected
to the Endpoint Protector server.

Connected devices – are devices which are connected to online computers.

Events – are a list of actions that hold major significance in Endpoint Protector.
There are currently 17 events that are monitored by Endpoint Protector:

• Connected – the action of connecting a device to a computer running
Endpoint Protector Client.

• Disconnected – the action of (safely) removing a device from a computer
running Endpoint Protector Client.

• Enabled – refers to devices; the action of allowing a device access on the
specified computer(s), group(s) or under the specified user(s).

• Disabled – refers to devices; the action of removing all rights from the
device, making it inaccessible and therefore unusable.

• File read – a file located on a portable device was opened by a user or the
file was automatically opened if the portable device was autorun by the
operating system.

• File copy – a file was copied onto or from a portable device.

• File write – a file located on a portable device was opened and edited;
changes were saved to the file.

• File renamed – a file located on a portable device has been renamed.



• File delete – a file located on a portable device has been deleted.

• Device TD – means that a device is registered as a Trusted Device and has
access to files accordingly.

• Device not TD – means that a device is not trusted and does not have
automatic access to files.

• Delete – refers to computers, users, groups, alerts and devices; the action
of removing any of these items from the list.

• Enable read-only – refers to devices; the action of allowing access to
devices but disabling the ability to write on them. User(s) can copy files
from device(s) but cannot write anything onto the device.

• Enable if TD Level 1-4 – refers to Trusted Devices; grants the device
access if the device is a level one, two, three or four Trusted Device.

• Offline Temporary Password used – refers to computers; the action of
temporarily allowing access to a specific device on a certain client
computer.

22. Support

Additional support resources are available. Please visit our website for more
manuals, FAQs, videos and tutorials, direct e-mail support and more at
www.endpointprotector.com

Our Support department can also be contacted directly from the Endpoint
Protector User Interface from the Support > Contact Support section. One of our
team members will contact you in the shortest time possible.

Even if you do not have a problem but miss some feature or just want to leave
us a general comment, we would love to hear from you.

23. Disclaimer

Endpoint Protector Appliance does not communicate outside of your network
except with liveupdate.endpointprotector.com and cloud.endpointprotector.com.

Endpoint Protector does not contain malware software and does not send at any
time any of your private information (if Automatic Live Update Reporting is
DISABLED).

Each Endpoint Protector Server has the default SSH Protocol (22) open for
Support Interventions and there is one (1) System Account enabled (epproot)
protected with a password. The SSH Service can be disabled at customers’
request.

Security safeguards, by their nature, are capable of circumvention. CoSoSys
cannot, and does not, guarantee that data or devices will not be accessed by
unauthorized persons, and CoSoSys disclaims any warranties to that effect to the
fullest extent permitted by law.

© 2004 – 2017 CoSoSys Ltd.; Endpoint Protector, My Endpoint Protector, Endpoint
Protector Basic and EasyLock are trademarks of CoSoSys Ltd. All rights reserved.
Windows is a registered trademark of Microsoft Corporation. Macintosh, Mac OS X are
trademarks of Apple Corporation. All other names and trademarks are property of their
respective owners.
