Overview
This article describes Incydr's preventative control capabilities and how to configure them. Preventative controls enable you to restrict users from performing specific actions, including uploading and pasting content in a web browser, mounting removable media, and sharing files via cloud services.
Before you begin
- Deploy the Incydr browser extension. Web-based preventative controls (such as blocking browser uploads and pasting to browsers) require the Incydr browser extension to be deployed to user devices. For deployment instructions, see Deploy the Incydr browser extension.
- Review your trusted activity settings. Preventative controls block file movement to destinations not included on your list of trusted activity. As a result, if your trusted activity settings are not configured correctly, users may be blocked from completing normal tasks on approved corporate destinations.
Preventative control scope
Preventative controls can be scoped to a watchlist or to all users.
- Watchlist: Use watchlist-specific controls to apply restrictions to higher-risk groups. For example, block users on the Departing employee watchlist from sending files to untrusted locations.
- All users: Use global controls to apply restrictions to all users in your environment. For example, block removable media for everyone.
Global preventative controls
To configure preventative controls for all users in your environment:
- Sign in to the Incydr console.
- Select User Activity > Preventative Controls.
- Click the options menu to update a control:
  - Select Edit to turn the control On or Off, to select whether the activity is blocked or temporarily allowed, and to edit excluded users.
  - Select Reset to remove your settings and turn the control Off.
  - For Block browsers and apps, click Add to specify which browsers and apps to block.
For more details about each control, see the Preventative control details section below.
Excluded users
Exclusions enable flexible and granular configuration options for preventative control enforcement. Exclusions can be defined for any combination of directory groups, departments, and individual users. For example, to prevent everyone in your company from using removable media except a group of QA users whose work involves legitimate use of removable media, you can enable the global Block removable media mounting preventative control, and then exclude the QA group.
To manage exclusions:
- Click the options menu next to a control.
- Select Edit.
- Select Edit excluded users.
- Click Add for a directory group, department, or individual user.
- From the drop down menu, select the item to add. Optionally, begin typing to filter the list of available options.
- To add more exclusions, click the plus icon to select an additional group, department, or user. Repeat as necessary.
- Click Save.
Watchlist-specific preventative controls
To configure preventative controls for users on a watchlist:
- Sign in to the Incydr console.
- Select User Activity > Watchlists.
- Select a watchlist.
- In the Watchlist settings section, go to Preventative controls and click the edit icon or Add (if no preventative controls are enabled yet).
- Choose to toggle On or Off each preventative control. Settings apply to all users on the selected watchlist. See the Preventative control details section below for more details about each control.
- Click Save.
If a user is a member of more than one watchlist, the preventative controls are additive. That is, the combined set of enabled controls across all of the user's watchlists is applied to the user.
If a user is a member of multiple watchlists with different settings for the same control, the more restrictive control is applied. For example, if one watchlist temporarily allows uploads and another blocks uploads, the user is blocked from uploading.
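The exclusion rule from the Excluded users section and the watchlist merge rules above (additive, most restrictive wins, Global message when more than one watchlist enables the same control) expressed as a small resolver. This is an added example with a constructed data layout and sample users; it is not the Incydr API or console logic.

```python
"""Effective preventative-control resolution for one user, following the rules
this article states: global controls apply unless the user, a directory group or
the department is excluded; watchlist controls are additive; the more
restrictive setting wins (Block over Temporarily allow); and a user on more than
one watchlist with the same control sees the Global message. Added example."""
from dataclasses import dataclass, field

OFF, TEMP_ALLOW, BLOCK = 0, 1, 2                      # ordered by restrictiveness
NAME = {TEMP_ALLOW: "Temporarily allow", BLOCK: "Block"}

@dataclass
class Watchlist:
    name: str
    members: set
    controls: dict                                    # control -> OFF/TEMP_ALLOW/BLOCK
    messages: dict = field(default_factory=dict)      # control -> watchlist message

@dataclass
class GlobalControl:
    setting: int = OFF
    excluded: set = field(default_factory=set)        # users, groups, departments
    message: str = "This destination is not approved."  # Global message

def resolve(user, groups, dept, global_controls, watchlists):
    """Return {control: (setting name, end-user message)} in force for user."""
    level, sources = {}, {}
    identities = {user, dept, *groups}               # exclusions match any of these (assumption)
    for ctrl, gc in global_controls.items():
        if gc.setting != OFF and not identities & gc.excluded:
            level[ctrl] = gc.setting                  # global control, user not excluded
    for wl in (w for w in watchlists if user in w.members):
        for ctrl, setting in wl.controls.items():
            if setting != OFF:
                level[ctrl] = max(level.get(ctrl, OFF), setting)  # additive, strictest wins
                sources.setdefault(ctrl, []).append(wl)
    result = {}
    for ctrl, lv in level.items():
        wls = sources.get(ctrl, [])
        custom = wls[0].messages.get(ctrl) if len(wls) == 1 else None  # one watchlist only
        result[ctrl] = (NAME[lv], custom or global_controls.get(ctrl, GlobalControl()).message)
    return result

# Constructed sample configuration (not from the article).
GLOBAL = {"Block removable media mounting": GlobalControl(BLOCK, excluded={"QA"})}
WATCHLISTS = [
    Watchlist("Departing employees", {"alice", "bob"},
              {"Block untrusted browser uploads": BLOCK},
              {"Block untrusted browser uploads": "Departing staff may not upload here."}),
    Watchlist("New hires", {"alice"}, {"Block untrusted browser uploads": TEMP_ALLOW}),
]
```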
Preventative control details
The detailed descriptions below apply to both watchlist and global controls. The only difference between watchlist and global controls is the scope of affected users.
Block untrusted browser uploads
Requires the Incydr browser extension. Supported on Windows, macOS, and Linux.
Restricts uploads to domains and URL paths not on your trusted activity list. When set to On, choose either:
- Block untrusted uploads: Blocks the upload and informs the user this destination is not approved.
- Temporarily allow untrusted uploads: Blocks the initial upload and prompts the user to confirm they trust this location.
  - The user has the option to cancel or temporarily allow uploads to the destination.
  - If the user allows the upload, they must provide a reason and then upload the file again, as the initial upload was blocked.
  - File events are not created for the initial blocked upload. File events are only created if the user uploads the file again after providing a reason for allowing the destination.
Block untrusted pasting to the browser
Requires the Incydr browser extension. Supported on Windows, macOS, and Linux.
Restricts pasting from the clipboard to domains and URL paths not on your trusted activity list. When set to On, choose either:
- Block untrusted pasting: Blocks the paste attempt and informs the user this destination is not approved.
- Temporarily allow untrusted pasting: Blocks the initial paste and prompts the user to confirm they trust this location.
  - The user has the option to cancel or temporarily allow pasting to the destination.
  - If the user allows the paste, they must provide a reason and then paste again, as the initial paste was blocked.
  - File events are not created for the initial blocked paste. File events are only created if the user pastes again after providing a reason for allowing the destination.
The following activity is always allowed, even if Block pasting to the browser is enabled:
- Pasting to destinations on your list of trusted activity
- Pasting into username and password fields
- Copying and pasting within the same browser tab
Other paste considerations:
- In the file event details for a paste action, the source is only available when content is copied and pasted within the same browser.
- Paste activity is only monitored in web browsers. Since the endpoint is generally a trusted device/location, paste activity in desktop applications is not monitored or restricted.
Block browsers and apps
Supported on Windows, macOS, and Linux.
Prevent users from launching web browsers and other applications. Click Edit browsers and apps to customize settings.
Browsers
Recommended when upload or paste controls are enabled.
Prevent users from launching common web browsers not supported by the Incydr extension. Enable this setting to select which web browsers to block or allow. Blocking a browser applies to all public, beta, and development builds.
This setting only supports blocking and does not generate events in Forensic Search. Temporarily allowing unsupported browsers is not an option.
Custom apps
Prevent a customized list of applications from launching on user endpoints.
- Enter multiple app names on separate lines
- For Windows, enter the process name, including the extension. For example: discord.exe
- For macOS, enter the bundle folder name. For example: Discord
- For Linux, enter the process name.
Carefully consider the impact to users before blocking any applications, and make sure you enter the correct process name. Entering the wrong process name could unintentionally block a critical application required for normal endpoint functionality.
Block private browsing
Recommended when upload or paste controls are enabled. Supported on Windows, macOS, and Linux.
Prevent users from bypassing these preventative controls by opening a private/incognito window or browsing with "Guest mode" in Google Chrome and Microsoft Edge.
This setting only supports blocking and does not generate events in Forensic Search. Temporarily allowing private browsing is not an option.
Changes to the Block private browsing setting require a restart to take effect. If restarting the browser manually is not possible, Google Workspace and Microsoft Intune provide tools for administrators to remotely restart the browser.
If changes still do not apply after restarting the Chrome or Edge browser, it may be because the browser's Background Mode policy is enabled. This policy keeps browser processes running even after all browser windows are closed. In this case, you must restart the device itself for changes to the Block private browsing setting to take effect.
Block removable media mounting
Supported on Windows and macOS.
Prevent removable media volumes (USB Mass Storage) from being mounted on the user’s endpoint.
To review blocked activity, go to Forensic Search and filter for the Event action value of Blocked removable media from mounting.
This setting only supports blocking. Temporarily allowing removable media is not an option.
Block cloud sharing
Requires an active cloud storage data connection in a Monitoring status. Supported on any device with a cloud connection.
Blocks sharing directly with users outside your organization and blocks making files accessible to anyone with the link.
This setting only supports blocking. Temporarily allowing cloud sharing is not an option.
For Incydr to block sharing, your Google Cloud admin must follow these steps to update group sharing settings.
Other Google Drive considerations:
- Incydr automatically creates a Google group called Incydr Prevention Controls (Managed by Code42) when you authorize your Google Drive data connection, but you must manually update the group's settings to fully enable the Block cloud sharing preventative control.
- Google Drive sharing controls are managed via Google Groups. When you add or remove a user from an Incydr watchlist with the Block cloud sharing preventative control enabled, they are automatically added or removed from the Incydr Prevention Controls (Managed by Code42) Google Group, which updates their sharing settings within Google Drive accordingly.
Advanced settings
The Advanced settings menu options apply to all watchlists with preventative controls enabled. These options include:
- End user messaging: Provides the option to customize the text in the notification dialogs users see when they are blocked from uploading, pasting, using unsupported browsers, and using removable media.
  - Each preventative control includes both a Global message and an optional watchlist-specific message.
  - Select the Global tab to edit the default message for all watchlists. The Global message applies to all watchlists without a custom message.
  - Select the watchlist name tab to edit the message for only this watchlist. This enables you to provide context-specific guidance to users on different watchlists. For example, when users try to upload files to an untrusted destination, departing employees can receive a different message than new hires.
  - Users on more than one watchlist with the same preventative control enabled see the Global message, not the watchlist-specific message.
- Temporarily allow upload expiration: Set how long uploads are allowed when a user elects to "temporarily allow" a destination.
  - The default is 15 minutes. The minimum is 5 minutes and the maximum is 365 days.
  - During the allowed period, there are no restrictions on users uploading to the destination. Once the allowed period ends, users are prompted to temporarily allow again the next time they attempt to upload or paste to the destination.
Review activity with preventative controls applied
There are two primary ways to review file activity with preventative controls applied: Forensic Search and the Preventative controls report.
Forensic Search
- From the Incydr console, select Forensic Search > Search.
- Select a date range and any other relevant search criteria, such as Username, Risk severity, Source or Destination details, etc.
- Select one or more of the following filters and search values:

Filter: Event > Event action
Values for blocked events:
- Blocked browser or app read
- Blocked paste from clipboard to browser
- Blocked removable media from mounting
Values for temporarily allowed events (used together with the Preventative control filter):
- Pasted from clipboard to browser
- Browser or app read

Filter: Response controls > Preventative control
Values:
- Allowed as trusted activity
- Temporarily allowed by user
- Blocked

Filter: Response controls > User justification
Values:
- For personal use
- To collaborate with external customers or vendors
- To complete tasks for my job
- Other
Note: When specifying the search parameter "other", the user-provided justification reason is displayed in the event details drawer or when exporting the results as a CSV.
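A triage pass over a Forensic Search CSV export filtered on the Preventative control values listed above: blocked events stayed on the endpoint, while Temporarily allowed by user events did leave and are surfaced with the justification (the free-text reason when the justification is Other). This is an added example; the column names and the rows are constructed to resemble an export and are not the actual Incydr CSV schema.

```python
"""Summarise a Forensic Search export by Preventative control outcome and
list the temporarily allowed events with their user justification, per the
filter values this article describes. Added example: column headers and rows
are constructed, not the real Incydr export format."""
import csv
import io
from collections import Counter

# Constructed sample export (column names are assumptions, not Incydr's schema).
SAMPLE_CSV = """\
Username,Event action,Preventative control,User justification,Justification reason
alice@example.com,Blocked paste from clipboard to browser,Blocked,,
bob@example.com,Pasted from clipboard to browser,Temporarily allowed by user,To complete tasks for my job,
carol@example.com,Browser or app read,Temporarily allowed by user,Other,Sharing a draft with a contractor
dave@example.com,Blocked removable media from mounting,Blocked,,
erin@example.com,Browser or app read,Allowed as trusted activity,,
"""

def triage(csv_text):
    """Return (counts per Preventative control value, temporarily allowed rows)."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    counts = Counter(r["Preventative control"] for r in rows)
    allowed = []
    for r in rows:
        if r["Preventative control"] != "Temporarily allowed by user":
            continue  # Blocked events never left the endpoint; trusted activity is expected
        reason = r["User justification"]
        if reason == "Other":
            reason = "Other: " + r["Justification reason"]  # free text entered by the user
        allowed.append((r["Username"], r["Event action"], reason))
    return counts, allowed
```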
Preventative controls report
The Preventative controls report displays in-depth details about all preventative activity, with options to search and filter activity by date ranges, specific users, and event actions.
To access the Preventative controls report:
- From the Incydr console, select User Activity > Watchlists.
- Select a watchlist with preventative controls enabled.
- In the Watchlist settings section, click Preventative Report.
Alert on activity with preventative controls applied
Events where the user temporarily allowed data movement to untrusted destinations represent exfiltration. As a result, this activity is included in alerts if it matches your defined rule criteria.
Events where the user was blocked from moving data to untrusted destinations do not represent exfiltration. By default, these events are not included in alerts. To add blocked activity to your alerts:
- Go to Alerts > Manage Rules.
- To create a new rule, click Create rule, then select a rule type and the initial criteria.
- For an existing rule, locate the rule and click View.
- In the Rule settings, enable Preventative controls.
To identify activity that was blocked from being exfiltrated, blocked events are labeled with the note "This activity was blocked and the data did not leave the endpoint."