User Manual Version 3.0.5.

User Manual
I | Endpoint Protector | User Manual

Table of Contents

1. Introduction ........................................... 1
1.1. What is Endpoint Protector? ............................................... 2
1.2. Main Features ................................................................... 4
1.2.1. Centralized web based Device Management / Dashboard ..... 4
1.2.2. Control your data flow: File Tracing / File Shadowing ........... 4
1.2.3. Audit Trail – Device Activity Logging .................................. 5
1.2.4. Audit Trail – Reporting and Analysis Tools .......................... 5
1.2.5. File Whitelist................................................................... 5
1.2.6. Easy Enforcement of Your Security Policies ......................... 5
1.2.7. Network "Offline" Mode to Support Your Field Employees ..... 5
1.2.8. Enforced Encryption - protecting sensitive data in transit /
TrustedDevice ............................................................................ 6
1.2.9. Client Uninstall Protection ................................................ 6
1.2.10. Client Stop Protection / Tamper Protection ......................... 6
1.2.11. Backup Scheduler ........................................................... 6
1.3. Controlled Device Types / Ports .......................................... 7
1.4. Conclusions ...................................................................... 9

2. Server Functionality / Server Components 10

2.1. Endpoint Protector – Web Service ..................................... 11
2.2. Administration and Reporting Tool .................................... 11
2.3. Accessing the Administration and Reporting Tool ................ 14
2.4. Login Credentials (Username and Password) ...................... 15

3. Management ........................................ 16
3.1. Devices.......................................................................... 16
3.2. Device Functionality ........................................................ 17
3.2.1. Give / Deny Access to Devices ........................................ 18
3.2.2. Enable Device Read-Only Access ..................................... 20
3.2.3. TrustedDevice Level 1 to Level 4 ..................................... 20
3.2.4. WiFi - Block if wired network is present............................ 20
3.3. Computers ..................................................................... 21
3.4. Groups .......................................................................... 23
3.5. Users ............................................................................ 24
II | Endpoint Protector | User Manual

4. Rights ................................................. 26
4.1. Device Rights ................................................................. 27
4.2. User Rights .................................................................... 28
4.3. Computer Rights ............................................................. 29
4.4. Group Rights .................................................................. 30
4.5. Global Rights .................................................................. 31
4.6. File Whitelist .................................................................. 32

5. Offline Temporary Password ................... 34

5.1. Generating the Offline Temporary Password ....................... 34
5.2. Offline Device Authorization ............................................. 37
5.3. Setting the Administrator Contact Information .................... 38

6. Settings ............................................... 39
6.1. Computer Settings .......................................................... 42
6.2. Group Settings ............................................................... 43
6.3. Global Settings ............................................................... 44
6.4. File Tracing .................................................................... 45
6.5. File Shadowing ............................................................... 46

7. Reports and Analysis ............................. 49

7.1. Logs Report.................................................................... 50
7.2. File Tracing .................................................................... 51
7.3. File Shadowing ............................................................... 52
7.4. Online Computers ........................................................... 53
7.5. Online Users ................................................................... 54
7.6. Connected Devices .......................................................... 55
7.7. Computer History ............................................................ 56
7.8. User History ................................................................... 57
7.9. Device History ................................................................ 58
7.10. Statistics........................................................................ 59
7.11. Graphics ........................................................................ 60

8. System Alerts ....................................... 62

III | Endpoint Protector | User Manual

9. System Parameters ............................... 67

9.1. Device Types .................................................................. 68
9.2. Rights............................................................................ 69
9.3. Events ........................................................................... 70
9.4. File Types ...................................................................... 71
9.5. System Licenses ............................................................. 72
9.5.1. Import Licenses ............................................................ 73
9.6. System Security / Client Uninstall Protection ...................... 74

10. System Configuration ......................... 76

10.1. Active Directory Functionalities ......................................... 76
10.1.1. Active Directory Import.................................................. 77
10.1.2. Active Directory Sync .................................................... 80
10.1.3. Active Directory Client Deployment ................................. 84
10.2. System Administrators .................................................... 90
10.3. System Policies ............................................................... 91
10.4. System Settings ............................................................. 92
10.5. System Snapshots .......................................................... 97
10.6. Log Backup .................................................................... 99
10.6.1. Backup Scheduler (Automatic Log Backup) ...................... 100

11. Setting up Policies ........................... 102

12. Modes for Users, Computers and Groups104
12.1. Transparent Mode ......................................................... 105
12.2. Stealth Mode ................................................................ 105
12.3. Panic Mode................................................................... 105
12.4. Adding new administrator(s) .......................................... 106
12.5. Working with logs and reports ........................................ 108
12.6. Finding users, devices, computers and groups .................. 109
12.7. Search ......................................................................... 109

13. Enforced Encryption with TrustedDevices110

13.1. How a Level 1 TrustedDevice Works ................................ 111
IV | Endpoint Protector | User Manual

13.2. EasyLock Software for TrustedDevices Level 1 .................. 112

14. Endpoint Protector Client .................. 114

14.1. Endpoint Protector Client Security ................................... 114
14.2. Client Notifications (Notifier) .......................................... 114
14.3. Offline Functionality for Endpoint Protector Client .............. 115
14.4. DHCP / Manual IP address .............................................. 115
14.5. Client Removal ............................................................. 115
14.5.1. Client Removal on Windows OS ..................................... 115
14.5.2. Client removal on MAC OS X .......................................... 116

15. Installing Root Certificate to your Internet

Browser ........................................... 117
15.1. For Microsoft Internet Explorer ....................................... 117
15.2. For Mozilla Firefox ......................................................... 123

16. Terms and Definitions ...................... 125

16.1. Server Related.............................................................. 125
16.2. Client Related ............................................................... 126

17. Support ......................................... 128

18. Important Notice / Disclaimer............ 129
1 | Endpoint Protector | User Manual

1. Introduction

Portable storage devices such as USB flash drives, external HDDs, digital
cameras and MP3 players/iPods are virtually everywhere and are connected to a
Windows PC or Macintosh via plug and play within seconds.

With virtually every PC or MAC having easily accessible USB, FireWire and other
ports, the theft of data or accidental loss of data is for individuals a mere child‟s
play.

Data theft or data loss or infecting companies‟ computers or network through a

simple connection is easy and doesn‟t take more than a minute. Network
administrators had little chance to prevent this from happening or to catch the
responsible user(s). This was the hard reality. Now Endpoint Protector helps to
stop these threats.
2 | Endpoint Protector | User Manual

1.1. What is Endpoint Protector?

Endpoint Protector will help you secure your PCs endpoints within your network.
You will be able to restrict the use of both internal and external devices which
can be used for data storage and transfer and to manage PC and MAC ports.

Endpoint Protector gives network administrators the control needed to keep

network endpoints safe.

 Control use of all USB and other storage devices

 Tracking of what data is saved to storage devices

 Tracking of what data is copied from and to storage devices

 Authorize the use of USB storage devices

 Securing data on USB storage devices

 Powerful reporting tool and audit

The modular and intuitive Web-based administration interface has been designed
to offer fast access to controlling computer, devices and user behavior in a large
network. It also offers several ways to track any kind of portable device related
activity registered on the system. A detailed report including timestamps, file
names, action(s) taken, logged user, etc. allows for pin-pointing malicious
behavior and users.
3 | Endpoint Protector | User Manual

The system‟s design also allows the CoSoSys team to perform easy
customizations and extensions requested by clients. Better automation and
express reports can be developed accordingly to customer demands. In the same
time this structure is easy to update and maintain, making the usability even
greater.

Endpoint Protector is the only solution that gives companies of any size the
ability to let users take advantage of the increasingly important functionality of
USB and other ports without losing control over data and compliance.

This endpoint security device control solution is designed to control usage of all
portable storage and to keep track of what data users are taking from and to
their work computers on any kind of portable storage devices.

Furthermore, Endpoint Protector enables network administrators to monitor and

report what data is introduced into the corporate network from a portable
storage device such as prohibited materials (MP3s, movies or games) or harmful
data like a virus that could jeopardize the networks integrity.

As not all portable storage devices are used with the intent to harm the
company, many legitimate reasons commonly justify the need of such devices to
increase network users‟ productivity. Thus, Endpoint Protector allows authorized
use of certain device types or specific devices such as the companies‟ own USB
Flash Drives to handle and transfer confidential data.

To ensure the protection of data carried by users on authorized devices, the

Endpoint Protector administrator can allows users to copy work data only to a
password protected / encrypted area of a authorized device, a so called
“TrustedDevice”. In this way confidential corporate data is protected in case of
hardware loss.

Endpoint Protector creates an audit trail that shows the use and activity of
portable storage devices in corporate networks. Thus, administrators have the
possibility to trace and track file transfers through endpoints and then use the
audit trail as legal evidence for data theft. For more details on Endpoint
Protector, please see the Data Sheet available on the company‟s website.

http://www.EndpointProtector.com
4 | Endpoint Protector | User Manual

1.2. Main Features

Your confidential sensitive data is only as safe as your endpoints are. Designed
for medium and large enterprises, Endpoint Protector offers powerful features in
order to control monitor and enforce network and endpoint security.

Endpoint Security for Windows and Macintosh Workstations, Notebooks and

Netbooks.

Endpoint Protectors full feature set is available for Windows. A reduced feature
set is available for Macintosh (OS X).

Protects PCs from threats posed by removable portable storage and endpoint
devices like USB Flash Drives, MP3 Players, iPods, digital cameras and other
devices that could be intentionally or accidentally used to leak, steal, lose, virus
or malware infect your data. Even self-executing devices like a USB Flash Drive
with a CD-ROM autorun feature such as U3 Drives will not be accessible and
thereby pose no threats.

1.2.1. Centralized web based Device Management / Dashboard

Network administrators have the ability to centrally manage and authorize the
use of devices. The Endpoint Protector 2009 Dashboard is designed to meet the
needs of both management and security staff and offer access to real-time
information, charts and reports about organization wide controlled device and
data transfer activity. All in an integrated single view and web based
Administration and Reporting Tool.

1.2.2. Control your data flow: File Tracing / File Shadowing

This thorough record of information streams at the network‟s endpoints is
supporting audits of data flow and controlling the impact of data leakage. The
File Tracing feature will track all data that was copied to and from prior
authorized portable storage devices. The File Shadowing feature saves a copy of
all, even deleted files that were used in connection with controlled devices on a
network storage server.
5 | Endpoint Protector | User Manual

1.2.3. Audit Trail – Device Activity Logging

A device activity log is recorded for all clients and devices connected along with
all administrative actions such as device authorizations, giving a history for
devices, PCs and users for future audits and detailed analysis.

1.2.4. Audit Trail – Reporting and Analysis Tools

Endpoint Protector 2009 is equipped with powerful reporting and analysis tools to
make the data audit process easy and straightforward.

1.2.5. File Whitelist

Allows only previously authorized files to be copied to portable storage devices.

1.2.6. Easy Enforcement of Your Security Policies

Simplified device management policies with customizable templates for defining
User Group permissions allow easy enforcement and maintenance of your latest
security policies across your network.

1.2.7. Network "Offline" Mode to Support Your Field Employees

“Offline Temporary Password” to allow time limited access to a specific device
when the client computer is disconnected from the network.

Protected PCs that are temporary or frequently disconnected from the network
like laptops stay protected based on the last locally saved policy. All notifications
are transmitted at the next network connection.
6 | Endpoint Protector | User Manual

1.2.8. Enforced Encryption - protecting sensitive data in transit /

TrustedDevice
The technology behind TrustedDevices is designed to certify that in the corporate
environment all the endpoint devices are not only authorized and controlled via
endpoint software and security policies but also certified and trusted for
protecting sensitive and confidential data in transit (in case of a TrustedDevice).
This will assure that in the event a device is stolen or lost all the data stored on it
is encrypted and therefore not accessible for other parties.

1.2.9. Client Uninstall Protection

Endpoint Protector 2009 offers a password-based solution that prevents the
users from uninstalling the Endpoint Protector Clients, thus ensuring continuous
data protection.

1.2.10. Client Stop Protection / Tamper Protection

Endpoint Protector 2009 is preventing the users from stopping the Endpoint
Protector Clients at any time.

1.2.11. Backup Scheduler

Endpoint Protector 2009 is providing an automatic log backup solution in order to
prevent the server from overloading.
7 | Endpoint Protector | User Manual

1.3. Controlled Device Types / Ports

Endpoint Protector supports a wide range of device types which represent key
sources of security breaches. These devices can be authorized which makes it
possible for the users to view, create or modify their content and for
administrators to view the data transferred to and from the authorized devices.

 Removable Storage Devices

 Normal USB Flash Drives, U3 and Autorun Drives, Disk on Key, etc.

 USB 1.1, USB 2.0, USB 3.0

 Wireless USB

 LPT/Parallel ports
By controlling the Parallel ports of a PC using Endpoint Protector, the
network administrator can deny or allow users access to storage devices
connected to these ports.
* APPLIES ONLY TO STORAGE DEVICES

 Floppy disk drives

Access to floppy disk drives can be managed through Endpoint Protector
and can be turned on/off completely.

 Memory Cards - SD Cards, MMC Cards, and Compact Flash Cards, etc.
These devices can be enabled / disabled via Endpoint Protector.

 Card Readers - internal and external

These devices can be enabled / disabled via Endpoint Protector.

 CD/DVD-Player/Burner - internal and external

These devices can be enabled / disabled via Endpoint Protector.

 Digital Cameras
These devices can be enabled / disabled via Endpoint Protector.
8 | Endpoint Protector | User Manual

 Smartphones / Handhelds / PDAs

This category includes Nokia N-Series, Blackberry, and Windows CE
compatible devices, Windows Mobile devices, etc.

 iPods / iPhones / iPads

These devices can be enabled / disabled via Endpoint Protector.

 MP3 Player / Media Player Devices

These devices can be enabled / disabled via Endpoint Protector.

 External HDDs / portable hard disks

These devices can be enabled / disabled via Endpoint Protector.

 FireWire Devices
These devices can be enabled / disabled via Endpoint Protector.

 PCMCIA Devices
These devices can be enabled / disabled via Endpoint Protector.

 Biometric Devices
These devices can be enabled / disabled via Endpoint Protector.

 Bluetooth
These devices can be enabled / disabled via Endpoint Protector.

 Printers
Applies to serial, USB and LTP connection methods. These devices can be
enabled / disabled via Endpoint Protector.

 ExpressCard (SSD)
These devices can be enabled / disabled via Endpoint Protector.
9 | Endpoint Protector | User Manual

1.4. Conclusions
As information theft and data leakage are a reality of today‟s business world,
effectively preventing all possible security breaches is becoming an ultimate
concern for enterprise security experts. Endpoint security comes to complete
your existing security policies, aiming to render it full proof.

As new circumvention and data compromising techniques come to diminish the

benefits of new devices and gadgets, Endpoint Protector secures your company‟s
technologically enabled mobility. Thus, by easily protecting all exposed endpoints
from inbound and outbound threats, you can enjoy enhanced portability,
efficiency and productivity.

As it enables your employees to use devices you have already invested in and it
protects your company from losses generated by attacks from outside and
within, all financial costs entailed by implementing Endpoint Protector, such as
purchase, implementation and usage training expenses, are fully justified by the
yielded return on investment.
10 | Endpoint Protector | User Manual

2. Server Functionality /
Server Components

The functionality is designed to be around several physical entities:

 Computers (PC's and MACs with Endpoint Protector client installed)

 Devices (the devices which are currently supported by Endpoint Protector.

e.g.: USB devices, digital photo cameras, USB memory cards etc)

 Client user (the user who will use the devices and the computers)

The server side of Endpoint Protector has different parts working close together:

 Web Service – responsible of communicating with the clients and storing

the information received from them

 The Administration and Reporting Tool – responsible for managing the

existing devices, computers, users, groups and their behavior in the entire
system

 Endpoint Protector Appliance Hardware (Only applies if you have

purchased the Endpoint Protector Hardware Appliance) – is the hardware
running the Endpoint Protector Server containing Operating System,
Database, etc.
11 | Endpoint Protector | User Manual

2.1. Endpoint Protector – Web Service

The web service of Endpoint Protector is responsible for communication between
Endpoint Protector Server and the Client computers. Starting with the
registration of the client computers, the Web Service sends the settings and
rights of each computer and also receives the log information from each client
and stores that information in the database.

The web service is started as long as the web server is running, and it is ready to
respond to each client request.

2.2. Administration and Reporting Tool

This part of the Server is designated as a tool for customizing the behavior of the
entire system (Server and Clients) and to offer the administrator(s) (the person
handling this tool) the necessary information regarding the activity on the
system.

Access to this part of the web server is restricted by a username/password pair.

The users accessing the web application are referred to as Administrator in this
document. This administrator can be a regular administrator or super
administrator. The difference between the two is the level of access to some
administrative parts of the application. The regular administrator cannot change
critical system parameters, cannot create/delete other administrators and has
restricted access to some areas of Endpoint Protector.
12 | Endpoint Protector | User Manual

Dashboard – Lets you view statistics of the server such as the number of clients
and devices currently corrected, total number of computers, log and shadow size,
last logged action, newest added client, etc. and also provides shortcuts to the
essential management tools.– Lets you view statistics of the server such as the
number of clients and devices currently corrected, total number of computers,
log and shadow size, last logged action, newest added client, etc. and also
provides shortcuts to the essential management tools.

Management – Used for administration of Devices, Computers, Groups, and

Client Users.

In this module, the administrator can edit, manage rights and settings for or
even delete devices, computers or groups. He can also create groups and add or
remove client users.
13 | Endpoint Protector | User Manual

Rights – Used to determine and define rules of access. Six subsections are found
here Devices Rights, User Rights, Computers Rights, Group Rights, Global Rights
and File Whitelist.

This is the most important module of Endpoint Protector. In this module the
administrator can set up and enforce security policies by assigning specific rights
to devices, computers, computer groups and global device access. Please refer to
paragraph 4“Rights” for more information.

Settings – Used for setting the behavior of computers, groups of computers or

all the computers.

In this module the administrator can modify global settings such as the log
upload interval, local log and shadow size, as well as manage computer and
computer group‟s settings. The functionality mode (Normal, Stealth,
Transparent, etc) can also be set from here.

Reports and Analysis – Designed to offer the administrator information regarding

the past and current activity on the system (Server and Clients). It includes
several sections such as Online Computers, User History, Statistics, Graphics,
etc. Several information formats are available for view and export.
14 | Endpoint Protector | User Manual

Similar to the Dashboard, this module displays usage statistics on past and
current activities, but with more details.

System Alerts – Allows the creation of System Alerts – notifications, set up by

administrators, which will alert them if a certain device was connected or
accessed, a certain user performed a certain action, etc. Please see paragraph 8
“Alerts” for more details.

System Parameters – Here you can determine the functionality of the entire
system. This module includes sections such as Device and File Types, System
Licenses and System Security

2.3. Accessing the Administration and Reporting Tool

To access the Administration and Reporting Tool, simply open a browser and
enter the IP address of the Endpoint Protector Server, the Endpoint Protector
Appliance IP or the Server Host Name.

In case you enter the IP address, please note that you must use the HTTPS
(Hypertext Transfer Protocol Secure) prefix, followed by the IP address of the
Endpoint Protector Server.
15 | Endpoint Protector | User Manual

Example: https://127.0.0.1/index.php .

(In case of using the Endpoint Protector Appliance the default IP address is
https://192.168.0.201).

If you use Internet Explorer, we recommend that you add this page to Internet
Explorer‟s trusted sites. To do this, follow the steps in paragraph 15 “Installing
Root Certificate to your Internet Browser”.

2.4. Login Credentials (Username and Password)

The default username and password for Endpoint Protector 2009 Administration
and Reporting Tool are:

USERNAME: root

PASSWORD: epp2009

To change the user name and password and to create additional administrators
please see paragraph 10.2 “System Administrators”.
16 | Endpoint Protector | User Manual

3. Management

3.1. Devices
In this module the administrator can manage all devices in the system. Endpoint
Protector has an automatic system implemented meaning that it will
automatically add any unknown devices connected to client computers to the
database, thus making them manageable.

When an unknown device is connected to one of the client computers, the

device‟s parameters are stored in the system database as: device data (Vendor
ID, Product ID, and Serial Number). The user who first used the device is stored
as the default user of the device. This, however, can be changed anytime, later.
17 | Endpoint Protector | User Manual

These are the actions available to the administrator in this module:

Edit, Manage Rights, Delete

Manage Rights is actually a shortcut to the Devices Rights module, and will be
explained in one of the following chapters.

The status column indicates the current rights for the devices.

Red means that the device is blocked in the system.

Green means that the device is allowed on computers or users.

Yellow means that device is allowed on some users or computers with

restrictions.

3.2. Device Functionality

Endpoint Protector can handle a wide variety of devices and device types and
offers several methods of usage for each device in particular. These can be found
by accessing the “Rights” module of Endpoint Protector and selecting one of the
relevant Rights tabs. The Rights module contains the following sections: Device
Rights, User Rights, Computer Rights, Group Rights, Global Rights and File
Whitelist.
18 | Endpoint Protector | User Manual

Depending on the network policy, administrators can use the following settings:

 Preserve Global settings

 Deny access to devices

 Allow access to devices

 Enable read-only access

 TrustedDevice Level 1 to Level 4

3.2.1. Give / Deny Access to Devices

With this option the administrator can give or deny complete access to a certain
device making it usable or obsolete for a certain group, computer or user.

The administrator can configure these settings for each device individually and
can also choose for what computer(s), user(s) and group(s) they will apply to.

The File Whitelisting feature allows the super administrator to control the transfer
of only authorized files to previously authorized portable storage devices.

To configure File Whitelisting, please see paragraph 4.6 “File Whitelist”.

Once configured, you can enable this feature for devices, users, computers and
groups. To do this, simply access the Rights module and select device, computer,
user or group rights, depending on the rights priority configuration of your
server.
19 | Endpoint Protector | User Manual

Select the device, user, computer or group you wish to manage rights for and
click the + (plus) button at the bottom of the page, under “Already Existing
Devices”

Once you do that, the Device Wizard will appear, allowing you to select the
device(s) you wish to manage. Please note that you need to allow access to the
storage device in order to able to enable the File Whitelisting for it.

Selecting a device will allow you to select one of the rights for that device.

Once you select a portable device, and choose “Allow Access” for it, you will also
have the option to enable File Whitelisting for that device.
20 | Endpoint Protector | User Manual

Click “Save” to store your changes.

The device(s) you selected will appear in the “Already Existing Devices” section.

To add more devices, simply repeat the steps mentioned above.

To change or delete added devices use either “Rights Wizard” or “Remove” action
buttons.

3.2.2. Enable Device Read-Only Access

With this option the administrator can enable read-only access to devices
preventing the deletion or alteration of data on the device(s).

The administrator can configure each device individually and can also choose for
what computer(s), user(s) and group(s) it will apply to.

3.2.3. TrustedDevice Level 1 to Level 4

This option has four levels. Selecting either one of these implies that you already
have knowledge and understanding of how TrustedDevices™ and EasyLock™
work.

For more information please refer to section “How a Level 1 TrustedDevice

Works” in this user manual.

3.2.4. WiFi - Block if wired network is present

With this option the administrator can disable the WiFi connection, while a wired
network connection is present. The WiFi connection will be available when the
wired network is not present.
21 | Endpoint Protector | User Manual

3.3. Computers
This is the module responsible for managing the client computers.

The client computers have a registration mechanism. This self registration

mechanism is run once after the Endpoint Protector Client software is installed on
a client computer. The client software will then communicate to the server its
existence in the system. The server will store the information regarding the client
computer in the system database and it will assign a license to the client
computer (if none available, a demo license will be created and assigned, which
will expire after 30 days).

NOTE!

The self registration mechanism acts whenever a change in the computer

licensing module is made, and also each time the application client is reinstalled.
The owner of the computer is not saved in the process of the self registration.
22 | Endpoint Protector | User Manual

Computers can also be imported into Endpoint Protector from Active Directory
using the Active Directory Plug-in.

For details, please consult the paragraph 10.1.1 “Active Directory Import”.

The available actions here are:

Edit, Manage Rights, Manage Settings, Delete and Offline Temporary

Password. The Manage Rights, Manage Settings and Offline Temporary
Password are links to their respective modules which will be explained in their
own chapter.

For a better organization and manageability, a computer can be assigned as

belonging to a Group (several computers within the same office, a group of
computers which will have same access rights or settings).
23 | Endpoint Protector | User Manual

3.4. Groups
This module is responsible for editing groups. Edit it is the only command
available from this sections.

Grouping computers and client users will help the administrator to manage the
rights, or settings for these entities in an efficient way. This can be done from
the Group Rights and Group Settings tabs.
24 | Endpoint Protector | User Manual

3.5. Users
The client users are the end users who are logged on a computer on which the
Endpoint Protector Client software is installed.

This module has a self completing mechanism: as soon as a user has some
activity on the system and he is new in the system, he will be added to the
system database.

Actions available in this group are: Edit and Delete.

There are two users created by default during the installation process of Endpoint
Protector.

noUser – is the user linked to all events performed while no user was logged in
to the computer. Remote users‟ names who log into the computer will not be
logged and their events will be stored as events of noUser. Another occurrence of
noUser events would be to have an automated script/software which accesses a
device when no user is logged in to the specific computer.

autorunUser – indicates that an installer has been launched by Windows from the
specific device. It is the user attached to all events generated by the programs
launched from the specific device when Autoplay is enabled in the Operating
System.
25 | Endpoint Protector | User Manual

The users can be arranged in groups for easier management at a later point.
Users can also be imported into Endpoint Protector from Active Directory through
the Active Directory Plug-in.

For details, please consult the paragraph 10.1.1 Active Directory Import”.
26 | Endpoint Protector | User Manual

4. Rights

The modules in this area will allow the administrator to define which device can
be used on computers, groups and which client users have access to them.

The rule of inheritance is as follows (from most important to least important):

Computer Rights -> Group Rights -> Global Rights. The rights are overwritten in
this order.

Example: If global rights indicate that no computer on the system has access to
a specific device, and for one computer that device has been authorized, then
that computer will have access to that device.
27 | Endpoint Protector | User Manual

4.1. Device Rights

This module is built around the devices, allowing the administrator to enable or
disable them for specific computers, groups or users.

After selecting a computer, you select the computers and group of computers for
which the device has specified rights.
28 | Endpoint Protector | User Manual

4.2. User Rights

This module is build around the user, allowing administrators to manage rights of
access to devices per users.
29 | Endpoint Protector | User Manual

4.3. Computer Rights

This module will allow administrators to specify what device types and also what
specific device(s) can be accessible from a single or all computers.
30 | Endpoint Protector | User Manual

4.4. Group Rights

This module is similar to the previous one, only difference is that the rights here
are applied to a group instead of a single computer.

The administrator can use the “Edit All” action here to edit rights for all groups at
one.
31 | Endpoint Protector | User Manual

4.5. Global Rights

This module applies rights to computers in the entire system.
32 | Endpoint Protector | User Manual

4.6. File Whitelist

This module allows the super administrator to control the transfer of only
authorized files to previously authorized portable storage devices.

The super administrator can manage exactly what files can be copied to
removable devices, and which cannot. In order to use this feature, the
administrator must create a folder in which the authorized files will be kept and
he must set this address in the “Folder” field.

After copying the required files into the previously created folder, he must simply
press the “Refresh” button for a list to be generated.
33 | Endpoint Protector | User Manual

Finally, he must check the box next to each file to enable it, and click the “Save”
button. The files will be hashed and will receive permission to be copied.

This feature is only available to the Super Administrator user and cannot be
modified by regular administrators.

Note!
This only works for outbound transfers. Files copied from external sources onto
client (protected) computers will still be processed using the existing system
policy.
34 | Endpoint Protector | User Manual

5. Offline Temporary
Password

5.1. Generating the Offline Temporary Password

This module allows the super administrator to generate a temporary password
for a specific device on a client user computer. It can be used when there is no
network connection between the client computer and the Server.

Note!
Once a device is temporarily authorized, any other rights/settings saved
afterwards for this device will not take immediate effect, until the time period is
passed and the connection with the Server is re-established.

A password is unique for a certain device and time period. In conclusion, the
same password cannot be used for a different device or for the same device
twice.

The password will give permission to the device for the specified amount of time.

The time intervals which can be selected are: 30 minutes, 1 hour, 2 hours, 4
hours, 8 hours, 1 day, 2 days, 5 days, 14 days and 30 days.
35 | Endpoint Protector | User Manual

The administrator can either search for an existing device using the search

wizard
or, in case the device is not already in the database, he can introduce the device
code communicated by the client user (explained in below paragraph).

After selecting the duration, the password will be generated by clicking

“Generate Code” button.
36 | Endpoint Protector | User Manual

Another way to generate a password is by selecting a client computer from

Management Computers list, with the action “Offline Temporary Password”.

The obtained password will be communicated to the user for temporarily allowing
his specific device as explained bellow.
37 | Endpoint Protector | User Manual

5.2. Offline Device Authorization

In order to select a device and enter a password, the user needs to click on the
Endpoint Protector icon from the system tray.

The user will select the device from the list and contact the administrator at the
displayed contact information.

The user will tell the administrator the code for the device and the administrator
will tell the user the password, after generating it on the Server (see above
paragraph for password generation).

The password will be inserted in the correspondent field and applied by clicking
“Enter”.
38 | Endpoint Protector | User Manual

5.3. Setting the Administrator Contact Information

The Administrator contact information can be edited under “System
Configuration” module, “System Settings” panel, edit “Main Administrator
Contact Details”, then click “Save”.
39 | Endpoint Protector | User Manual

6. Settings

The settings are attributes which are inherited. Settings are designed to be
applied on computers, groups and global (applies to all the computers). The rule
of inheritance is the following (from the most important to less important):

Computer Settings (settings applied to one exact computer).

40 | Endpoint Protector | User Manual

Group Settings (settings applied on a group).

Global Settings (settings applied for all the computers).

The settings and the rights for computers are sent to the client computer at an
exact interval of time, set in this section.
41 | Endpoint Protector | User Manual

Refresh Interval (in seconds) – represents the time interval at which the client
will send a notification to the server with the intent to inform the server of its
presence in the system. The server will respond by checking the settings and
rights and updating them if needed, so the client can behave accordingly.

Log Upload Interval (in minutes) – represents the maximum time interval at
which the client will send the locally stored log information to the server. This
time interval can be smaller than the default value in case the log size is greater
than the Local Log Size setting.

Local Log Size (in kilobytes) – represents the maximum size of the log which
can be stored by the client on the client pc. If this value is reached then the
client will send this information to the server.
This mechanism is optimal when a client computer has a lot of activity, because
it will send the information very quickly to the server, so the administrator can
be informed almost instantly about the activities on that computer.

Shadow Upload Interval (in minutes) – represents the maximum time interval
at which the client will send the locally stored shadow information to the server.

Local Shadow Size (in megabytes) – represents the maximum size of

shadowed files stored by the client on a client PC. When this value is reached,
the client will start overwriting existing files in order for it to not exceed the
specified limit.

Minimum File Size for Shadowing (in kilobytes) – represents the minimum
file size that should be shadowed. If a value is set here than files smaller in size
than that value will not be shadowed. If “0” –null is the value set for this field,
then it will be ignored and only the maximum file size will be taken into
consideration.

Maximum File Size for Shadowing (in kilobytes) – represents the maximum
file size that should be shadowed. If a value is set here, then files larger in size
than that value will not be shadowed. If “0” –null is the value set for this field,
than it will be ignored and only the minimum file size will be taken into
consideration.
42 | Endpoint Protector | User Manual

6.1. Computer Settings

This module will allow the administrator to edit the settings for each computer.

Defining custom settings for all computers is not necessary, since a computer is
perfectly capable of functioning correctly without any manual settings defined. It
will do this by either inheriting the settings of a group it‟s in or, if not possible,
the global settings, which are mandatory and exist in the system with default
values from installation.
43 | Endpoint Protector | User Manual

6.2. Group Settings

This module will allow the administrator to edit group settings.

We mentioned earlier that computers can be grouped so that editing of settings

should be easier and more logical.
44 | Endpoint Protector | User Manual

6.3. Global Settings

This module holds the global settings, which influence all computers within the
system. If there are no settings defined for a computer, and it does not belong to
a group, these are the settings it will inherit. If the computer belongs to a group,
then it will inherit the settings of that group.
45 | Endpoint Protector | User Manual

6.4. File Tracing

Endpoint Protector‟s file tracing feature allows monitoring of data traffic between
protected clients and portable devices. It shows what files were copied, to which
location, at what time and by which user. It also shows other actions that took
place, such as file renamed, deleted, accessed, accessed and modified, etc.

It is an essential feature for administrators since they can keep track of all data
that‟s being transferred to and from devices. All traffic is recorded and logged for
later auditing.

Administrators have the ability to enable or disable the file tracing feature. This
can be done from within the Endpoint Protector Administration and Reporting
Tool.

Access the “System Configuration” module and select “System Policies”.

If you wish to disable the file tracing feature, simply uncheck the box next to it
and click “Save”.
46 | Endpoint Protector | User Manual

6.5. File Shadowing

Endpoint Protector‟s File Shadowing feature works simultaneously together with
File Tracing, creating exact copies of files accessed by users. The creation of
shadow copies can be triggered by the following events: file read, file write, and
file read/write. Events such as file deleted, file renamed, etc. do not trigger the
function.

Same as File Tracing, Shadowing of files can be turned on or off, from the
“System Configuration -> System Policies” module of the Endpoint Protector
Reporting and Administration Tool. Please note, however, that this feature
cannot be used without the File Tracing feature enabled.

Advanced settings such as minimum file size to be shadowed and shadowing

upload interval can also be configured in this section.
47 | Endpoint Protector | User Manual

Refresh Interval (in seconds) – Represents the time interval at which the client
will send a notification to the server with the intent to inform the server of its
presence in the system. The server will respond by checking the settings and
rights and updating them if needed, so the client can behave accordingly.

Log Upload Interval (in minutes) – Represents the maximum time interval at
which the client will send the locally stored log information to the server. This
time interval can be smaller than the default value in case the log size is greater
than the Local Log Size setting.

Local Log Size (in kilobytes) – represents the maximum size of the log which
can be stored by the client on the client pc. If this value is reached then the
client will send this information to the server.
This mechanism is optimal when a client computer has a lot of activity, because
it will send the information very quickly to the server, so the administrator can
be informed almost instantly about the activities on that computer.

Shadow Upload Interval (in minutes) – Represents the maximum time interval
at which the client will send the locally stored shadow information to the server.

Local Shadow Size (in MB) – Represents the maximum size of shadowed files
stored by the client on a client PC. When this value is reached, the client will
start overwriting existing files in order for it to not exceed the specified limit.

Minimum File Size for Shadowing (in KB) – Represents the minimum file size
that should be shadowed. If a value is set here than files smaller in size than that
value will not be shadowed. If “0” –null is the value set for this field, than it will
be ignored and only the maximum file size will be taken into consideration.

Maximum File Size for Shadowing (in KB) – Represents the maximum file
size that should be shadowed. If a value is set here, then files larger in size than
that value will not be shadowed. If “0” –null is the value set for this field, then it
will be ignored and only the minimum file size will be taken into consideration.
48 | Endpoint Protector | User Manual

The shadow directory can be selected from the “System Configuration” module
under the “System Settings” tab.

Since shadow size can reach large amounts, we strongly recommend that a
separate, large capacity Hard Disk is used for shadow storage.

Note!
Shadowing Files can be delayed due to network traffic and Endpoint Protector
Settings for different computers or file sizes. Shadowed files are usually available
after a few minutes.
49 | Endpoint Protector | User Manual

7. Reports and Analysis

This module is designed to offer the administrator feedback regarding system

functionality and information related to devices, users and computers in the
entire system.
50 | Endpoint Protector | User Manual

7.1. Logs Report

The most powerful and detailed representation of activity recordings can be
achieved using this module. It allows the administrator to see exactly what
actions took place at what time. This information also contains the computer
name, user and device used and also the action taken and the files accessed. The
granular filter included in this module is designed to make finding information
quick and easy.

The administrator has the possibility of exporting both the search results or the
entire log report as an Excel file, which can later be printed out for detailed
analysis.
51 | Endpoint Protector | User Manual

7.2. File Tracing

Displays the list of file properties traced of files that have been transferred from
a protected computer to a portable device.
52 | Endpoint Protector | User Manual

7.3. File Shadowing

Displays the list of file shadows, of files, that have been transferred from a
protected computer to a portable device.
53 | Endpoint Protector | User Manual

7.4. Online Computers

Offers real time* monitoring of the client computers registered on the system
which have an established connection with the server.

*depends on the Refresh Interval; if the Refresh Interval for computer X is 1

minute, than the computer X was communicating with the server in the last 1
minute.

The administrator has the possibility of accessing the log for a certain computer
by pressing the “List” action button.

Pressing this button will take you to the logs report where it will only display the
actions of that specific computer for which the button was pushed.
54 | Endpoint Protector | User Manual

7.5. Online Users

Shows a list of users that are connected to the Endpoint Protector Server in real
time.
55 | Endpoint Protector | User Manual

7.6. Connected Devices

Offers information regarding the devices connected to the computers on the
system.

The administrator can see which devices are connected to what computers and
also the client user who is accessing them. The administrator can also use the
action buttons “List” and “Manage Rights” to quickly administer the device.
56 | Endpoint Protector | User Manual

7.7. Computer History

This module displays a list of all computers that were once connected to the
system.

The administrator has the possibility of either exporting the log for a computer as
an Excel document or simply view it in the Logs Report module. Both reports will
contain all activities performed by the computer in question.
57 | Endpoint Protector | User Manual

7.8. User History

This module displays a list of all client users that were once connected to the
system.

Just like in the Computer History module, the administrator has the possibility of
either exporting the log for a computer as an Excel document or simply view it in
the Logs Report module.
58 | Endpoint Protector | User Manual

7.9. Device History

Same as the previous two modules, this module generates a list of all devices
that were connected to the system. This report can be generated for each device.

If viewed as such, the Excel report will, again, offer the complete information
regarding the device: VID, PID, Serial Number. , where it was used, what action
did it suffer, who changed the rights for it, etc.
59 | Endpoint Protector | User Manual

7.10. Statistics
The Statistics module will allow you to view system activity regarding data traffic
and device connections. The integrated filter makes generating reports easy and
fast. Simply select the field of interest and click the “Apply filter” button.
60 | Endpoint Protector | User Manual

7.11. Graphics
Endpoint Protector let‟s you visualize the traffic in your environment making
audit trails easier and more efficient.

The Graphical Reports offered by Endpoint Protector includes:

 Device blocking per Days

 General Device Blocking

 Device connections per Computer

 Device connections per Timeline

 Most active Computers (PCs)

 Most active Users

 Most active Devices

 Number of Device Connections

 Transferred data in MB

 Transferred data by extensions

61 | Endpoint Protector | User Manual

The Graphics module of Endpoint Protector can be accessed from the “Reports &
Analysis” module, by clicking the “Graphics” tab.

Selecting the timeline for the graphs is done by selecting the “From” and “To”
date of the desired date range. After selecting the date range click the “Change”
button to update the graph.

Besides the categorized view of data traffic, Endpoint Protector can also generate
a Top 10, 20 and 30 for the category you are currently viewing.
62 | Endpoint Protector | User Manual

8. System Alerts

Endpoint Protector allows you to set notifications (Alerts) for Devices,

Computers, Groups and Users making monitoring them easier. An Alert will
trigger an e-mail that will be sent to the selected administrator(s) that are
intended to receive the alerts. You can set up alerts in the System Alerts->
Define System Alerts module in Endpoint Protector.

Before you can create an e-mail alert, you must configure the server host and
provide a user name and password to that mail server. You can do that by
accessing “System Settings” in the “System Configuration” module.
63 | Endpoint Protector | User Manual

You can also verify if your settings are correct by checking the box next to “Send
test e-mail to my account”.

You also have to configure the e-mail of your current user with which you are
accessing Endpoint Protector; by default, “root”. To do this, go to “System
Configuration” > “System Administrators”.
64 | Endpoint Protector | User Manual

The actions available here are Edit, Edit Info and Delete.

Select the option “Edit info” for the desired user and complete the required fields.
After you are done, click “Save”.

Now you are set up to receive e-mail alerts.

Go back to “Define System Alerts” and click “Create” to start creating the first
alert.
65 | Endpoint Protector | User Manual

Then select the Group, Client, Computer, Device type or Device, - depending if
you mean a single device or all devices of a certain type-, and the event that will
trigger the notification.

You can also select one or more users to receive the same notification(s). This is
useful in case there is more than one administrator for Endpoint Protector.

Example: if you want to be notified when a certain device is connected to a

certain computer you must set up an alert choosing the specific device and
computer that you wish to be notified of and selecting the “Connected” event
from the events list.
66 | Endpoint Protector | User Manual

The “Client” and “Group” fields do not influence the triggering of the alert so
there is no need to fill them out. Setting up a value for the “Group” field means
that the alert will be triggered when the selected event occurs for any clients or
computers in that group.

you try deleting any items (Users, Groups, Computers etc.) that have been used
in setting up an alert, you will receive a notification, and you will not be able to
delete them.
67 | Endpoint Protector | User Manual

9. System Parameters

This module of Endpoint Protector is designed for super administrators. The

advanced settings available here determine the functionality of the entire
system.

Note!

Many of these parameters should be untouched and left as they are by

installation default. Introducing wrong values can limit the functionality and
performance of the entire system.
68 | Endpoint Protector | User Manual

9.1. Device Types

Here is a list of all device types currently supported by Endpoint Protector, along
with a short description for all of the items.
69 | Endpoint Protector | User Manual

9.2. Rights
This list contains the rights which can be assigned on the system at any time.
70 | Endpoint Protector | User Manual

9.3. Events
This list contains the events which will be logged for further reference.

Note!
Changing this list without CoSoSys‟ acknowledgement can limit system
functionality and performance; however, such customizations/implementations
can be performed by request by one of our specialists as part of our Professional
Services offered to customers.
71 | Endpoint Protector | User Manual

9.4. File Types

This list contains common file type extensions and a description for each of them
making them easier to recognize when creating audits.
72 | Endpoint Protector | User Manual

9.5. System Licenses

In this module the administrator can import Endpoint Protector Client licenses.
These licenses are in the form of an Excel file which contains special formatting.

Attention!
The Excel document has to be formatted in a specific way. Only the first column
in the excel sheet is taken into consideration and the first line in the excel sheet
is ignored.
73 | Endpoint Protector | User Manual

9.5.1. Import Licenses

This gives you the possibility to browse for an Excel file that contains licenses.
After you have selected the file, click Upload.
74 | Endpoint Protector | User Manual

9.6. System Security / Client Uninstall Protection

The Client Uninstall Protection feature protects the Endpoint Protector Client from
being uninstalled by using a password-based mechanism. The Administrator of
the system defines this password from within the Reporting and Administration
Tool of Endpoint Protector 2009. When somebody tries to uninstall the Endpoint
Protector Client, they will be prompted for the password. If they do not know the
password, the Client removal cannot continue.

This password can be set by accessing “System Parameters” – “System

Security”, entering a password in the “Password” field and clicking on “Save”.

The second option, “Data Security Privileges”, allows you to restrict Sensitive
Data sections access only to Super Administrators. If this option is selected, then
only super administrators are able to view the “Reports and Analysis” section. If
this option is not selected, then super administrators and also administrators are
able to view the “Reports and Analysis” section.

The “Re-read” command will force all computers to re-read rights instantly. This
is useful in case you modified the global system settings and computers need a
longer time to get their rights from the Server.
75 | Endpoint Protector | User Manual

You can also access the “System Lockdown” and “ON/OFF” buttons from this
module as well as the “Re-read” command.

System Lockdown - Pressing this button will cause Endpoint Protector to

instantly deny access to all devices in the system, stopping also ongoing data
transfers (depending on device type). Log files are still created of what was
accessed or modified before the Lockdown button was pushed.

ON/OFF – Pressing this button (OFF) will stop all Endpoint Protector related
activities completely. This means that all devices, even those previously blocked,
will now be usable, logging of traffic will stop as well as file shadowing.
76 | Endpoint Protector | User Manual

10. System Configuration

This module also contains advanced settings which influence the functionality
and stability of the system.

10.1. Active Directory Functionalities

Attention!

The previous versions of the AD Plug In (ADPlugIn.msi) can interfere with the
new functionality of Active Directory on Endpoint Protector Server version 3.0.3.1
or higher. Please make sure you uninstall this add-on in case of an update of the
server to this version.
77 | Endpoint Protector | User Manual

10.1.1. Active Directory Import

This module allows you to import Computers, Groups and Users from Active
Directory (where available).

If you have the requirements, simply click “Next”.

78 | Endpoint Protector | User Manual

Enter the Active Directory domain controller server name, the domain name and
a username and password in the format as in the examples presented in the
form. First, you can push the “Test Connection” button to test if the connection is
established successfully. If the connection is valid, push the “Next” button.

Note!
This operation might take some time, depending on the volume of data that
needs to be imported.
79 | Endpoint Protector | User Manual

In the next step, simply select what items you would like to import by clicking
the checkbox next to them and finally, select “Import”.

If the import procedure was successful, you will see the message “Import
completed”.
80 | Endpoint Protector | User Manual

10.1.2. Active Directory Sync

Special requirements: Endpoint Protector Timer, or the Windows Scheduler setup
to call the synchronization PHP script.

This module allows you to synchronize the entities in Endpoint Protector with the
entities in Active Directory (Computers, Users, and Groups).

You can either examine existing synchronizations by clicking the “View Sync List”
button,
81 | Endpoint Protector | User Manual

or, if you have the requirements, simply click “Next” to set up your
synchronization settings.

Enter the Active Directory domain controller server name, the domain name and
a username and password in the format as in the examples presented in the
form.
82 | Endpoint Protector | User Manual

You can also check if your settings are correct by clicking the “Test Connection”
button.

You should see a message “Connection is valid” on the top of the page.

Click “Next” to continue.

Note!
This operation might take some time, depending on the volume of data that
needs to be synchronized.
In the next step, simply select what items you would like to synchronize by
clicking the checkbox next to them, define a sync interval and select “Sync”.
83 | Endpoint Protector | User Manual

You will see the message “Sync object added”.

84 | Endpoint Protector | User Manual

You can set up multiple synchronizations from multiple locations at once. These
can be viewed and canceled in the “View Sync List”.

10.1.3. Active Directory Client Deployment

With the new “Active Directory Deployment” feature of Endpoint Protector you
have the possibility to deploy Endpoint Protector Clients on computers imported
from Active Directory. This implies that you first have to import the computers
you wish to install Endpoint Protector Client on, from Active Directory to the
Endpoint Protector Server using the Active Directory Import Wizard.
85 | Endpoint Protector | User Manual

Requirements for this feature:

 Administrator credentials to the Active Directory Domain Controller

 Active Directory Domain Controller Microsoft Group Policy Management

Console (GPMC). You can download it from the Microsoft‟s website:

http://www.microsoft.com/downloads/details.aspx?FamilyId=0A6D4C24-8CBD-
4B35-9272-DD3CBFC81887&displaylang=en

Preparations:

1. Create a shared network folder and be sure to set the sharing and security
permissions for the folder to “Everyone” – Read Only. Copy to this location
the files „EPPClientSetup_x86_32.msi‟ and „EPPClientSetup_x86_64.msi‟.
86 | Endpoint Protector | User Manual

2. From the Endpoint Protector web interface, after selecting “Next”, enter
the required information in the correct format and push the “Test
Connection” button. Before continuing with the deployment process you
will need to run “AD Setup”.

3. Run AD Setup from Endpoint Protector Web interface for each domain you
have setup in your organization.
87 | Endpoint Protector | User Manual

As a result of this step you will get a new folder located on the Endpoint
Protector Server, under: InstallPath\endpointprotector\sieratool\web\ad\
with the following name: ADSetup-“DOMAINNAME”

1. Copy the file „Install_EPP_Client.vbs‟ located in above directory to the

shared network folder created at Step 1

2. Copy the rest of the files and folders to a new created folder located on
the Domain Controller

3. On the Domain Controller computer run the command:

cscript.exe setupAD.vbs
within Command Prompt
88 | Endpoint Protector | User Manual

The mechanism of deployment is the following:

1. Through the Endpoint Protector interface you have to provide the

information regarding the Active Directory: domain controller server name,
the domain name and a username and password in the format as in the
examples presented in the form

2. In the next step a tree is being built with the computers that exist in the
Endpoint Protector‟s database and were imported from Active Directory.
Here you have to select the computers to which you want to deploy the
Endpoint Protector Client.
89 | Endpoint Protector | User Manual

Next time the computers from the Endpoint Protector Group reboot, the Startup
script will run and it will install Endpoint Protector Client on each of them.

Technical information regarding the setupAd.vbs script

This script has to be run on all Active Directory on which you want to deploy
Endpoint Protector Client.
What it does:

1. It creates a new GPO called Endpoint Protector Policy

Import into the GPO above the settings for installing Endpoint Protector
Client, generated from web interface

2. Create an Organization unit called Endpoint Protector

Create a new Group Endpoint Protector Group

3. Link Endpoint Protector Policy to domain

Restrict the applying of this GPO to Endpoint Protector Group only

Technical information regarding the web deployment interface

Each computer you select for deployment will be added as a member of the
group Endpoint Protector Group, and so applying the policies/settings defined in
this GPO.
90 | Endpoint Protector | User Manual

10.2. System Administrators

This list contains all the administrators who have access to the Administration
and Reporting Tool. As described earlier in this document the administrators can
be of two types: regular administrators, which have some limitations and super
administrators which have full access to the system, including advanced
features.

For more information on administrators, please consult the paragraph 10.2

“Adding new administrator(s)”.
91 | Endpoint Protector | User Manual

10.3. System Policies

This module provides a useful shortcut to default server and device rights
settings. By accessing this module you can quickly and easily configure the
Endpoint Protector 2009 Server settings such as Log Upload Interval (in
minutes), Local Shadow Size (in MB), Local Log Size (in KB), etc. and default
device group behavior, for each device type, separately.

To store your setup, simply click “Save”.

92 | Endpoint Protector | User Manual

10.4. System Settings

In the System Settings module, you can modify Endpoint Protector 2009 Server
Rights functionalities by giving priority to either User Rights or Computer Rights
default Log and Shadow directory‟s and you can specify where the log and
shadow files should be saved. Please note that these folders need Internet Guest
Account rights (IUSR_MACHINE_NAME). To do this:

1. Create the folder(s) where you wish to store the data

2. Right-click it and select “Properties”

3. Go to “Security” tab and click on “Add…”

93 | Endpoint Protector | User Manual

4. Click on “Advanced…”

5. Click “Find Now”

94 | Endpoint Protector | User Manual

6. Select your machine from the list. The format will be “IUSR_your machine
name”.

7. Click “OK”
95 | Endpoint Protector | User Manual

8. Check the box next to “Write” for your newly added Internet Guest
Account user.

9. Click “OK”.

If you created two separate folders, one for log files, the other for shadowed
files, repeat the aforementioned steps for the remaining folder.
96 | Endpoint Protector | User Manual

Pease consult the “Setting up policies” chapter of this document for more
information on this area.
97 | Endpoint Protector | User Manual

10.5. System Snapshots

The System Snapshots module allows you to save all rights and settings for all
devices in the system and restore them later, if needed.

After installing the Endpoint Protector 2009 Server, we strongly recommend that
you create a System Snapshot before modifying anything. In this case you can
revert back to the original settings if you configure the server incorrectly.

To create a System Snapshot, access the module from System Configuration and
click “Make Snapshot”.

Enter a name for the snapshot, and a description. Select also what you wish to
store in the snapshot, Only Rights, Only Settings, or Both.

Finally, click “Save”.

98 | Endpoint Protector | User Manual

Your snapshot will appear in the list of System Snapshots.

To restore a previously created snapshot click the “Restore” button next to the
desired snapshot.

- Restore

Confirm restoration by clicking the “Restore” button again in the next window.
99 | Endpoint Protector | User Manual

10.6. Log Backup

This module allows you to delete old logs from the database and save them in an
Excel document. It also allows you to import logs that you previously created.

Here you can select the logs you wish to back-up. Simply select and option and
click “Make Backup”.
100 | Endpoint Protector | User Manual

You should see the message “Backup Completed” in the top-center of your
browser.

You can download and view the logs by selecting the “click here” link.

To import a log file, click the “Import Logs” button then search for the log file,
via the “Browse” button.

10.6.1. Backup Scheduler (Automatic Log Backup)

You can backup your log files also automatically by using the Backup Scheduler
option.

Here you can schedule an automatic backup routine by setting two trigger
conditions:

Backup time interval - allows you to select a certain time interval for repeating
the backup operation

Backup size limit - allows you to select a maximum size for the logs to be backed
up

In case that you don't wish to set a specific value for one or both of these
options, please leave the specific field(s) blank. After specifying the logs to be
backed up automatically based on their creation time, please click "Save" in
order for your options to be applied.
101 | Endpoint Protector | User Manual

You can view the created backups by using the Backup List option.
102 | Endpoint Protector | User Manual

11. Setting up Policies

Most companies like to limit their employee‟s access to data, especially if it is

confidential. Through Endpoint Protector you can enforce your security policies
and keep confidential data away from the hands of curious employees. You can
start setting your policies in the Rights section of Endpoint Protector. There are
four sections here that need to be mentioned.

Device Rights, Computer Rights, Group Rights and Global Rights. You can find
descriptions of these items in the previous paragraphs. Before configuring
computers and devices, there are certain aspects of Endpoint Protector you
should be aware of.

Computer Rights, Group Rights and Global Rights form a single unit and they
inherit each-others settings, meaning that changes to any one of these modules
affect the other ones. There are three levels of hierarchy: Global Rights, Group
Rights and Computer Rights, the later being the deciding factor in rights
management.

The Device Rights module surpasses all settings from Computer Rights, Group
Rights and Global Rights. If you give permission to a device to be available to
clients, it will be usable under any circumstances.
103 | Endpoint Protector | User Manual

DEVICE
RIGHTS

GLOBAL
RIGHTS

GROUP
RIGHTS

COMPUTER
RIGHTS

CLIENT
COMPUTER

For example: in Global Rights, assign Allow for device X. If in Computer Rights,
the same device does not have permission to be used; the device will not be
usable. Same applies vice-versa: if the device lacks permission to be used in
Global Rights, and has permission under Computer Rights, the device will be
usable to the client. The same applies for Global Rights and Group Rights: if
under Global Rights the device does not have permission to be used, and under
Group Rights permission exists, the device will be available to the client.

DEVICE 1 DEVICE 2 DEVICE 3 DEVICE 4 DEVICE 5 DEVICE 6

GLOBAL NOT NOT NOT
ALLOWED ALLOWED ALLOWED
RIGHTS ALLOWED ALLOWED ALLOWED

GROUP NOT NOT NOT

ALLOWED ALLOWED ALLOWED
RIGHTS ALLOWED ALLOWED ALLOWED

COMPUTER ALLOWED NOT NOT

ALLOWED ALLOWED
NOT
RIGHTS ALLOWED ALLOWED ALLOWED

CLIENT ALLOWED
NOT NOT
ALLOWED ALLOWED
NOT
COMPUTER ALLOWED ALLOWED ALLOWED
104 | Endpoint Protector | User Manual

12. Modes for Users,

Computers and Groups

Endpoint Protector features several functionality modes for users, computers and
groups. These modes are accessible for each item (users, computers, groups)
from the Settings module of Endpoint Protector using the “Edit” button.

You can change these at any given time.

There are four modes from which you can choose from:

 Stealth Mode

 Transparent Mode

 Panic Mode

 Normal Mode (as it currently is running in current specification applying

the last know policy)
105 | Endpoint Protector | User Manual

12.1. Transparent Mode

This mode is used if you want to block all devices but you don‟t want the user to
see and know anything about EPP activity.

 no system tray icon is displayed

 no system tray notifications are shown

 everything is blocked regardless if authorized or not

 Administrator receives alerts (dashboard also shows alerts) for all

activities

12.2. Stealth Mode

Similar to Transparent mode, Stealth mode allows the administrator to monitor
all of the users and computers activities and actions with all devices allowed.

 no system tray icon is displayed

 no system tray notifications are shown

 everything is allowed (nothing is blocked regardless of what activity)

 file shadowing and file tracing are enabled to see and monitor all user
activity

 Administrator receives alerts (dashboard shows also alerts) for all

activities

12.3. Panic Mode

If Stealth Mode and Transparent Mode are set manually, Panic Mode will be set
automatically by the system, when it considers it necessary.

 system tray icon is displayed

 notifications are displayed

 everything is blocked regardless if authorized or not

 Administrator receives alert (dashboard also shows alerts) when PCs are
going in and out of Panic mode
106 | Endpoint Protector | User Manual

12.4. Adding new administrator(s)

You can add an unlimited number of system administrators, depending on the
size and manageability of your network.

While fewer administrators are recommended for easier data loss prevention, it is
easier to manage a large network with more.

To add an administrator or Super Administrator in Endpoint Protector, you must

login as a super administrator and access the “System Configuration” module
then the “Administrators” panel.

Here you can see a list of current Administrator and Super Administrators.

To add another Administrator or Super Administrator, click the “Create” button.

107 | Endpoint Protector | User Manual

Enter the desired user name and password for the new account, then set if the
account is active or not or whether is a super admin or not.

Is active – if this option is not enabled the selected user cannot log in to the
Endpoint Protector console. Use this option in case you want to create temporary
admin or super admin privileges to a certain user and then remove them or if
you want to disable an administrator but do not want to delete his credentials
from the server.

Is Super Admin – Super Administrators have more rights than administrators.

Super Administrator can create, delete and modify administrator and super
administrator settings, while standard administrators do not have this right. The
most important difference is that only super administrators are able to view the
"Reports and Analysis" section if the option "Data Security Privileges" is selected
(please see paragraph 9.6 “System Security / Client Uninstall Protection”).
108 | Endpoint Protector | User Manual

12.5. Working with logs and reports

Endpoint Protector creates a device activity log in which it records actions from
all clients and devices connected along with all administrative actions such as
device authorizations, giving a history for devices, PCs and users for future
audits and detailed analysis.

Logs Report - The most powerful and detailed representation of activity

recording can be achieved using this module. This allows the administrator to see
exactly which device, computer a user used on a specific time interval, and
whether the shadowing for that user/device is enabled or not. There is a special
filter designed to make it easier to find this information.

Online Users – Online users are end users who have logged on to a client
computer.

Online Computers – Online Computers are client computers which have been
set up to communicate with the Endpoint Protector server by installing the
Endpoint Protector Client. Here you can see a list of computers which are
currently powered on and you can view the actions they have taken.

Connected Devices – Connected Devices are devices which are currently

plugged-in to one of the (online) client computers. Here again you have the
possibility to view an activity log, this time, of the device.

User History – This module records all of the users (clients) that have been
registered via the Endpoint Protector Client in the Endpoint Protector Server. You
can also find more information on the client users, such as first name, last name,
phone number, e-mail(s) and the actions they have taken.

Device History – Here you will find a history of recorded devices and actions.
These are sorted by device type, device name, owner, description, TD
(TrustedDevices), vendor and product ID (VID, PID), serial number and last
known time of connection. You can export the history for each device separately
in an Excel format.

Computer History – contains a list with all registered computers (clients).

These are sorted by computer name, domain, workgroup, IP, computer group,
computer location and last known time of connectivity (last time online). You can
export the history for each computer separately in an Excel format.

Statistics – The statistics module can generate reports on registered computers,

devices and users based on traffic, connections or overall activity. You can set a
period for this report (last week, month or year).
109 | Endpoint Protector | User Manual

12.6. Finding users, devices, computers and groups

12.7. Search
Endpoint Protector‟s search feature lets you easily find what you are looking for,
whether is a newly added device, user or a previously created computer or
group.

To use the advanced search feature of Endpoint Protector, log in and access the
“Dashboard” module, then the “Search” module.

Now you can choose to search for computers, devices, users or groups. Endpoint
Protector also lets you choose the number of results you see on each page.

If you are not sure what you are looking for, you may browse through all
computers, devices, users and groups just below the “Search” button, in the
same window.

For easier navigation, these items can be sorted by Type (device, user, computer
and group), name, description, and actions.
110 | Endpoint Protector | User Manual

13. Enforced Encryption with

TrustedDevices

Damage control

Protecting Data in Transit is essential to ensure no third party has access to data
in case a device is lost or stolen. The Enforced Encryption solution gives
administrators the possibility to protect confidential data on portable devices in
case of loss or theft. If a TrustedDevice fails to get authorization from the
Endpoint Protector 2009 Server, it will not be usable.

How does it work?

Enforcing Encryption can be done by utilizing TrustedDevices. TrustedDevices

must receive authorization from the Endpoint Protector 2009 Server, otherwise
they will be unusable.

There are four levels of security for TrustedDevices:

 Level 1 - Minimum security for office and personal use with a focus on
software based encryption for data security. Offers companies already
regulatory compliance.
Any USB Flash Drive and most other portable storage devices can be
turned into a TrustedDevice Level 1 with EasyLock Software from
CoSoSys.
No hardware upgrade is required.
http://www.endpointprotector.com/en/index.php/products/easylock

 Level 2 - Medium security level with biometric data protection or

advanced software based data encryption.
Requires special hardware that includes security software and that has
been tested for TrustedDevice Level 2.
Hardware is widely available in retail stores.
111 | Endpoint Protector | User Manual

 Level 3 - High security level with strong hardware based encryption that
is mandatory for sensitive enterprise data protection for regulatory
compliance such as SOX, HIPAA, GBLA, PIPED, Basel II, DPA, or PCI
95/46/EC.
Requires special hardware that includes advanced security software and
hardware based encryption and that has been tested for TrustedDevice
Level 3.

 Level 4 - Maximum security for military, government and even secret

agent use. Level 4 TrustedDevices include strong hardware based
encryption for data protection and are independently certified (e.g. FIPS
140). These devices have successfully undergone rigorous testing for
software and hardware.
Requires special hardware that is available primarily through security
focused resellers.

13.1. How a Level 1 TrustedDevice Works

User connects Device to Endpoint Protector protected Client PC. Device is blocked
by Endpoint Protector (default action).

Device is checked for authorization.

If device is an authorized TrustedDevice Level 1, the EasyLock software on

Device will automatically open.

User can transfer files via Drag & Drop in EasyLock from the PC to the
TrustedDevice.

Data transferred to devices is encrypted via 256bit AES.

User cannot access the device using Windows Explorer or similar applications
(e.g. Total Commander).

User does not have the possibility to copy data in unencrypted state to the
TrustedDevice.

“TrustedDevice” implies that the devices offer a safe, risk-free environment to

transfer sensitive data and tracking or shadowing files and file transfers is not
needed for these devices.

Administrator can audit what user, with what device, on what PC, has transferred
what files.
112 | Endpoint Protector | User Manual

13.2. EasyLock Software for TrustedDevices Level 1

EasyLock allows portable devices to be identified as TrustedDevices and protects
data on the device with government-approved 256bit AES CBC-mode encryption.
With the intuitive Drag & Drop interface, files can be quickly copied to and from
the device.

To install EasyLock on an USB Flash drive one has to copy the file "EasyLock.exe"
to the root folder of a partition associated with that device.

Managing TrustedDevices from EPP server console

Access to TrustedDevices can be configured from the Global Rights module of

Endpoint Protector 2009, under Rights tab.

Access the drop-down box next to USB Storage Device and select the desired
level of TrustedDevices you wish to grant access to.

More information about EasyLock:

http://www.endpointprotector.com/en/index.php/products/easylock
113 | Endpoint Protector | User Manual
114 | Endpoint Protector | User Manual

14. Endpoint Protector Client

The Endpoint Protector Client is the application which once installed on the client
Computers (PC‟s), communicates with the Endpoint Protector Server and blocks
or allows devices to function, as well as sends out notifications in case of
unauthorized access.

14.1. Endpoint Protector Client Security

The Endpoint Protector Client has a built in security system which makes
stopping the service nearly impossible.

This mechanism has been implemented to prevent the circumvention of security

measures enforced by then network administrator.

14.2. Client Notifications (Notifier)

The Endpoint Protector Client, depending in the mode it is currently running on,
will display a notification from the taskbar icon when an unauthorized device is
connected to the system. Not only does it log any attempts to forcefully access
to system, it can also trigger the system‟s Panic mode.
115 | Endpoint Protector | User Manual

14.3. Offline Functionality for Endpoint Protector

Client
Depending on the global settings the Endpoint Protector Client will store a local
file tracing history and a local file shadow history that will be submitted and
synchronized with the Endpoint Protector Server upon next connection to the
network.

14.4. DHCP / Manual IP address

Endpoint Protector Client automatically recognizes changes in the network‟s
configuration and updates settings accordingly, meaning that you can keep your
laptop protected at the office (DHCP) and at home(Manual IP address) too
without having to reinstall the client or modify any changes.

14.5. Client Removal

14.5.1. Client Removal on Windows OS

The Endpoint Protector Client cannot be uninstalled without specifying the
password set by the administrator(s) in the Reporting and Administration Tool.

To use this password-protect feature, please consult the paragraph 9.6 “System
Security / Client Uninstall Protection”.

The password sent by the Endpoint Protector Server is hashed and stored in the
registry. If it is deleted, the uninstall process will instantly stop. Tampering with
the registry value of the hash will lead to an irremovable client.
116 | Endpoint Protector | User Manual

14.5.2. Client removal on MAC OS X

To remove the Endpoint Protector Client you need to run (double click in Finder)
the "remove-epp.command" file that was attached to the "Endpoint Protector"
client package that you downloaded.

You will be prompted to enter the root password to perform administrative tasks.
117 | Endpoint Protector | User Manual

15. Installing Root Certificate

to your Internet Browser

15.1. For Microsoft Internet Explorer

Open Endpoint Protector Administration and Reporting Tool IP address. (Your
Appliance static IP Address, example https://192.168.0.201).

If there is no certificate in your browser, you will be prompted with Certificate

Error page like the screenshot below.

Continue your navigation by clicking “Continue to this website (not

recommended)”.
118 | Endpoint Protector | User Manual

Now, go to the Certificate file you downloaded from the Appliance Setup Wizard-
>Appliance Server Certificate-> and install the Certificate.

Click the Certificate Error button just next to the IE address bar as shown.

By clicking the “Certificate Error” button, a pop-up window appears. Just click the
“View certificates” in that pop-up window.

Another pop-up Certificate window will appear with three tabs namely “General”,
“Details” and “Certification Path”.

Select the “General” tab and then click “Install Certificate...” button as shown
above.
119 | Endpoint Protector | User Manual

Another Welcome to the Certificate Import Wizard pops up. Just click the Next
button.
120 | Endpoint Protector | User Manual

In Certificate Import Wizard window, select “Place all certificates in the following
store” radio button.

Click “Browse” button.

From the browser list, select “Trusted Root Certification Authorities”.

Then click the “Next” button.

121 | Endpoint Protector | User Manual

Another “Completing the Certificate Import Wizard” pops up. Just click the
“Finish” button.
122 | Endpoint Protector | User Manual

Security Warning window pops up. Just click “Yes”.

You have now successfully installed the Certificate.

Close the Internet Explorer browser and try to access the Endpoint Protector
Administration and Reporting Tool IP address again.
123 | Endpoint Protector | User Manual

15.2. For Mozilla Firefox

Open the Browser.

Open Endpoint Protector Administration and Reporting Tool IP address. (Your

Appliance static IP Address, example https://192.168.0.201).

From the above screenshot This Connection is Untrusted, choose I Understand

the Risks. Click Add Exception.

Security Warning window pops up.

124 | Endpoint Protector | User Manual

Just click Get Certificate button and then the Confirm Security Exception button.

Close the browser and start it again.

125 | Endpoint Protector | User Manual

16. Terms and Definitions

Here you can find a list of terms and definitions that are encountered throughout
the user manual.

16.1. Server Related

Appliance – Appliance refers to the Endpoint Protector Appliance which is running
the Endpoint Protector Server, Operating System, Databases, etc.

Computers – refers to PC‟s, workstations, thin clients, notebooks which have

Endpoint Protector Client installed.

File Tracing - this feature will track all data that was copied to and from prior
authorized portable storage devices.

File Shadowing – this feature saves a copy of all, even deleted files that were
used in connection with controlled devices on a network storage server.

Devices – refers to a list of known portable storage devices, ranging from USB
storage devices to digital cameras, LTP storage devices and biometric devices.

Groups – can be groups of devices, users or computers. Grouping any of these

items will significantly help the server administrators to easily manage rights and
settings for them.
126 | Endpoint Protector | User Manual

16.2. Client Related

Endpoint – can be a Personal Computer, a Workstation you use at the office or a
Notebook. An endpoint can call and be called. It generates and terminates the
information stream.

TrustedDevices – portable storage devices that carry a seal of approval from the
Endpoint Protector Server and can be utilized according to their level (1-4). For
more information please see “Enforced Encryption with TrustedDevices” section.

Client - refers to the client user who is logged in on a computer and who
facilitates the transaction of data.

Rights – applies to computers, devices, groups, users and global rights; it stands
for privileges that any of these items may or may not possess.

Online computers – refers to PC‟s, Workstations and/or Notebooks which have

Endpoint Protector Client installed and are currently running and are connected
to the Endpoint Protector server.

Connected devices – are devices which are connected to online computers.

Events – are a list of actions that hold major significance in Endpoint Protector.
There are currently 17 events that are monitored by Endpoint Protector:

 Connected – the action of connecting a device to a computer running

Endpoint Protector Client.

 Disconnected – the action of (safely) removing a device from a computer

running Endpoint Protector Client.

 Enabled – refers to devices; the action of allowing a device access on the

specified computer(s), group(s) or under the specified user(s).

 Disabled – refers to devices; the action of removing all rights from the
device, making it inaccessible and therefore unusable.

 File read - a file located on a portable device was opened by a user or the
file was automatically opened if the portable device was autorun by the
operating system.

 File write – a file was copied onto a portable device.

 File read-write – a file located on a portable device was opened and

edited; changes were saved to the file.

 File renamed – a file located on a portable device has been renamed.

127 | Endpoint Protector | User Manual

 File delete – a file located on a portable device has been deleted.

 Device TD – means that a device is registered as a TrustedDevice and has

access to files accordingly

 Device not TD – means that a device is not trusted and does not have
automatic access to files

 Delete – refers to computers, users, groups, alerts and devices; the action
of removing any of these items from the list

 Enable read-only – refers to devices; the action of allowing access to

devices but disabling the ability to write on them. User(s) can copy files
from device(s) but cannot write anything onto the device.

 Enable if TD Level 1-4 – refers to TrustedDevices; grants the device access

if the device is a level one, two, three or four TrustedDevice.

 Offline Temporary Password used – refers to computers, the action of

temporarily allowing access to a specific device on a certain client
computer.
128 | Endpoint Protector | User Manual

17. Support

In case additional help, such as the FAQs or e-mail support is required, please
visit our support website directly at http://www.cososys.com/help.html.

One of our team members will contact you in the shortest time possible.

Even if you do not have a problem but miss some feature or just want to leave
us general comment we would love to hear from you. Your input is much
appreciated and we welcome any input to make computing with portable devices
safe and convenient.
129 | Endpoint Protector | User Manual

18. Important Notice /

Disclaimer

Security safeguards, by their nature, are capable of circumvention. CoSoSys

cannot, and does not, guarantee that data or devices will not be accessed by
unauthorized persons, and CoSoSys disclaims any warranties to that effect to the
fullest extent permitted by law.

© 2004 – 2010 CoSoSys Ltd.; Endpoint Protector Basic, EPPBasic, Endpoint Protector, My
Endpoint Protector are trademarks of CoSoSys Ltd. All rights reserved. Windows is
registered trademark of Microsoft Corporation. Macintosh, Mac OS X are trademarks of
Apple Corporation. All other names and trademarks are property of their respective
owners.