Enable and Configure DLP (Data Leak Prevention)
DLP Functionality:
- Prevent Bluetooth device connections;
- Configurable blocking of USB flash drives and external hard drives;
- Block devices connected via MTP protocol (e.g., smartphones, cameras, media players);
- Disable writing to CD/DVD drives;
- Prevent unauthorized modification or removal of the StaffCounter Agent;
- Controlled blocking of file uploads to external resources;
- Restrict access to shared folders on the local network;
- Block downloading and execution of applications from the internet or external devices.
How to Enable Security Features
After registering on our server and installing the StaffCounter Agent, open the Settings page and scroll down to the DLP section.
Configuration
Disable Access to Bluetooth Devices
Enable the option “Disable sending files by Bluetooth”.
Once enabled, data transfer to and from Bluetooth devices will be blocked.
Customizable Access to USB Drives
Use the field “Control USB flash drives and HDD by serial number” to create access rules based on a device’s serial number (SN), Vendor ID (VID), and Product ID (PID).
To find these values, use the ChipGenius utility.
Rule Format:
VID:PID:SN=''/r/w
- The * symbol means “any” — useful when the serial number alone is sufficient for identification.
- An empty value after = means no access (read, write, or format) is allowed.
Examples:
- *:*:SN=rw — Allow read and write access only for the specified serial number.
- *:*:SN=r — Allow reading only; writing is blocked.
- *:*:*= — Block all actions for all devices.
- *:*:*=r — Allow reading for all devices, block writing.
- *:*:*=rw — Allow full access to all devices (no restrictions).
Note: The r (read-only) mode does not prevent file deletion or formatting. Use with caution.
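A small linter for rules in this format, added here as an example and not part of StaffCounter: it checks each rule before it is pasted into the settings field and flags rules that are broader than intended. It assumes one rule per line and accepts only the access values shown in the examples above (empty, r, rw); the serial numbers and the VID/PID in the sample are constructed.

```python
# Added example: lint USB access rules of the form VID:PID:SN=access.
# Assumptions: one rule per line; only '', 'r' and 'rw' are valid access values.
ACCESS = {"": "no access", "r": "read", "rw": "read and write"}

def lint_rule(rule):
    """Return (parsed, warnings); parsed is None when the rule is malformed."""
    left, sep, access = rule.strip().rpartition("=")
    if not sep:
        return None, ["missing '=' between device fields and access value"]
    fields = left.split(":")
    if len(fields) != 3 or "" in fields:
        return None, ["expected three non-empty fields VID:PID:SN before '='"]
    if access not in ACCESS:
        return None, ["access %r is not one of '', 'r', 'rw'" % access]
    vid, pid, sn = fields
    parsed = {"vid": vid, "pid": pid, "sn": sn, "access": access}
    warnings = []
    if access and fields == ["*", "*", "*"]:
        warnings.append("applies to every device: grants %s to all" % ACCESS[access])
    elif access and sn == "*":
        warnings.append("no serial number: matches every unit with this VID/PID")
    if access == "r":
        # Caveat taken from the note in the documentation above.
        warnings.append("'r' does not prevent file deletion or formatting")
    return parsed, warnings

def lint_rules(text):
    """Lint every non-blank line; returns a list of (rule, parsed, warnings)."""
    return [(line.strip(),) + lint_rule(line)
            for line in text.splitlines() if line.strip()]

# Constructed sample input (placeholder serial numbers and VID/PID).
SAMPLE = """\
*:*:CONSTRUCTED-SN-0001=rw
*:*:CONSTRUCTED-SN-0002=r
0000:0000:*=rw
*:*:*=rw
*:*:*=
*:*:CONSTRUCTED-SN-0003
"""

if __name__ == "__main__":
    for rule, parsed, warnings in lint_rules(SAMPLE):
        status = "INVALID" if parsed is None else ACCESS[parsed["access"]]
        print("%-30s %-16s %s" % (rule, status, "; ".join(warnings)))
```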
Block Devices Connected via MTP Protocol
Enable the option “Block access to smartphones and cameras connected by USB”.
This prevents data transfer to devices such as phones, cameras, and media players connected via USB. These devices will not be accessible for reading or writing.
Disable Writing to CD/DVD Drives
Enable the “Disable write files to DVD recorder” option.
This blocks writing to CDs and DVDs, whether through File Explorer or dedicated burning software.
Controlled Blocking of File Uploads to External Resources
Enable “Disable uploading data with the following browsers”.
In the rules field, enter one or more supported browsers, separated by semicolons without spaces:
- chrome – Google Chrome
- explore – Internet Explorer / Microsoft Edge
- firefox – Mozilla Firefox
- skype – Skype (file transfer)
Example: chrome;explore;firefox;skype
File uploads through selected browsers will be blocked.
Prevent Access to Shared Folders on the Local Network
Enable the “Block access to all shared folders” option.
This prevents writing to shared folders on the local network (including FTP). Reading files remains allowed.
Block Downloading and Running Applications
Enable “Disable to download applications from the web”.
This feature blocks:
- Downloading executable files from the internet;
- Extracting installers from archives;
- Installing new software.
It also prevents unauthorized removal of the StaffCounter Agent. To uninstall the program, you must first disable this protection.
Important Notes:
- Only users with access to the StaffCounter Control Panel can modify DLP settings. Regular users — even those with administrator rights — cannot change or disable these protections.
- Before uninstalling StaffCounter, you must disable DLP protection; otherwise, the uninstallation will be blocked.
- When installing the Agent on Windows 7 or Windows Server 2008, ensure the latest security updates are installed, including the patch referenced in the Microsoft Security Advisory.
- After enabling or disabling any DLP option, save the settings and restart the target computer for changes to take effect.