TYREX Workstation Protect Agent

A USB Security Agent For Endpoints and Workstations

Stop uncertified USB devices before they compromise your endpoints

The TYREX Workstation Protect Agent is an optional lightweight software agent to enforce certified-only USB access. It verifies that a TYREX Decontamination Station has scanned and certified removable media connected to workstations and industrial computers.

Extend USB Security to the Endpoint

TYREX Decontamination Stations secure the entry point. Workstation Protect Agent extends that control to the systems your business relies on.

Enforce at the Point of Use

The agent verifies that connected devices have been scanned and certified. Endpoints are prohibited from accessing the filesystems of uncertified devices.

Ensure Removable Device Compliance

Configure the agent to enforce your USB policies. Define which devices are permitted, how long certifications remain valid, and what happens when an uncertified device connects.

Block Security Workarounds

Without guardrails, vendors and employees choose convenience over security. The Workstation Protect Agent ensures USB security lapses don’t turn into major incidents.

Take Control of Every USB Port

Software-Based USB Access Control

The Workstation Protect Agent blocks any USB device that has not been scanned and certified by a TYREX station. It checks the embedded certificate on connection and disallows access unless the device has a valid certificate.

Cryptographically Verified USB Certificates

Every certified device carries a tamper-proof digital certificate. Administrators define expiration periods to ensure devices remain trusted for a limited time.

Online and Offline Deployment

The agent operates in connected or fully offline environments, making it suitable for air-gapped networks, OT environments, and industrial sites where network access is restricted.

Restrictive Deactivation via Security Token

Only a pre-authorized physical security token can temporarily deactivate the agent. Staff or contractors cannot bypass USB security policies without authorization.

Secure Whitelisting Controls

IT teams can whitelist file extensions or devices using their SHA256 identifiers. Whitelisting allows controlled exceptions without weakening USB security policies.

Add Endpoint Enforcement to Your USB Security Strategy

TYREX removable media security is trusted by 350+ organizations worldwide across energy, manufacturing, maritime, aerospace, and government sectors. Our decontamination stations protect over 5,000 public and commercial infrastructure locations.

Workstation Protect Agent Specifications

Deployment

Online or offline mode for air-gapped environments

Configuration

Configurable certificate validity period

Platform Compatibility

Windows XP SP2, 7, 8, and 10 (32-bit and 64-bit), Windows Server 2003 R2 and later
Linux CentOS 7 and later

Industry Certifications

ABB, Rockwell, Emerson, Schneider

TYREX USB Decontamination Stations for Any Scenario

A rugged, portable unit ideal for mobile teams.

A freestanding kiosk with a 22-inch display for high-traffic areas and self-service decontamination.

A desktop decontamination station for offices and standard workplaces.

For secure outbound data transfers to external parties.

Frequently Asked Questions

Is the Workstation Protect Agent an essential component of the TYREX system?

No. The agent is an optional component. TYREX Decontamination Stations provide full scanning and USB sanitization on their own. The agent adds endpoint enforcement for organizations that want to ensure certified-only access at the workstation level, but many TYREX customers operate successfully without it.

How does the agent know that a device has been decontaminated?

When a TYREX station scans and decontaminates a device, it can optionally write a tamper-proof digital certificate to the device. The agent checks for this certificate when the device connects. If the certificate is missing, invalid, or expired, the device is blocked.

How does the agent handle devices that need to bypass the decontamination process?

IT administrators can whitelist trusted hardware without disabling protection across the environment. Temporary agent deactivation is also possible, but requires a physical security token to prevent unauthorized bypasses.

What if we can't install software on our endpoints?

The TYREX Hardware Agent is a hardware alternative for environments where the Workstation Protect Agent software agent cannot be deployed. Developed in partnership with SecLab, it is a bidirectional security gateway that acts as a protocol break between the USB device and your network. It requires no software installation, making it ideal for legacy systems, locked-down industrial endpoints, and environments where endpoint software changes require lengthy approval processes.

Can we add the agent to an existing TYREX deployment?

Yes. The agent is designed to work with your existing TYREX stations and Management Server. Organizations that start with stations alone often add endpoint enforcement later as their security requirements mature or as they expand into more sensitive environments.

Will the agent work in environments with no network connectivity?

Yes. The agent can operate in fully offline mode for air-gapped networks, OT environments, and industrial sites where network access is restricted or prohibited. Certificate validation happens locally on the endpoint.

Secure Your Spaces from USB Threats

Ships, submarines, secure meeting rooms, and remote facilities all face USB security challenges, often with limited space for security infrastructure. Schedule a call with our team to discuss how the TYREX SATELLITE addresses your requirements for compact, wall-mounted USB decontamination.