Windows Mobile devices protected by Symantec Mobile Security products: File Access Log Best Practice

Article:TECH191014  |  Created: 2012-06-14  |  Updated: 2013-02-07  |  Article URL http://www.symantec.com/docs/TECH191014
Article Type
Technical Solution


Issue



In case Windows Mobile smartphones containing sensitive data are lost or stolen, it is desirable to be able to see what files upon them have been accessed.  Using the Symantec Management Console (SMC) to administer Symantec Mobile Secureity 7.2 (SMS 7.2) or the legacy Symantec Endpoint Protection Mobile Edition 6 (SEPME 6) mobile devices, it is possible to do so.  

However, misconfiguring these settings will cause a great performance impact on devices.

 


Cause



If a device is lost or stolen, you can examine the File Access Log and analyze the risks to your organization’s information. The File Access Log provides a record of specified files that are accessed on the device. It can also be useful to help monitor activity on a device for any reason. 

The File Access Log is different from the event log , which provides a record of security-related events on the device. The File Access Log is uploaded to the server only when you specifically request it.  The lists of files created, modified, deleted and so on do not appear in the SMC management console for SMS 7.2 and SEPME 6: they must be decoded using a command-line tool and viewed individually.

You manage the File Access Log by creating a policy that enables the log and specifies the files and folders to watch.

 


Solution



Details on how to configure, retrieve, decrypt and read a File Access Log are are contained in Chapter 7, "Managing a lost or stolen device by using the File Access Log" of the Implementation Guide for Symantec Endpoint Protection, Mobile Edition and Symantec Network Access Control, Mobile Edition.

The mobile device will begin monitoring files as soon as it receives a policy that instructs it to do so.  (There is no need to launch any program manually on the device for file access logging to begin.)  Be sure to configure the policy and then assign it to the lost or stolen device, not to all devices!  

The syntax for configuring which files to monitor is:

(+)   to include a directory

(-)    to excluded a directory

The "(" and ")" are required: no log entries will be recorded without them.

For example, to monitor all file events in a Windows Mobile directory called \Secure:

(+)\Secure\*.*

It is possible to filter by file type.  For instance, if there are sensitive .doc files on the smartphone and it must be known when they are read, deleted, or copied:

(+)\*.doc

It is possible to combine the configurations with the character  ;

 (+)\Secure\*.*;(+)\*.doc

That example will look for any events in the \Secure directory, and any events that deal with .doc files in any directory.

Do remember that the file access log will need to be uploaded to the FTP server or to the Altiris Notification Server / Symantec Management Platform (NS/SMP), when the command is issued. Smaller files are much more likely to succeed.  Configure file access logging to monitor only for sensitive proprietary directories or file types that are on the device. 

One very important warning: trying to capture all file events in all directories on the device will cause a massive performance impact.  Mobile devices are designed with much less powerful CPUs and smaller hard drives than computers.  If the maximum size for this file access log is set high, then the device may even fill all available space with log entries and cease normal functioning!  Be very careful to configure the file access logging ONLY to monitor file directories or types that are likely to contain sensitive information, and not all interactions of every operating system event.  

 





Article URL http://www.symantec.com/docs/TECH191014


Terms of use for this information are found in Legal Notices