Endpoint Protection

  • 1.  Application and Device Control

    Posted Jun 04, 2009 10:56 AM
    Does anyone know if it's possible to create an Application & Device Rule that can log writing of files to removable media?

    I've created a rule called Writing to Removable Media. I've applied all processes to this rule. I have then created a File and Folder Access Attempts condition, again using the * wildcard to show all files and folders and only to match files on the following drive types: CD/DVD, RAM, Removable drive.

    I've told it to not apply to local or network drives.

    Actions for Read & Create, Delete or Write attempts are to Continue processing other rules and Enable logging: Severity -- Critical -- 0


    Would this be correct? Also, where would I be able to check the logs to see what was copied?







  • 2.  RE: Application and Device Control

    Posted Jun 05, 2009 01:11 AM
    To be able to log the actions on the CD/DVD

    SEPM

    Clients > Application Control
    There is already a rule set to block USB drives.
    You can create a new rule or just modify that.
    Then you can add processes, choose which drives this rule will be allowed on, and assign the action.

    So, to answer your questions:
    Yes, it is correct. And to check the logs:
    Go to Monitors > Logs > Select the log type.


  • 3.  RE: Application and Device Control

    Posted Jun 05, 2009 03:28 AM
    I know that CD writers could not be blocked since no feature is yet made...
    but the burner is an app that could be blocked...
    Get the MD5 of all possible burner apps... if we can...


  • 4.  RE: Application and Device Control

    Posted Jun 05, 2009 05:30 AM
    As far as I recall, some CD burners have installers that include plugins for MS Windows that allow the user to burn on the spot, as if he were just copying files from rewritable media. You just have to click an extra icon to commit the changes.


  • 5.  RE: Application and Device Control

    Posted Jun 05, 2009 07:42 AM

    Let me know which SEP version you are using.

    In the new SEP MR4 version these options are already created, like:

      1) Log files writing to removable drives.
      2) Disable autorun.inf from removable drives.
      3) Make Removable drives read-only.

    You just need to enable the policy.