
Can you use SEP 12.1 RU2 to identify the specifics on a USB Drive?

Created: 05 Feb 2013 • Updated: 05 Feb 2013 | 4 comments
This issue has been solved. See solution.

Basically we are a global company and we have a problem with users bringing in their own USB devices. From the trends in our Risk data it's been proven that the majority of our infections come from USB Devices. We attempted previously in SEP 11 RU6 MP2 to establish an Application and Control Policy that would allow us to block all USB Devices except for company issued ones based on the Device ID, but due to problems with the policy we were never able to make it work successfully. From reading a recent article it looks like they've resolved this issue in versions 11 RU7 MP3 and newer. So here's my question.

Does SEP 12.1 RU2 have the ability to report details of USB Devices to SEP?  Primarily provide the Device ID of the USB Drive when it detects malicious files on a USB drive? 

I was thinking if this is possible I can slowly build a list that will essentially knock out about a million infections a month.


ᗺrian's picture

If you have the proper rule in place it should give you detailed info, but the product that can do all this is Endpoint Encryption - Device Control.

What you can do from the logs

Article: HOWTO81161 | Created: 2012-10-24 | Updated: 2013-01-30

The Application Control log and the Device Control log contain information about events where some type of behavior was blocked.

The following Application and Device Control logs are available:

  • Application Control, which includes information about Tamper Protection

  • Device Control

Available information includes the time the event occurred, the action taken, and the domain and computer that were involved. It also includes the user that was involved, the severity, the rule that was involved, the caller process, and the target.

You can create an application control or Tamper Protection exception from the Application Control log.

See Specifying how Symantec Endpoint Protection handles monitored applications.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

SMLatCST's picture

Soooo in 12.1, the Device Control part of the policy has changed the little checkbox at the bottom to "Log Detected Devices" rather than "Log Blocked Devices".

You would have to use these logs in conjunction with the Risk logs to find the device ID I'm afraid.  The Risk logs will only show the file path from what I recall.
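One way to do the correlation described in the comment above, as an added example that is not part of the original thread or of Symantec's tooling: it joins a Device Control log export to a Risk log export by computer and time window. The CSV column names, the sample rows, the one-hour window and the rule that `C:` is the fixed system drive are all assumptions constructed for illustration.

```python
import csv, io
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample exports; column names are assumptions, not SEP's real schema.
DEVICE_LOG = r"""time,computer,device_id
2013-02-05 08:55:00,WS-014,USBSTOR\DISK&VEN_ACME&PROD_FLASH\0001
2013-02-05 09:40:00,WS-022,USBSTOR\DISK&VEN_ACME&PROD_FLASH\0001
2013-02-05 09:41:00,WS-022,USBSTOR\DISK&VEN_OTHER&PROD_STICK\7777
2013-02-04 10:00:00,WS-030,USBSTOR\DISK&VEN_OLD&PROD_KEY\4242
"""
RISK_LOG = r"""time,computer,risk,file_path
2013-02-05 09:02:10,WS-014,W32.Sample,E:\autorun.inf
2013-02-05 09:45:00,WS-022,W32.Sample,F:\setup.exe
2013-02-05 11:00:00,WS-030,W32.Sample,E:\tool.exe
2013-02-05 09:03:00,WS-014,W32.Sample,C:\Users\a\tmp.exe
"""
FMT = "%Y-%m-%d %H:%M:%S"

def load(text):
    """Parse a CSV export and convert the 'time' column to datetime."""
    rows = list(csv.DictReader(io.StringIO(text.strip())))
    for row in rows:
        row["time"] = datetime.strptime(row["time"], FMT)
    return rows

def correlate(device_rows, risk_rows, window=timedelta(hours=1)):
    """Pair each removable-drive risk event with devices logged on the
    same computer no more than `window` before the detection."""
    results = []
    for risk in risk_rows:
        if risk["file_path"].upper().startswith("C:"):
            continue  # assumption: C: is the fixed system drive, not USB
        candidates = sorted({d["device_id"] for d in device_rows
                             if d["computer"] == risk["computer"]
                             and timedelta(0) <= risk["time"] - d["time"] <= window})
        status = ("match" if len(candidates) == 1
                  else "ambiguous" if candidates else "unknown")
        results.append((risk["computer"], risk["file_path"], status, candidates))
    return results

def device_counts(results):
    """Count only unambiguous matches so no device ID is listed by guesswork."""
    return Counter(c[0] for _, _, status, c in results if status == "match")

if __name__ == "__main__":
    for row in correlate(load(DEVICE_LOG), load(RISK_LOG)):
        print(row)
```

Events marked `ambiguous` (several devices plugged in shortly before the detection) or `unknown` (no device logged in the window) are left for manual review instead of being attributed to a device ID.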

SEP_FMI's picture

This is exactly what I was looking for.  I will go give it a try.


pete_4u2002's picture

Block all the USB and exclude only company allowed; that's the best step to go ahead with.