Endpoint Protection

  • 1.  Can you use SEP 12.1 RU2 to identify the specifics on a USB Drive?

    Posted Feb 05, 2013 11:45 AM

    Basically, we are a global company and we have a problem with users bringing in their own USB devices.  From the trends in our Risk data it's been proven that the majority of our infections come from USB devices.  We attempted previously in SEP 11 RU6 MP2 to establish an Application and Control Policy that would allow us to block all USB devices except for company-issued ones based on the Device ID, but due to problems with the policy we were never able to make it work successfully.  From reading a recent article it looks like they've resolved this issue in versions 11 RU7 MP3 and newer.  So here's my question.


    Does SEP 12.1 RU2 have the ability to report details of USB devices to SEP?  Primarily, to provide the Device ID of the USB drive when it detects malicious files on that drive?


    I was thinking that if this is possible, I can slowly build a list that will essentially knock out about a million infections a month.



  • 2.  RE: Can you use SEP 12.1 RU2 to identify the specifics on a USB Drive?

    Posted Feb 05, 2013 11:58 AM

    If you have the proper rule in place it should give you detailed info, but the product that can do all this is Endpoint Encryption - Device Control.

    What you can do from the logs

    Article:HOWTO81161  |  Created: 2012-10-24  |  Updated: 2013-01-30  |  Article URL http://www.symantec.com/docs/HOWTO81161


    The Application Control log and the Device Control log contain information about events where some type of behavior was blocked.

    The following Application and Device Control logs are available:

    • Application Control, which includes information about Tamper Protection

    • Device Control

    Available information includes the time the event occurred, the action taken, and the domain and computer that were involved. It also includes the user that was involved, the severity, the rule that was involved, the caller process, and the target.

    You can create an application control or Tamper Protection exception from the Application Control log.

    See Specifying how Symantec Endpoint Protection handles monitored applications.



  • 3.  RE: Can you use SEP 12.1 RU2 to identify the specifics on a USB Drive?
    Best Answer

    Posted Feb 05, 2013 12:02 PM

    Soooo in 12.1, the Device Control part of the policy has changed the little checkbox at the bottom to "Log Detected Devices" rather than "Log Blocked Devices".

    You would have to use these logs in conjunction with the Risk logs to find the device ID, I'm afraid.  The Risk logs will only show the file path from what I recall.
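The correlation the answer above describes (Device Control "Log Detected Devices" events joined to Risk log events by computer and time, because the Risk log only carries a file path) can be scripted once both logs are exported from the SEPM console. The following is an added example, not code from the thread or from Symantec: the CSV column names, the sample rows, the company-issued device list and the one-hour pairing window are all constructed assumptions. A risk event on a non-fixed drive letter is attributed to the most recent device detection on the same computer inside the window, and the resulting IDs are turned into Device Control entries, with a check for the collision the "block all, exclude company-issued" approach runs into when a blocked model and a company drive share make and model.

```python
import csv
import fnmatch
import io
from collections import defaultdict
from datetime import datetime, timedelta

TS_FORMAT = "%Y-%m-%d %H:%M:%S"
FIXED_DRIVES = {"C:"}  # assumption: C: is the only fixed disk on these clients

# Constructed sample exports. Column names are assumptions, not the exact
# SEPM export headers; rename the keys below to match a real export.
DEVICE_CONTROL_LOG = """Event Time,Computer,User,Action,Device ID
2013-02-05 09:12:31,WS-1042,jdoe,Detected,USBSTOR\\DISK&VEN_SANDISK&PROD_CRUZER&REV_1.26\\4C530001230212345678&0
2013-02-05 09:40:02,WS-2077,asmith,Detected,USBSTOR\\DISK&VEN_KINGSTON&PROD_DATATRAVELER_3.0&REV_PMAP\\0019E06B1A2B3C4D5E6F&0
2013-02-05 10:05:15,WS-1042,jdoe,Detected,USBSTOR\\DISK&VEN_CORP&PROD_ISSUED&REV_1.00\\CORP000112233&0
2013-02-05 10:09:44,WS-3150,mlee,Detected,USBSTOR\\DISK&VEN_SANDISK&PROD_CRUZER&REV_1.26\\4C530009876543210000&0
"""

RISK_LOG = """Event Time,Computer,User,Risk Name,File Path,Action
2013-02-05 09:13:07,WS-1042,jdoe,W32.Sality,E:\\autorun.inf,Quarantined
2013-02-05 10:10:20,WS-3150,mlee,W32.Sality,F:\\docs\\invoice.exe,Quarantined
2013-02-05 11:30:00,WS-2077,asmith,Trojan.Gen,C:\\Users\\asmith\\Downloads\\setup.exe,Quarantined
"""

# Constructed list of company-issued drives (full PnP instance IDs).
COMPANY_ISSUED = [
    "USBSTOR\\DISK&VEN_CORP&PROD_ISSUED&REV_1.00\\CORP000112233&0",
    "USBSTOR\\DISK&VEN_SANDISK&PROD_CRUZER&REV_1.26\\4C53CORP000000000001&0",
]


def parse_export(text):
    """Parse a CSV export into a list of dicts keyed by the header row."""
    return list(csv.DictReader(io.StringIO(text)))


def drive_letter(path):
    """Return 'E:' for 'E:\\autorun.inf'; None for UNC or relative paths."""
    if len(path) >= 2 and path[1] == ":" and path[0].isalpha():
        return path[:2].upper()
    return None


def correlate(device_rows, risk_rows, window=timedelta(hours=1)):
    """Map each Device ID to the risk detections attributed to it.

    Heuristic: a risk event whose file path is on a non-fixed drive letter
    is paired with the most recent 'Detected' device event for the same
    computer that happened no more than `window` before it.
    """
    detections = defaultdict(list)  # computer -> [(time, device_id)]
    for row in device_rows:
        if row["Action"] != "Detected":
            continue
        t = datetime.strptime(row["Event Time"], TS_FORMAT)
        detections[row["Computer"]].append((t, row["Device ID"]))

    linked = defaultdict(list)  # device_id -> [(computer, risk, path)]
    for row in risk_rows:
        letter = drive_letter(row["File Path"])
        if letter is None or letter in FIXED_DRIVES:
            continue  # not on a removable drive letter; skip
        t = datetime.strptime(row["Event Time"], TS_FORMAT)
        candidates = [(dt, dev) for dt, dev in detections[row["Computer"]]
                      if dt <= t and t - dt <= window]
        if not candidates:
            continue
        _, device_id = max(candidates)  # latest insertion before the detection
        linked[device_id].append((row["Computer"], row["Risk Name"], row["File Path"]))
    return dict(linked)


def block_pattern(device_id, by_model=True):
    """Turn an instance ID into a Device Control entry.

    by_model=True drops the serial/instance part after the last backslash
    and appends the '*' wildcard, so every drive of that make/model is
    covered. by_model=False keeps the exact instance (one physical drive).
    """
    if not by_model:
        return device_id
    return device_id.rsplit("\\", 1)[0] + "*"


def allowlist_overlap(block_patterns, company_ids):
    """Company-issued IDs that at least one block pattern would also match.

    Matching is case-insensitive because Windows PnP IDs are.
    """
    return sorted({cid for cid in company_ids
                   for pat in block_patterns
                   if fnmatch.fnmatchcase(cid.upper(), pat.upper())})


if __name__ == "__main__":
    linked = correlate(parse_export(DEVICE_CONTROL_LOG), parse_export(RISK_LOG))
    for dev, hits in linked.items():
        print(dev, "->", hits)
    patterns = sorted({block_pattern(d) for d in linked})
    print("block entries:", patterns)
    print("company drives also matched:", allowlist_overlap(patterns, COMPANY_ISSUED))
```

Run against real exports, widen the window to cover how long a drive typically stays plugged in, and expect some wrong pairings on computers where several drives were inserted in quick succession; the overlap check is there because a model-level wildcard that catches a rogue SanDisk Cruzer also catches a company-issued Cruzer, so entries that overlap the exclusion list need to be checked against which side of the policy wins before they go into production.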



  • 4.  RE: Can you use SEP 12.1 RU2 to identify the specifics on a USB Drive?

    Broadcom Employee
    Posted Feb 05, 2013 12:05 PM
    Block all the USB and exclude only company-allowed ones; that's the best step to go ahead with.


  • 5.  RE: Can you use SEP 12.1 RU2 to identify the specifics on a USB Drive?

    Posted Feb 05, 2013 12:36 PM

    This is exactly what I was looking for.  I will go give it a try.

    Thanks!