
Device control reporting, logging and controls broken, help file incorrect

Created: 08 May 2013 | 5 comments

Currently at SEPM and SEP 12.xx RU2 MP1. All computers, clients and servers are running this same version, 12.1.2015.2015.
SEPM and database working, SQL database on distinct SQL server.
In SEP version 11 series, I could use app and device control, and I could block all usb storage, exclude just a small handful, and tell SEP to log all blocked devices.
Further, I could go into the SEPM console, choose monitors tab on the left, then choose the notification tab from the top, then notification conditions and tell SEP to send me an email if and when someone attempted to use a blocked device.
Purring happily along like a well-fed cat, SEP would send me an email every week or so, whenever someone plugged in their WalMart thumbdrive with the free apps they downloaded over the weekend at home on their unprotected computer. It blocked the device, it logged the BLOCKED device, and it sent me an email. Better yet, I set up the reports so that each month the boss got an email report of the blocked devices for that month. Life was good, SEP was cool, alerts worked, and my Outlook inbox didn't grow by much.

Then along comes 12.xxxx. I think, great, 12 has neat new stuff, so I upgraded to 12.
Within hours I realized my inbox was filling with humongous emails, some running several meg in size - telling me of all the DETECTED devices SEP had found. I'm not talking about the 1 every week or so, or the 3 or 4 a month, I'm talking an email every hour, big, every device SEP saw every single time anyone here started one of the 370 computers SEP sits on. Holy cow. I had to turn off the notifications to keep from being told my Exchange account was filling the central Exchange server storage.

With v 12.xxx, we lost the ability to know when someone was naughty and broke the rules by plugging in their cool lime green USB thumbdrive. I had to tell the boss, sorry, no more monthly reports, and sorry boss, I can't honestly tell you how many have plugged in such devices, and I can't tell you WHO did it.

Someone thought it would be better to change SEP so that it told of all detected devices.
Do they know how many devices SEP sees when a computer is rebooted/restarted or turned on? Hard drives, CD or DVD, every device not blocked was being reported on each restart.

Here's an indication that suggests few really knew this was happening (besides the fact that even tech support didn't realize it): I find that the documentation or help file is wrong. See screenshots below; the help says "log blocked devices".

The device control policy screen itself says log DETECTED devices, which is what it now does since 12 came out. 11 used to allow me to check that box and log - and thus REPORT or notify on blocked devices.
Someone far smarter than I (they think) changed it to log ALL detected devices.

I try to filter on blocked - but the logs show even ALLOWED devices as "Device control disabled device" in that column - even allowed devices.
SEP no longer differentiates between allowed and disabled, so of course reports and logs and alerts/notifications are worthless - totally worthless.
As promised, the screenshots. Note the help file from the current, very current SEP - see what it says and how it states it - this is how SEP 11 worked, and how we WANT it to work, how it works best for the customer wanting to track rogue devices:

[Screenshot: blocked-devices-help.jpg]

And here we have the reality - note the wording here: "Log detected devices".
It used to be you checked this to log blocked (disabled) devices, devices SEP killed because you told it to.
Why would anyone running 370 + computers want to log all devices SEP ever saw on each and every startup or restart?

[Screenshot: sepm-log-issues-2.png]

Now before anyone jumps in and says "gee, Bill, don't you know you can simply filter this - specific disabled devices or run a report on disabled devices"?
No, you cannot - Symantec broke THAT part too! Please - take a close look at this one - please note I have this report filtered - I told it to report only DISABLED or blocked devices - and it shows me every device SEP has seen for this time period - all of them ALLOWED!

Floppy disk controller? who cares!
Mouse - who cares?
The list goes on - all allowed devices, and yet the filter (see - applied filters is 2) is set to show event type BLOCKED or disabled.

[Screenshot: sepm-log-issues-3.png]

So, in summary:

Symantec broke one of the nice features of SEP when they released the SEP 12 series. This all worked not just well, but beautifully. SEP 11 was the reason we dropped SafeEnd completely - with SEP, who needed it? SEP could block, allow, report or notify on blocked or disabled devices, send me an email, and generate a monthly report for the boss.

Symantec broke the notifications - I want an email notification when someone plugs in their Mickey Mouse thumbdrive loaded with fun screensavers they got free. Now I get an email that is 6 or 10 meg in size telling me of every device seen in the last hour.

Symantec has got the help file wrong - and the only check box is to "log detected devices" where it used to be log disabled devices. The help and product matched. The help shows the proper way - the way I bet every customer wants it to be again, while SEP in reality has no ability to log or alert disabled devices, only "detected devices", which includes a mouse, keyboard, floppy controller, DVD drive, and other devices.

I am very curious - why did someone think we wanted a list of all devices seen whenever a computer was turned on or restarted? Why was it decided I wanted a 10 meg email every hour that told me of all the detected devices in the agency, instead of a rare email telling me who broke the rules?
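The filtering and notification behaviour described above, re-created outside SEPM as an added example (this is not code from the post or from Symantec): a small Python script that post-processes a device control log export. Because the export marks allowed and blocked devices alike, the script re-derives the policy decision itself from the device ID (USB storage class minus the policy's exclusion list), remembers which events it has already reported so each hourly run mails only new violations rather than everything seen so far, and returns no notification at all when there is nothing to say. The column layout, the exclusion list and the sample rows are assumptions constructed for the example; a real export will need its column names mapped.

```python
"""Post-process a device-control log export so that only real policy
violations (blocked USB storage) are reported, each event only once,
and no report is produced when there is nothing to report.

The CSV column names, the exclusion list and the sample rows below are
assumptions constructed for this example, not the real SEPM export layout.
"""
import csv
import io
from collections import Counter

# Constructed sample export (hypothetical columns). Note that every row,
# allowed or not, carries the same event type, exactly the problem the
# post describes, so that column is useless for filtering.
SAMPLE_EXPORT = """\
event_time,computer,user,event_type,device_id
2013-05-06 08:01:12,WS-0142,jsmith,Device control disabled device,HID\\VID_046D&PID_C077\\6&1A2B3C4D&0&0000
2013-05-06 08:01:13,WS-0142,jsmith,Device control disabled device,SCSI\\DISK&VEN_WDC&PROD_WD5000AAKX\\4&2F3E1A2B&0&000000
2013-05-06 08:03:40,WS-0142,jsmith,Device control disabled device,USBSTOR\\DISK&VEN_KINGSTON&PROD_DATATRAVELER&REV_1.00\\AGENCY0001&0
2013-05-06 09:17:05,WS-0287,bjones,Device control disabled device,USBSTOR\\DISK&VEN_SANDISK&PROD_CRUZER&REV_1.26\\4C530001230\\0
"""

# Device IDs the policy excludes from the USB-storage block rule
# (constructed; in practice copy them from the device control policy).
EXCLUDED_DEVICE_IDS = {
    "USBSTOR\\DISK&VEN_KINGSTON&PROD_DATATRAVELER&REV_1.00\\AGENCY0001&0",
}


def is_usb_storage(device_id: str) -> bool:
    """The block rule targets the Windows USBSTOR device class."""
    return device_id.upper().startswith("USBSTOR\\")


def is_blocked(device_id: str) -> bool:
    """Re-derive the policy decision: USB storage that is not excluded."""
    return is_usb_storage(device_id) and device_id not in EXCLUDED_DEVICE_IDS


def event_key(row: dict) -> tuple:
    """Stable identity of one event, used to avoid reporting it twice."""
    return (row["event_time"], row["computer"], row["device_id"])


def new_blocked_events(csv_text: str, seen: set) -> list:
    """Return violation rows not reported before; records them in `seen`
    so the next hourly run does not repeat earlier events."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if not is_blocked(row["device_id"]):
            continue
        key = event_key(row)
        if key in seen:
            continue
        seen.add(key)
        rows.append(row)
    return rows


def build_notification(rows: list):
    """Return the email body, or None so that no empty report is sent."""
    if not rows:
        return None
    lines = [f"{len(rows)} blocked device event(s):"]
    for r in rows:
        lines.append(f"{r['event_time']}  {r['computer']}  {r['user']}  {r['device_id']}")
    return "\n".join(lines)


def monthly_summary(rows: list) -> Counter:
    """Who plugged in blocked devices, and on which computer, how often."""
    return Counter((r["user"], r["computer"]) for r in rows)


if __name__ == "__main__":
    seen_events = set()            # persist this between runs in practice
    hour1 = new_blocked_events(SAMPLE_EXPORT, seen_events)
    print(build_notification(hour1))          # one violation: bjones on WS-0287
    hour2 = new_blocked_events(SAMPLE_EXPORT, seen_events)
    print(build_notification(hour2))          # None: nothing new, send nothing
    print(dict(monthly_summary(hour1)))
```

The `seen` set is what stops the cumulative emails the post complains about; in a scheduled job it would be written to disk between runs. Keying on time, computer and device ID rather than on the whole row keeps the state small and tolerant of cosmetic changes in other columns.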

Comments (5)

TORB wrote:

Just out of curiosity. I have not tested this myself.

Can you try unchecking the "Log detected devices" and plug in an unwanted device.

Wouldn't it still log the blocked device? That would make sense, as there is really no reason to block a device if you don't want to log it. Meaning that it logs the blocked devices by default, and the "log detected devices" is just for Mr. Paranoid.

(And you are of course right, the manual is wrong.)

Torb

ShadowsPapa wrote:

>>Can you try unchecking the "Log detected devices" and plug in an unwanted device. Wouldn't it still log the blocked device?<<

It would log - but won't notify on just blocked. And since it was the notifications that fully broke, I don't sit and watch logs to see if there's a blocked device in the group.

If you do check that box, it logs ALL devices. It used to match all of the other policy areas - you had to check a box to get it to log blocked devices. Some folks want to block, but don't want the logs filled with blocked devices. So the option was to log blocked devices, otherwise just quietly block them and don't bother logging. Check out the app control, FIREWALL, intrusion detection, etc.  -you can optionally log, otherwise, say, in the firewall, you can have things blocked, but don't log them. That's how device control used to be. Some folks want to quietly block, but don't log.
Since SEP puts even allowed devices in the logs with an Event Type of "disabled device", the logs are a mess.
So how do you sort through hundreds of entries and find the blocked or disabled devices? You can't - not easily - you have to read every single entry detail to find the blocked or disabled devices. Why would you want to log floppy controllers, DVD drives, hard drives, keyboards, mice, sound devices, etc. when they are normal and expected? Paranoid doesn't fit that - there is no bloody use in logging all normal computer devices. You KNOW they are there. You KNOW the computer has a floppy controller, you know it has a mouse and keyboard, you know it has a DVD drive. So why log that?

Worse- the box or setting below that is worthless, too - I want to notify users when a device is BLOCKED, but that box says "notify users when a device is blocked or unblocked". 
Stick with "notify when BLOCKED" - get rid of the notify when unblocked or allowed. They expect things to be allowed. And telling them "hey, your DVD was allowed" is just confusing things.
If a device is excluded, they get TWO notices - one when it's blocked because it is a USB storage device, and another when it is unblocked as SEP sees it in the excluded devices list. So, that, too, is worthless and absolutely not logical.
They need to put it all back to how it was when 11 was around. Make it so that the instructions make sense, make it so that users are notified ONLY if their device is blocked (as I want to hit them with a "you know better than that, we're logging this" message)
Make the choices "Log blocked devices", or if that's what they REALLY mean, then it should STATE that. As is typical, however, the instructions and manuals are very lacking. They don't explain what things are for - just that "you can check or uncheck this box". So the instructions need to explain explicitly: what happens if I DO check this box? What happens if I do NOT check that box? Will it log xxx devices if I don't check it? And let me "notify users of BLOCKED devices" and explain "user receives warning in the event a device is BLOCKED, but no warning otherwise."
But like I said - SEP 11 made total sense, it just plain WORKED.

I had a support case open on this - the fellow was very very good, he tried really hard, I got personal service, I felt, but alas, no matter what he/we tried, I could not get SEP to email me a notice when a blocked device was found. It only sent notices when A device was found - and then each subsequent email included all prior email events! So if someone started a computer and SEP saw 4 devices (none of which were blocked, all were normal and allowed) I got an email. An hour later I got another email with info about a different computer being turned on, AND it also included the info from the FIRST one. Size increased... an hour after that I would get another email with new info, and the prior, AND the first info too!

In the end some of the emails were 10 meg in size! That's almost large enough to trigger email blocking here!!

So support had me modify one of the SEPM files to not display the allowed stuff in reports. I still got the emails, they were just EMPTY reports! So now every hour I'm getting an email of devices - allowed, but since they filtered out the allowed devices somehow, the email contained a report with no entries in it. I'd come in after a weekend to 50+ emails all with empty reports. I had to fully disable notifications.

Here we sit - not knowing if SEP is blocking devices or not, no notifications if someone tries to insert a device and STEAL data, and no monthly reports for the boss.

Just put it back to the way it was in SEP 11 please. Don't try to improve what is already perfect, and the device control parts of SEP 11 were so perfect, there was no possible way to make them better; however, there was obviously a way to BREAK IT. And that has been proven by SEP 12.

In short, it all worked perfectly, the help matched reality, reports and notifications were perfect - blocked devices only, and it was simple to configure as it was very intuitive in SEP 11. When we upgraded, it all broke. I made no changes, didn't uncheck or check anything, kept the same notifications, same reports, same rules and policies, but when I put in SEP and SEPM 12, it broke. So it wasn't me - it was SEP.

flutti wrote:

Hello ShadowsPapa

I am currently encountering the same issue. It is just terrible ever since all the devices (no matter if allowed or blocked) are getting logged.

Did you ever find a way to get around this annoying issue?

Cheers
Fab

ShadowsPapa wrote:

No, this is still not working as it did in 11. Still unable to receive any reports of blocked devices.

So I guess in summary, this is still broken, even several iterations into v12; they apparently don't deem this a worthwhile feature of SEP, and view that customers have no use for reports on blocked devices. Engineers need to spend some time in our world. Spend a day with me and I almost guarantee there'd be some "fixes" or changes in the next release.

Worse, I get to ADD to this problem another introduced with the latest version, 12.1.3
I now receive emails with this topic:     Risk Outbreak by Number of Attacked Computers
BUT, when I open the email, this is the content: "nothing to report". However, it states that there were 2 found!
Yet another alert that's worthless after an update. Pretty cool, I have to go in and disable or delete or reconfigure alerts after each upgrade or update, and in this case, now there's at least a couple that I have to remove. I can no longer use SEP to report on blocked devices, and I can no longer get email alerts for "outbreaks". Soon we may as well simply shut off any reporting or logging at all.

How cool is this? Another one messed up.
[Screenshot: outbreak-alert.png]

flutti wrote:

Oh well ... This is not really what I wanted to hear ;)

I think it's a shame because this was one of the key points - as you already mentioned in one of your posts as well - for using SEP11 back in 2009-ish. Internal security has ever since been used to having a simple, easy way of seeing blocked devices; isn't this what reports are all about, essentially?

Really (and I don't like to call it like this, but it's the truth) kinda worthless now in a certain way. I sincerely don't want to have logs flooded with absolute nonsense of allowed devices and having to create some kind of primitive workflow to get things right again. Big disappointment.

Luckily I don't use the second report you mentioned in your post just above, but it reflects my experiences with SEP12 reporting: It's a complete mess. Back to stone age.