Device control reporting, logging and controls broken, help file incorrect
Currently at SEPM and SEP 12.xx RU2 MP1. All computers, clients and servers running this same version 12.1.2015.2015.
SEPM and database working, SQL database on distinct SQL server.
In SEP version 11 series, I could use app and device control, and I could block all usb storage, exclude just a small handful, and tell SEP to log all blocked devices.
Further, I could go into the SEPM console, choose monitors tab on the left, then choose the notification tab from the top, then notification conditions and tell SEP to send me an email if and when someone attempted to use a blocked device.
Purring happily along like a well-fed cat, SEP would send me an email every week or so, whenever someone plugged in their WalMart thumbdrive with the free apps they downloaded over the weekend at home on their unprotected computer. It blocked the device, it logged the BLOCKED device, and it sent me an email. Better yet, I set up the reports so that each month the boss got an email report of the blocked devices for that month. Life was good, SEP was cool, alerts worked, and my Outlook inbox didn't grow by much.
Then along comes 12.xxxx. I think great, 12 has neat new stuff, so upgraded to 12.
Within hours I realized my inbox was filling with humongous emails, some running several meg in size - telling me of all the DETECTED devices SEP had found. I'm not talking about the 1 every week or so, or the 3 or 4 a month, I'm talking an email every hour, big, every device SEP saw every single time anyone here started one of the 370 computers SEP sits on. Holy cow. I had to turn off the notifications to keep from being told my Exchange account was filling the central Exchange server storage.
With v 12.xxx, we lost the ability to know when someone was naughty and broke the rules by plugging in their cool lime green USB thumbdrive, I had to tell the boss, sorry, no more monthly reports, and sorry boss, I can't honestly tell you how many have plugged in such devices, and I can't tell you WHO did it.
Someone thought it would be better to change SEP so that it told of all detected devices.
......do they know how many devices SEP sees when a computer is rebooted/restarted or turned on? Hard drives, CD or DVD, every device not blocked was being reported on each restart.
Here's an indication that suggests that few really knew this was happening (besides the fact that even tech support didn't realize it) I find that the documentation or help file is wrong....see screenshots below - help says "log blocked devices".
The device control policy screen itself says log DETECTED devices, which is what it now does since 12 came out. 11 used to allow me to check that box and log - and thus REPORT or notify on blocked devices.
Someone far smarter than I (they think) changed it to log ALL detected devices.
I try to filter on blocked - but the logs show even ALLOWED devices as "Device control disabled device" in that column - even allowed devices.
SEP no longer differentiates between allowed and disabled, so of course reports and logs and alerts/notifications are worthless - totally worthless.
As promised, the screenshots. Note the help file from the current, very current SEP - see what it says and how it states it - this is how SEP 11 worked, and how we WANT it to work, how it works best for the customer wanting to track rogue devices:
And here we have the reality - note the wording here......... "Log detected devices"
It used to be you checked this to log blocked (disabled) devices. Devices SEP killed because you told it to.
Why would anyone running 370 + computers want to log all devices SEP ever saw on each and every startup or restart?
Now before anyone jumps in and says "gee, Bill, don't you know you can simply filter this - specific disabled devices or run a report on disabled devices"?
No, you cannot - Symantec broke THAT part too! Please - take a close look at this one - please note I have this report filtered - I told it to report only DISABLED or blocked devices - and it shows me every device SEP has seen for this time period - all of them ALLOWED!
Floppy disk controller? who cares!
Mouse - who cares?
The list goes on - all allowed devices, and yet the filter (see - applied filters is 2) is set to show event type BLOCKED or disabled.
So, in summary:
Symantec broke one of the nice features of SEP when they released the SEP 12 series. This all worked not just well, but beautifully. SEP 11 was the reason we dropped SafeEnd completely - with SEP, who needed it? SEP could block, allow, report or notify on blocked or disabled devices, send me an email, and generate a monthly report for the boss.
Symantec broke the notifications - I want an email notification when someone plugs in their Mickey Mouse thumbdrive loaded with fun screensavers they got free. Now I get an email that is 6 or 10 meg in size telling me of every device seen in the last hour.
Symantec has got the help file wrong - and the only check box is to "log detected devices" where it used to be log disabled devices. The help and product matched. The help shows the proper way - the way I bet every customer wants it to be again, while SEP in reality has no ability to log or alert disabled devices, only "detected devices", which includes a mouse, keyboard, floppy controller, DVD drive, and other devices.
I am very curious - why did someone think we wanted a list of all devices seen whenever a computer was turned on or restarted? Why was it decided I wanted a 10 meg email every hour that told me of all the detected devices in the agency, instead of a rare email telling me who broke the rules?