Endpoint Protection

  • 1.  IE or Logging Information

    Posted Jul 23, 2009 11:14 AM
    I am in need of some suggestions. I know there is a way for an executable or batch file to run when a single alert event happens, under the notifications conditions area of SEPM. But I would like to find a way to generate additional information.

    This is what I would like it to do.

    When an alert is triggered, SEP or some other application grabs all the information that is needed to generate a report as to what the user was doing. For example, key-logging and IE history. We have had issues in the past where users who, let's say, weren't doing their job have completely denied any wrongdoing while visiting sites that perhaps they shouldn't be visiting. They dump their cache and other things.

    I know there are packet and traffic logs available, but most of the time they are useless, especially if 24 hours or more have passed.


  • 2.  RE: IE or Logging Information

    Posted Jul 23, 2009 04:13 PM
    I think we can continue this discussion in the other duplicated discussion:
    https://www-secure.symantec.com/connect/forums/single-alert-event

    Regards,



  • 3.  RE: IE or Logging Information

    Posted Jul 23, 2009 04:24 PM
    SEP is a tool to protect endpoints from viruses and attacks. It is not set up to record and log user browser activity.

    Here is a good article on Web Browser Forensics, with links to some free and commercial tools.

    http://www.securityfocus.com/infocus/1827


  • 4.  RE: IE or Logging Information

    Posted Jul 23, 2009 04:58 PM
    So what would be the point of logging then? 

    SEP is an enterprise solution application that should have the ability to say, hey, something just happened to the machine, let's figure out what just happened, what the computer was doing, where it was visiting, what application was running, and present it in a fashion that is clear and relevant to a virus or attack on the machine.


  • 5.  RE: IE or Logging Information

    Posted Jul 23, 2009 05:51 PM
    I can see the benefits of logging every site that the endpoint visits. You should write this up and put it in the Ideas section. I know SEP 12 for Enterprise will be bigger and better, so maybe browser tracking could be included.


    Have you considered disabling the general page in IE? This way your users would not be able to clear the history. The only issue is that this only works with IE.
    Thomas


  • 6.  RE: IE or Logging Information

    Posted Jul 24, 2009 09:29 AM
    I will speak with my IT manager about this, but just speaking off the top of my head, it might not be an option. Sometimes we need to instruct them to clear their cookies, as we do a lot of business with Monster.com and Careerbuilder.com, and a cookie clearing sometimes fixes errors that the users experience while searching on their sites.

    Also, tabbing, in my opinion, is a very personal preference. Some people love it, some hate it. I was doing an application sharing with a user and they had 14 instances of IE open. I asked why and they said they didn't like tabbing. Don't know.