Is it possible to monitor which files are copied?

Created: 13 Jul 2012 • Updated: 13 Jul 2012 | 7 comments
diabolicus23's picture

Scenario: I'd like to monitor an infrastructure with SEP in order to know which files are copied (let me say, from hard drive to usb pendrive): is it possible to do that?

I know how to activate a policy in test mode in order to register when a user connects a pendrive to the PC, but I only know how to block (or test) the copying of files to that device. I'd like to know "which" files the user tries to copy.

Please, tell me I have a possibility :)

Thanks in advance

PS: SEP 11; the customer will probably migrate to SEP 12.1 in order to also control 64-bit OSes.

Mithun Sanghavi's picture

Hello,

Check this Thread -  https://www-secure.symantec.com/connect/forums/usb-logging

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

consoleadmin's picture

Hi,

You can only get information about which USB device has been connected, but not about which data has been copied.

This requirement is fulfilled by another Symantec product, namely DLP.

This idea has already been raised by someone; hopefully it will be implemented.

https://www-secure.symantec.com/connect/idea/files-written-usb-drives-detailed-log

Thanks.

diabolicus23's picture

Oh thanks.

I thought that the option which says "log..." something in the SEP console would meet my needs, but I was wrong ;)

Thanks a lot

SMLatCST's picture

This thread shows a few screenies on configuring an Application policy for the purpose of logging files copied to USB:

https://www-secure.symantec.com/connect/forums/log-writen-files-usb

There's also an old article on Symantec about it, which used to contain a copy of an A&DC Policy including the "Log Files Written to USB" application rule (as below):

http://www.symantec.com/docs/TECH155578

I think they removed the policy download because such a rule was bundled into SEP at some point (RU6MP2 I think).  What version are you using?

#EDIT#

Just to clarify for all those nay-sayers, please see the attached screenie from an RU6MP2 SEPM Application Control policy for the rule to "Log Files written to USB".

Within the SEPM logs, you will see logs for any files that were written to USB drives.  These logs will contain the destination filename and path, plus which SEP Client (machine name) performed the writing.  What you don't have, is the source file name, file shadowing capabilities and the like.

What info do you need exactly?

A&DCRU6MP2.JPG
Ajit Jha's picture

What you are talking about is copying data from your hard drive to USB or any external media. For such solutions Symantec Endpoint will surely NOT help you. You can monitor the devices being used, block the devices, etc.

But to protect the data you need the Symantec Data Loss solution.

http://www.symantec.com/theme.jsp?themeid=dlp-family

Regards,

Ajit Jha

Technical Consultant

ASC & STS

consoleadmin's picture

If your requirement is fulfilled, then please mark the valid comment as the solution.

Thanks.