Endpoint Protection

  • 1.  Logging USB writes

    Posted Jun 25, 2013 10:25 AM

    I've set an Application and Device Control policy as per http://www.symantec.com/business/support/index?page=content&id=TECH155578&profileURL=https%3A%2F%2Fsymaccount-profile.symantec.com%2FSSO%2Findex.jsp%3FssoID%3D137217002473140r33p6oX11aZir1gzIq2CMse3Bnv23631Z8M but I'm not seeing any logs at all (seems the same as https://www-secure.symantec.com/connect/forums/logging-usb-drive-writes)

    I've tested on a computer that has this policy applied, using multiple files/USB sticks, but nothing is showing in Monitor>Logs>Application and Device Control Logs>Application Control.

    Can anyone help with what might be missing?



  • 2.  RE: Logging USB writes

    Posted Jun 25, 2013 10:33 AM

    Did you check the client to see if any logs are generated on it?

    If so, is the option to upload the Control log to the SEPM checked?



  • 3.  RE: Logging USB writes

    Posted Jun 25, 2013 10:52 AM

    Thanks for getting back so quickly, Brian81.

    I can't see any logs in the client apart from policy applied etc. in the client mgmt>system log (control and security logs are empty on the client). There are some logs in the virus/spyware protection logs as well, but for e.g. scheduled scans. Should it log on the client as well? I'm looking for logs on the server for all clients.

    Thanks again,



  • 4.  RE: Logging USB writes

    Posted Jun 25, 2013 10:54 AM

    Yes, you should see these logs on the client as well. Check the Control log on the client.

    If they're empty on the client then something is not right. Did you confirm the client has the same policy as what's showing in the SEPM?



  • 5.  RE: Logging USB writes

    Posted Jun 25, 2013 01:57 PM

    Was logging enabled?

    How to use Symantec Endpoint Protection (SEP) to monitor the USB device activity

    Can you insert the USB, disable and enable it under Device Manager, and try again?


  • 6.  RE: Logging USB writes

    Posted Jun 26, 2013 04:45 AM

    Thanks for the suggestions,

    The only place logging was enabled was in the policy "Enable Logging" next to "Rule Set Name" in the Application Control Rule set, but there are no logs re USB writes in the client that I can see. Is there somewhere else that could disable logging? Is there a way to open the client with no restrictions (tried running as admin) in case some logs are hidden?

    Client MGMT:

    * Control Log: Empty

    * Security Log: Empty

    * System Log: A lot of informational logs like "Downloading new content from GUP", "Update for xxxxxx was successfully installed"

    There don't seem to be any USB logs. I've tried to eject/reinsert/re-copy files, but still no logs.