Video Screencast Help
Search Video Help Close Back
to help

Notification

Created: 16 Oct 2012 | Updated: 17 Oct 2012 | 4 comments
amitjain621's picture
amitjain621
0 0 Votes
Login to vote
This issue has been solved. See solution.

HI,

I want to reterive USB attach notification in sepm .

how to retrive this notification

 

Discussion Filed Under:
, , ,

Comments 4 CommentsJump to latest comment

Ashish-Sharma's picture
Ashish-Sharma
Notification - Comment:16 Oct 2012 : Link

log in to Symantec Endpoint Protection Manager Console /SEPM

2: click "Policies"-->click " Application and Device Control" under "View Policies"-->edit or create a new application policy-->click "Application Control" -->on the right panel , enable " Log Files written to USB drivers"

3: click edit button to edit  "Log Files written to USB drives" policy configuration

4: click "Log written to USB drives" under "Log written to USB drives" on the left panel

5: under "Properties" tag ,choose which USB device will be used for this policy, default is " *" which is mean all USB device will be applied with this settings.

6: under " Actions" , if you want to just record the creating, deleting or writing attempts of USB device, please click "enable logging" under "create, delete or write attempt". if you want to record reading attemp either, you need tick "ebable logging" under " read attempt"

7: click "OK" twice and then left click this policy and assign this policy to groups

how to view the record of USB activation?

1: log in SEPM

2: click "Monitor" on the SEPM left panel

3: click " logs" tag

4:choose " application and device control" as log type, choose " application control" as log content.

5: choose the approperal time range and click " view log" button

6: you can find the same information from database table" DBA.AGENT_BEHAVIOR_LOG_2"

Ref - http://www.symantec.com/docs/TECH155578

Policy to LOG activity in a USB drive by Symantec Endpoint Protection (SEP):

http://www.symantec.com/docs/TECH131125

Check these -  - 

https://www-secure.symantec.com/connect/forums/how-see-written-activity-usb-drive

https://www-secure.symantec.com/connect/forums/sep-11-log-usb-devices-are-connected

http://www.symantec.com/docs/TECH96690

However read this IDEA as well - 

https://www-secure.symantec.com/connect/idea/files-written-usb-drives-detailed-log

https://www-secure.symantec.com/connect/ideas/symantec-endpoint-protection-usb-device-logging

Thanks In Advance

Ashish Sharma

SEPM Knowledgebase Documents  

 

SOLUTION
+3
Login to vote
  • Actions
Parks1's picture
Parks1
Notification - Comment:16 Oct 2012 : Link

Nice Step Found try it.

Open and login to the SEPM

Click Monitors

Click Notifications

Click Notification Conditions

Click Add

Select Client security alert

check out the required option(Device Control events) under "What settings would you like for this notification?"

 

 
Outbreak type:

Occurrences on any computer

  
Compliance events Device Control events  
Network Threat Protection events Traffic events  
Packet events Application Control events  
Notification condition:  occurrenc

Set the notifcation condition

Then Add your email id here.

Then Ok

This process will help to get the Device acess log in Email

 

https://www-secure.symantec.com/connect/forums/not...

+2
Login to vote
  • Actions
Mithun Sanghavi's picture
Mithun Sanghavi Symantec Employee Technical Support Accredited
Notification - Comment:16 Oct 2012 : Link

Hello,

Solution

  1. Log in to Symantec Endpoint Protection Manager Console (SEPM)
  2. Click Policies on the left menu, then click Application and Device Control in the View Policies pane.
  3. Edit or create a new application policy:
    1. Click Application Control in the left pane of the policy.
    2. In the right pane, enable Log files written to USB drives.
  4. Click the edit button to modify the Log Files written to USB drives policy configuration.
  5. Click Log writing to USB drives under Log files written to USB drives, in the left pane,
  6. Under the Properties tab, select asterisk (*) from the Apply to the following files and folders and click on Edit...
  7. Confirm the USB device (USBSTOR*) is defined under Only match files on the following device id type and click OK
  8. Under the Actions tab, if you want to log the read, create, delete or write attempt to USB device, please check Enable logging.
  9. Click OK twice.
  10. Assign this policy to groups

How to view the Logs for the USB Activities:

  1. Log in to the SEPM.
  2. Click Monitors on the left menu.
  3. Click the Logs tab.
  4. Choose Application and Device Control as log type.
  5. Choose Application Control as log content.
  6. Select the appropriate time range and click the View Log button.

Note: You can find the same information from database table "DBA.AGENT_BEHAVIOR_LOG_2"

Check this Article:

Policy to LOG activity in a USB drive by Symantec Endpoint Protection

http://www.symantec.com/business/support/index?page=content&id=TECH155578

Check this Thread with similar Issue - 

https://www-secure.symantec.com/connect/forums/view-files-written-usb

Hope that helps!!

Mithun Sanghavi
Symantec Technical Support Engineer, SEP
MIM | MCSA | MCTS | STS | ITIL v3

Twitter: @mithun_sanghavi

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.<&a

+2
Login to vote
  • Actions
amitjain621's picture
amitjain621
Notification - Comment:17 Oct 2012 : Link

Great Knowladge sharing docs.yes

0
Login to vote
  • Actions