Video Screencast Help


Created: 16 Oct 2012 • Updated: 17 Oct 2012 | 4 comments
This issue has been solved. See solution.


I want to reterive USB attach notification in sepm .

how to retrive this notification

Comments 4 CommentsJump to latest comment

Ashish-Sharma's picture

log in to Symantec Endpoint Protection Manager Console /SEPM

2: click "Policies"-->click " Application and Device Control" under "View Policies"-->edit or create a new application policy-->click "Application Control" -->on the right panel , enable " Log Files written to USB drivers"

3: click edit button to edit  "Log Files written to USB drives" policy configuration

4: click "Log written to USB drives" under "Log written to USB drives" on the left panel

5: under "Properties" tag ,choose which USB device will be used for this policy, default is " *" which is mean all USB device will be applied with this settings.

6: under " Actions" , if you want to just record the creating, deleting or writing attempts of USB device, please click "enable logging" under "create, delete or write attempt". if you want to record reading attemp either, you need tick "ebable logging" under " read attempt"

7: click "OK" twice and then left click this policy and assign this policy to groups

how to view the record of USB activation?

1: log in SEPM

2: click "Monitor" on the SEPM left panel

3: click " logs" tag

4:choose " application and device control" as log type, choose " application control" as log content.

5: choose the approperal time range and click " view log" button

6: you can find the same information from database table" DBA.AGENT_BEHAVIOR_LOG_2"

Ref -

Policy to LOG activity in a USB drive by Symantec Endpoint Protection (SEP):

Check these -  -

However read this IDEA as well -

Thanks In Advance

Ashish Sharma

Parks1's picture

Nice Step Found try it.

Open and login to the SEPM

Click Monitors

Click Notifications

Click Notification Conditions

Click Add

Select Client security alert

check out the required option(Device Control events) under "What settings would you like for this notification?"

Outbreak type:

Occurrences on any computer

Compliance events Device Control events  
Network Threat Protection events Traffic events  
Packet events Application Control events  
Notification condition:  occurrenc

Set the notifcation condition

Then Add your email id here.

Then Ok

This process will help to get the Device acess log in Email

Mithun Sanghavi's picture



  1. Log in to Symantec Endpoint Protection Manager Console (SEPM)
  2. Click Policies on the left menu, then click Application and Device Control in the View Policies pane.
  3. Edit or create a new application policy:
    1. Click Application Control in the left pane of the policy.
    2. In the right pane, enable Log files written to USB drives.
  4. Click the edit button to modify the Log Files written to USB drives policy configuration.
  5. Click Log writing to USB drives under Log files written to USB drives, in the left pane,
  6. Under the Properties tab, select asterisk (*) from the Apply to the following files and folders and click on Edit...
  7. Confirm the USB device (USBSTOR*) is defined under Only match files on the following device id type and click OK
  8. Under the Actions tab, if you want to log the read, create, delete or write attempt to USB device, please check Enable logging.
  9. Click OK twice.
  10. Assign this policy to groups

How to view the Logs for the USB Activities:

  1. Log in to the SEPM.
  2. Click Monitors on the left menu.
  3. Click the Logs tab.
  4. Choose Application and Device Control as log type.
  5. Choose Application Control as log content.
  6. Select the appropriate time range and click the View Log button.

Note: You can find the same information from database table "DBA.AGENT_BEHAVIOR_LOG_2"

Check this Article:

Policy to LOG activity in a USB drive by Symantec Endpoint Protection

Check this Thread with similar Issue -

Hope that helps!!

Mithun Sanghavi
Associate Security Architect


Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.