
Notification

Created: 16 Oct 2012 • Updated: 17 Oct 2012 | 4 comments
This issue has been solved. See solution.

Hi,

I want to retrieve USB attach notifications in SEPM.

How do I retrieve this notification?

 


Ashish-Sharma's picture

1: Log in to Symantec Endpoint Protection Manager Console / SEPM

2: Click "Policies" --> click "Application and Device Control" under "View Policies" --> edit or create a new application policy --> click "Application Control" --> on the right panel, enable "Log Files written to USB drives"

3: Click the edit button to edit the "Log Files written to USB drives" policy configuration

4: Click "Log written to USB drives" under "Log written to USB drives" on the left panel

5: Under the "Properties" tag, choose which USB device will be used for this policy; the default is "*", which means these settings will be applied to all USB devices.

6: Under "Actions", if you want to just record the creating, deleting or writing attempts of a USB device, please click "enable logging" under "create, delete or write attempt". If you want to record reading attempts as well, you need to tick "enable logging" under "read attempt".

7: Click "OK" twice, then left-click this policy and assign it to groups

How to view the record of USB activation?

1: Log in to SEPM

2: Click "Monitor" on the SEPM left panel

3: Click the "logs" tag

4: Choose "application and device control" as log type, choose "application control" as log content.

5: Choose the appropriate time range and click the "view log" button

6: You can find the same information in the database table "DBA.AGENT_BEHAVIOR_LOG_2"

Ref - http://www.symantec.com/docs/TECH155578

Policy to LOG activity in a USB drive by Symantec Endpoint Protection (SEP):

http://www.symantec.com/docs/TECH131125

Check these -

https://www-secure.symantec.com/connect/forums/how-see-written-activity-usb-drive

https://www-secure.symantec.com/connect/forums/sep-11-log-usb-devices-are-connected

http://www.symantec.com/docs/TECH96690

However read this IDEA as well - 

https://www-secure.symantec.com/connect/idea/files-written-usb-drives-detailed-log

https://www-secure.symantec.com/connect/ideas/symantec-endpoint-protection-usb-device-logging

Thanks In Advance

Ashish Sharma

 

 

SOLUTION
Parks1's picture

Nice Step Found try it.

Open and login to the SEPM

Click Monitors

Click Notifications

Click Notification Conditions

Click Add

Select Client security alert

Check out the required option (Device Control events) under "What settings would you like for this notification?"

 

 
Outbreak type: Occurrences on any computer

Compliance events, Device Control events, Network Threat Protection events, Traffic events, Packet events, Application Control events
Notification condition:  occurrenc

Set the notification condition

Then add your email ID here.

Then OK

This process will help to get the device access log in email

 

https://www-secure.symantec.com/connect/forums/not...

Mithun Sanghavi's picture

Hello,

Solution

  1. Log in to Symantec Endpoint Protection Manager Console (SEPM)
  2. Click Policies on the left menu, then click Application and Device Control in the View Policies pane.
  3. Edit or create a new application policy:
    1. Click Application Control in the left pane of the policy.
    2. In the right pane, enable Log files written to USB drives.
  4. Click the edit button to modify the Log Files written to USB drives policy configuration.
  5. Click Log writing to USB drives under Log files written to USB drives, in the left pane.
  6. Under the Properties tab, select asterisk (*) from the Apply to the following files and folders and click on Edit...
  7. Confirm the USB device (USBSTOR*) is defined under Only match files on the following device id type and click OK
  8. Under the Actions tab, if you want to log the read, create, delete or write attempt to USB device, please check Enable logging.
  9. Click OK twice.
  10. Assign this policy to groups

How to view the Logs for the USB Activities:

  1. Log in to the SEPM.
  2. Click Monitors on the left menu.
  3. Click the Logs tab.
  4. Choose Application and Device Control as log type.
  5. Choose Application Control as log content.
  6. Select the appropriate time range and click the View Log button.

Note: You can find the same information from database table "DBA.AGENT_BEHAVIOR_LOG_2"

Check this Article:

Policy to LOG activity in a USB drive by Symantec Endpoint Protection

http://www.symantec.com/business/support/index?page=content&id=TECH155578

Check this Thread with similar Issue - 

https://www-secure.symantec.com/connect/forums/view-files-written-usb

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.