
SEP 11 - log USB devices that are connected

Created: 07 Mar 2012 | 8 comments
g67's picture

I would like to log the make and model of any removable media connected to a computer. I already use Application and Device Control for blocking of devices, but now I want a separate policy, for some selected computers, that does not block devices but just logs what's connected.

How do I do this using SEP 11 RU6 MP3?

Ideas please?

Thanks


Avkash K's picture

Hi,

Please check the articles below,

Policy to LOG activity in a USB drive by Symantec Endpoint Protection (SEP):

http://www.symantec.com/docs/TECH131125

 The activity logged can be found in:
- SEP Client > View Logs > Client Management > View Log > Control Log
- The console of Symantec Endpoint Protection Manager (SEPM) > Monitors > Logs > Application and Device Control > Application Control

 

And you can try this also for notification alerts.

1. Connect to SEPM

2. Go to "Monitors"

3. Go to "Notifications" tab

4. Click on "Notification Conditions" button at the bottom of the console

5. Click on "Add..." and select "Client Security Alert"

6. In the top of the new window, specify condition name, filtering settings (optional) and outbreak type

7. Check "Application Control Events"

8. Specify condition and damper settings

9. Check "Send email to:" and type email address to use

10. Validate

Regards,

Avkash K

g67's picture

Thanks, but I want to log device make and model as soon as it is connected. As far as I know, the Application Control module does not log when hardware devices are connected.

Avkash K's picture

Hi,

 

Policy to LOG activity in a USB drive by Symantec Endpoint Protection (SEP):

http://www.symantec.com/docs/TECH131125

But not sure about make and model.

Regards,

Avkash K

Mithun Sanghavi's picture

Hello,

Solution

1: Log in to the Symantec Endpoint Protection Manager Console (SEPM)

2: Click "Policies" --> click "Application and Device Control" under "View Policies" --> edit or create a new application policy --> click "Application Control" --> on the right panel, enable "Log Files written to USB drives"

3: Click the edit button to edit the "Log Files written to USB drives" policy configuration

4: Click "Log written to USB drives" under "Log written to USB drives" on the left panel

5: Under the "Properties" tab, choose which USB devices will be used for this policy; the default is "*", which means these settings will be applied to all USB devices.

6: Under "Actions", if you want to just record the creating, deleting or writing attempts on a USB device, click "enable logging" under "create, delete or write attempt". If you want to record reading attempts as well, you need to tick "enable logging" under "read attempt"

7: Click "OK" twice, then left-click this policy and assign it to groups

How to view the record of USB activation?

1: Log in to SEPM

2: Click "Monitor" on the SEPM left panel

3: Click the "Logs" tab

4: Choose "Application and Device Control" as log type, and choose "Application Control" as log content.

5: Choose the appropriate time range and click the "View Log" button

6: You can find the same information in the database table "DBA.AGENT_BEHAVIOR_LOG_2"

Ref - http://www.symantec.com/docs/TECH155578

Check these -

https://www-secure.symantec.com/connect/forums/how-see-written-activity-usb-drive

http://www.symantec.com/docs/TECH96690

However read this IDEA as well - 

https://www-secure.symantec.com/connect/idea/files-written-usb-drives-detailed-log

https://www-secure.symantec.com/connect/ideas/symantec-endpoint-protection-usb-device-logging

 

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

g67's picture

Thanks Mithun, but all these suggestions seem to be for writing of files to a USB device using the Application Control module. I am familiar with Application Control for logging data written to a device.

I do not need to know when a file is written.

I need to know when a device is connected e.g. someone has plugged in an iPod.

I don't want the device blocked, just logged.

Device control module does not seem to allow this.

Mithun Sanghavi's picture

Hello,

The Idea below would answer your question.

https://www-secure.symantec.com/connect/ideas/symantec-endpoint-protection-usb-device-logging

Hope that helps!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

g67's picture

So does that mean that it is not currently possible to log devices?

I had already seen this idea but thought maybe there might be a solution somewhere.

greg12's picture

Have a look at this article by Vikram Kumar, maybe it helps you.

https://www-secure.symantec.com/connect/articles/how-block-unwanted-memory-cards

Every time a USB device is plugged in, something happens in the registry. Thus it's possible to track the devices. You just have to know the beginning of the appropriate device IDs.
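
The registry tracking described in the last reply, as an added example that is not part of the thread and is not a SEP feature: a read-only PowerShell script that lists the device IDs Windows has recorded under the USB and USBSTOR enumeration keys and reports the ones not seen in the previous run. It assumes PowerShell 3.0 or later; the snapshot path `C:\Logs\usb-devices.csv` and the function name `Get-UsbDeviceRecord` are hypothetical.

```powershell
# Added example: inventory USB devices recorded in the registry (read-only).
# Windows creates a key per device ID and per instance the first time a device
# is plugged in; the keys persist after removal, so this is a connection history.
$roots    = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USB',
            'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'
$snapshot = 'C:\Logs\usb-devices.csv'   # hypothetical path; the folder must exist

function Get-UsbDeviceRecord {
    foreach ($root in $roots) {
        # First level: device ID, e.g. VID_xxxx&PID_xxxx (USB) or
        # Disk&Ven_<vendor>&Prod_<product>&Rev_<rev> (USBSTOR).
        foreach ($idKey in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
            # Second level: one key per physical instance (often the serial number).
            foreach ($inst in Get-ChildItem -Path $idKey.PSPath -ErrorAction SilentlyContinue) {
                $p = Get-ItemProperty -Path $inst.PSPath -ErrorAction SilentlyContinue
                [pscustomobject]@{
                    Computer     = $env:COMPUTERNAME
                    Bus          = Split-Path -Path $root -Leaf
                    DeviceId     = $idKey.PSChildName
                    InstanceId   = $inst.PSChildName
                    FriendlyName = $p.FriendlyName   # empty for many non-storage devices
                    DeviceDesc   = $p.DeviceDesc
                }
            }
        }
    }
}

$current = @(Get-UsbDeviceRecord)

# Load the keys seen on the previous run, if a snapshot exists.
$known = @()
if (Test-Path -Path $snapshot) {
    $known = @(Import-Csv -Path $snapshot |
        ForEach-Object { "$($_.Bus)|$($_.DeviceId)|$($_.InstanceId)" })
}

# Anything not in the previous snapshot was connected since the last run.
$new = @($current | Where-Object {
    $known -notcontains "$($_.Bus)|$($_.DeviceId)|$($_.InstanceId)"
})
$new | Format-Table Bus, DeviceId, InstanceId, FriendlyName -AutoSize

# Save the full list as the baseline for the next run.
$current | Export-Csv -Path $snapshot -NoTypeInformation
```

On the first run every recorded device is reported as new, including hubs and built-in devices. To narrow the output to one class of device, filter on the beginning of `DeviceId` with `Where-Object` and `-like`.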