Endpoint Protection

  • 1.  SEP Application Device Control for Logging files written to CDROM/DVD drives

    Posted Sep 16, 2009 11:51 AM
    We are trying to create an Application control set rule similar to the standard log files written to USB drives.
    I have tried everything to get this to work and it doesn't seem to. I can burn files to CD-ROMs and not get any logs.
    Anyone have any ideas of what I could be doing wrong? I copied the USB rule set and then changed the ONLY MATCH FILES ON THE FOLLOWING DEVICE ID TYPE from USBSTOR*
    to cdrom*
    I also tried IDE/CDROM*, and GenCdRom*
    I also tried selecting the application c:\windows\system32\imapi.exe which is what WinXp uses to burn files to CD and that did not work.


    Thank you in advance for any help or ideas.



  • 2.  RE: SEP Application Device Control for Logging files written to CDROM/DVD drives

    Posted Sep 16, 2009 12:01 PM
    Hi,

    Since CD/DVD writing uses an unconventional read/write operation, Symantec Endpoint Protection cannot block it directly.

    To work around this problem, create both of the following policies:
    Create an Application and Device Control policy that blocks the specific applications that write to CD or DVD drives.
    Create a Host Integrity policy that sets the following Windows registry key to block write attempts to CD or DVD drives:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer

    DWORD NoCDBurning

    Decimal Value: 1


    http://service1.symantec.com/support/ent-security.nsf/docid/2008042510214848


  • 3.  RE: SEP Application Device Control for Logging files written to CDROM/DVD drives

    Posted Sep 16, 2009 12:23 PM
    We don't want to actually block writing to CD-ROM drives. We want to log it like the writing to USB drives rule.
    We receive an email with the files that were written.
    We want to start with this before actually blocking writing altogether.

    Thank you Sandip


  • 4.  RE: SEP Application Device Control for Logging files written to CDROM/DVD drives

    Posted Sep 16, 2009 05:46 PM
    Add a new rule - Condition - File and Folder Access Attempts -
    Apply to the following Files and Folders - give a * -
    - Select Only Match Files on following drive types and select only DVD/CD-ROM
    In Action -
    For Read Attempt - select - Continue Processing other rules

    For Create, Delete and Write attempt, select Allow
    check - Enable logging and Send Email alert.




  • 5.  RE: SEP Application Device Control for Logging files written to CDROM/DVD drives

    Posted Sep 17, 2009 01:11 PM
    Vikram, Thank you for the suggestion but for some reason it does not work.
    The USB logging does work. I copied that rule and then made the changes as suggested but still no go. I am not getting anything in the logs.

    Am I doing something wrong?

    Thank you


  • 6.  RE: SEP Application Device Control for Logging files written to CDROM/DVD drives

    Posted Sep 17, 2009 02:21 PM
    Did you edit the same rule, or did you add a new rule with File and Folder Access attempts?


  • 7.  RE: SEP Application Device Control for Logging files written to CDROM/DVD drives

    Posted Sep 18, 2009 05:30 PM
    I edited the rule.
    I was going to just create a brand new one but wasn't sure.
    Also you had in your response *- . I tried it without the - first then put the - back in. Neither worked.
    Thank you for your help on this.


  • 8.  RE: SEP Application Device Control for Logging files written to CDROM/DVD drives

    Posted Mar 27, 2010 11:03 AM
    Hi Doug, I'm wondering if you found a solution to this. I'm trying to do the same thing and am experiencing the same issue as you. The above suggestions, which make complete sense, don't have any effect.


  • 9.  RE: SEP Application Device Control for Logging files written to CDROM/DVD drives

    Posted Mar 28, 2010 09:08 PM
    Just wanted to let you know that you might just want to create a new thread for your issue. This one is very old (over 17 weeks) and it is unlikely that the original thread owner will respond. Also other users in the forums are likely to ignore a thread this old.

    Thanks
    Grant