USB Logging

Created: 20 Dec 2007 • Updated: 21 May 2010 | 11 comments
Hi,
I am looking to implement this in a medium-sized organisation to replace a USB logging program we were using. I have been working through the documentation regarding the device control policies and am quite confused. Is it possible to have the software simply log any USB device access? I.e., if a user copies a file onto a device, this would be logged and reportable in the main console.
 
Thanks,
Phil.
 

Paul Murgatroyd

Yes, it's a fairly easy Application and Device Control policy you require.
 
PM me your email address and I'll send you one to get you started.
 
 

Paul Murgatroyd
Principal Product Manager, Symantec Endpoint Protection
Endpoint twitter feed: http://twitter.com/symc_endpoint

DamnEngineer

Could you possibly post this policy, as I am also interested in this type of logging, as I am sure many others are also.

Thanks

Greg

Paul Murgatroyd

This policy will monitor all files written to a removable device by any application on the machine.
 
 

Paul Murgatroyd

PVN
Hi Paul,
How can I apply your *.dat file into SEP Manager?
 
Thanks.

Paul Murgatroyd

From the policies tab, click Application and Device Control, then click the Import option at the bottom of the panel.

Paul Murgatroyd

Nayelli Tena

Hello, I am also interested in this policy, but I could not download the file. Can you upload the .dat again, please?

HotRob

Thanks for this Paul.

I've downloaded the policy but am having trouble finding where it is logging the information to. Do I find it under the 'Monitors' tab then 'Logs' in SEPM?

Or is there a physical log file written somewhere on the server itself?

Cheers,

Rob

Paul Murgatroyd

Hi Rob,

There are several options - you will see the logs locally in your client's control log (View Logs, Client Management, View Log, Control Log), or on the SEPM under Monitors, Logs, Application and Device Control.

Paul Murgatroyd

HotRob

Hi Paul,

I've let the policy run for a week and copied files to and from a USB key on my own machine as well, but I don't find anything in either log location.

In the policy the logging is set to Critical - 0. I've had a look in the System Admin guide but I can't find what this severity level relates to.

Cheers,
Rob

HotRob

Hi,

I decided to redo the policy because it doesn't seem to be logging anything and found that there is a default one in the list of application policies.

I edited it with the following settings:
Under the "Log files written to USB drives" properties I used the wildcard '*' to allow all processes to be monitored.

Then under the second "Log files written to USB drives" I used the wildcard "*" to allow monitoring of all drives and inside the properties of that selected "Only match files on the following drive types" and selected "removable drive (floppy usb, etc)".

Under the actions tab I set "continue processing" and enabled logging at "Critical -- 0".

1) Does this sound right to anyone?
2) I don't get anything appearing in any of the log files suggested by Paul.

Does anyone have this working and can offer any pointers?
Many thanks,
Rob

HotRob

Well, I found my problem with the USB key logging policy not working.

Our initial install of the SEP client didn't include the Network control side of things, so the policy wasn't able to act on logging the USB keys because the component wasn't installed. D'oh!

I'll have another go at this and I'm sure it'll work fine now.
:)
Rob