solution
1: Connect to the Symantec Endpoint Protection Manager Console / SEPM
2: click on "Policies" -> click on "Application and Device Control" under "View Policies" -> edit or create a new application -> click on "Application Control" -> on the right pane, Enable the option "Log files written on the USB drivers"
3: Click Edit button to edit "Log files written to USB drives" policy configuration
4: Click on "Connect USB disks written" under "Connection written on USB drives" on the left panel
5: In "Properties" tab, select the USB device will be used for this policy, default is "*" means all that is USB will be applied with these parameters.
6: under "Actions", if you just want to save the creation, deletion or writing attempts USB device, please click "enable logging" in "create, delete or attempt to writing. " if you want to save or read attemp, you need to check "logging ebable" under "trying to read"
7: Click "OK" twice, then left-click the policy and assign the policy to groups
how to display the registration activation USB?
1: Identify SEPM
2: Click "Monitor" on the left panel SEPM
3: Click "logs" tag
4: select "application control and device" as log type, select "Application Control" as the log contents.
5: Choose the time interval approperal and click "View Log" button
6: You can find the same information from database table "DBA.AGENT_BEHAVIOR_LOG_2"
Check them out -
https://www-secure.symantec.com/connect/forums/how-see-written-activity-usb-drive
http://www.symantec.com/docs/TECH96690
However read this and IDEA -
https://www-secure.symantec.com/connect/idea/files-written-usb-drives-detailed-log
https://www-secure.symantec.com/connect/ideas/symantec-endpoint-protection-usb-device-logging