I'm working on creating some Application and Device Control policies that can monitor the USB drives that are plugged into machines. I'm hoping that I may be able to record the Device IDs of the USB drives so that, if necessary, I can add blocks to the Application and Device Control policy. However, I'm currently having an issue with testing in terms of locating where this information is saved. So, for instance, at the moment I have a policy in place to block a specific USB device and it appears to be working. I can check the SEP client logs, and under Security Log - Client Management Logs I actually see the event of the USB device being blocked. What I'm interested in now is locating these entries in the SEPM. I think I've checked all of the Monitors -> Logs with no luck. Is anyone familiar with where this is located? Also, is it possible to record the Device IDs for all plugged-in devices? It would be nice for management of restricting infected devices.
Thanks,
Mike
The Device IDs are not recorded. This has been a sticking point for some time now.
You would need to use DevViewer on a client to get the Device ID.
You won't be able to record the Device ID.
Use the DevViewer tool to block it.
Hi
You need to use the DevViewer tool to take the Device ID.
In SEP 12.1 the tool is incorporated in the SEP client itself.
Regards
Hi,
Agreed with above comments.
http://www.symantec.com/business/support/index?page=content&id=TECH103401
Do the logs found under Client Management -> Security Logs on the SEP client get recorded back in the SEPM? If so, where do they get recorded? I'm assuming the answer is no, since this log appears to have the Device ID information in it.
One last thing to note from additional testing that I just found: there is a way to record the Device ID through the SEPM. If a USB device writes or reads on a machine with a SEP client, this data will be logged in the Application and Device Control -> Application Logs. Highlight one of the entries, click on Details, and scroll to the bottom. It will show you the Device ID. You can then record that device and add it to whatever restriction policies you may have.