Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.

Add notification of unauthorized devices only

Created: 27 Feb 2012 • Updated: 09 Nov 2012 | 7 comments
kforfa's picture
1 Agree
0 Disagree
+1 1 Vote
Login to vote
Status: Implemented

In version 11.x, we created a Client Security Alert notification to log and email our Helpdesk when an unauthorized USB device was blocked.  After upgrading to 12.1 RU1, we began receiving excessive notification emails related to authorized USB activity.  If a USB device has been whitelisted, we don't need to be notified everytime it is used.   After reading some forums, it was indicated that a "large customer" requested this feature.   We are requesting a method of setting the notification emails for unauthorized devices only.

Comments 7 CommentsJump to latest comment

JWatts's picture

Very frustrating!

0
Login to vote
Elisha's picture

Can you give me a little bit more information on what you are looking for?  SEP has the ability to log an event for every USB device that gets plugged in.  How do you distinguish authorized devices from unauthorized devices?

0
Login to vote
kforfa's picture

Elisha,

Sorry for the delay in answering your post.  We are using Application and Device blocking to block all USB devices that can store data (i.e., not keyboards and mice).  We have adopted the IronKey as our only "authorized" USB thumb drive.  As we purchase Ironkeys, we add them to our whitelist on our Symantec AV Server.  In prior versions of SEP, this worked very well.  Anytime a non-whitelisted USB drive was inserted into any of our computers, SEP disabled the device (blocked it) as well as sent an email notification.  With the upgrade to v12.1, we are seeking the same functionality.  As I said in my original post, we do not need to be notified everytime an authorized USB drive is used.  We only want notification when our employees attempt to use unauthorized USB drives.  Let me know if you need any further information.

+1
Login to vote
kforfa's picture

I would like to know if there is a resolution from Symantec on this issue. 

0
Login to vote
Elisha's picture

In SEP 12.1 we added the ability to log excluded devices to allow users to do auditing (log devices without blocking them).  For instance if a user wanted to log all USB devices, but not to block them.  Therefore SEP 12.1 will log all devices in the blocked devices list regardless of whether they are excluded.

You can disable device logging but there is no way to stop logging excluded devices.

0
Login to vote
kforfa's picture

OK....not sure if you understand what functionality we want.  How can I configure SEP 12.1 to send an email notification when a user connects a blocked device? 

0
Login to vote
Elisha's picture

This has been resolved in SEP 12.1.2 (RU2) due out later this month (November 2012).  In SEP 12.1.2 email alerts will only be sent for blocked devices.

0
Login to vote