Endpoint Protection


Using SEP to log all connected USBs ( to get the Device IDs)

  • 1.  Using SEP to log all connected USBs ( to get the Device IDs)

    Posted Apr 03, 2016 06:24 AM

    Hi everyone, how can I use SEP to get the Device IDs of all the USBs which the user has connected to his machine?

    Is there any way we can make SEP log all connected USBs? The use case here is that before blocking any device we need to see a list of all the USBs which the user has connected, and from there we can decide which device we need to block.


    I know how to block a device via its device ID, but this is not what we need to achieve. I am looking to log the USBs the user has connected, and then from the list we can block certain devices.

    Thanks 



  • 2.  RE: Using SEP to log all connected USBs ( to get the Device IDs)

    Posted Apr 03, 2016 07:05 AM

    It's possible...

    Add "USB" class ID under "Devices excluded from blocking" and turn on logging of devices (at the bottom of the device control page) in the "Application and Device control" policy.



  • 3.  RE: Using SEP to log all connected USBs ( to get the Device IDs)

    Posted Apr 03, 2016 07:09 AM

    Seyyead, thanks for the reply. I thought about it, but the problem with this method is that it will white-list all of the devices. By using this way we cannot be granular in excluding some specific USBs and blocking all.


    Is there any straightforward way we can achieve the above-mentioned requirement? Whatever USB device the user connects is logged; in the logs we can get a list of detected devices, and from there we can block or allow as per the requirement? Thanks.



  • 4.  RE: Using SEP to log all connected USBs ( to get the Device IDs)

    Posted Apr 03, 2016 07:36 AM

    Currently the SEP client will log the details of a connected device only if that device is already set to be blocked or excluded (either using device ID or class ID). So initially you have to either block or exclude the device first, before finalizing whether to block the device or not.



  • 5.  RE: Using SEP to log all connected USBs ( to get the Device IDs)

    Posted Apr 03, 2016 12:42 PM

    Yes, but this adds a lot of overhead. It would have been better if we had the other way available: to just log all the connected devices and from there choose what to allow and what to block.



  • 6.  RE: Using SEP to log all connected USBs ( to get the Device IDs)

    Posted Apr 03, 2016 01:14 PM

    Add as an Idea for a future release:

    https://www-secure.symantec.com/connect/security/ideas



  • 7.  RE: Using SEP to log all connected USBs ( to get the Device IDs)

    Posted Apr 04, 2016 03:49 AM

    Erm, this option is already in SEP AFAIK. Have a look-see at the attached screenie; this option changed from "Log Blocked Devices" to "Log Detected Devices" waaaaaaay back when. What version of SEP are you running?




  • 8.  RE: Using SEP to log all connected USBs ( to get the Device IDs)

    Posted Apr 04, 2016 06:03 AM
    12.1.6 MP4. It will only log devices which are explicitly added into either the blocked or excluded devices.


  • 9.  RE: Using SEP to log all connected USBs ( to get the Device IDs)

    Posted Apr 04, 2016 12:07 PM

    Sorry that I'm not able to show it more thoroughly (no SEPM at hand), but isn't it possible to achieve your goal with an Application Control rule that logs all read and change accesses to USB devices? For the beginning, you could take USBSTOR* as the device ID. AFAIK, there is even an Application Control ruleset to log write accesses on USB devices.



  • 10.  RE: Using SEP to log all connected USBs ( to get the Device IDs)

    Posted Apr 04, 2016 12:56 PM

    Firstly I would like to thank everyone who has contributed to this forum post. I have always appreciated your valuable inputs.

    Now, my initial question was how to log all the devices which are connected to endpoints, i.e. to grab the Device or Class IDs so that we can choose what to block and what not to block.

    The problem at the moment is that SEP would only log devices which are explicitly added either into the Blocked Devices section or the section which contains devices excluded from blocking. If there is any device that is not part of either one of these sections, it won't be logged by the device control policy. If you add the Class ID for all USBs in "Devices excluded from blocking", it will exclude all USBs from being blocked and whitelist every USB; hence you cannot selectively block any USB in the Blocked Devices section.

    Now, in Application Control we have a policy that will log read and write attempts to/from USBs if it is enabled in the App Control policy, which is more suitable, but the only concern with that is the amount of logging that would be generated.


    Thanks
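As an added example (not posted by anyone in this thread and not part of SEP), one way to collect the USBSTOR Device IDs the thread is after without first touching the SEP policy: read the endpoint's own PnP enumeration, which Windows keeps for every storage device it has ever seen, and export it for review before building the Blocked Devices list. It assumes an administrative PowerShell session on the endpoint; `Get-PnpDevice` needs Windows 8 / Server 2012 or later, while the registry walk works on older systems too.

```powershell
# Added example, not from the thread or from Symantec. Run elevated on the endpoint.
# Inventory USB storage Device IDs so an admin can decide what to block in SEP.

$inventory = @()

# 1. Every USB storage device Windows has enumerated, plugged in now or not.
#    Key layout: USBSTOR\<Disk&Ven_x&Prod_y&Rev_z>\<serial&0>
$usbstor = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'
if (Test-Path $usbstor) {
    foreach ($model in Get-ChildItem $usbstor) {
        foreach ($inst in Get-ChildItem $model.PSPath) {
            $props = Get-ItemProperty $inst.PSPath
            $inventory += [pscustomobject]@{
                DeviceId     = "USBSTOR\$($model.PSChildName)\$($inst.PSChildName)"
                FriendlyName = $props.FriendlyName
                Present      = $false
                Source       = 'Registry'
            }
        }
    }
}

# 2. Devices attached right now, via PnP; mark matching registry entries as present.
#    DeviceId comparison is case-insensitive (-eq) because PnP upper-cases the path.
if (Get-Command Get-PnpDevice -ErrorAction SilentlyContinue) {
    $present = Get-PnpDevice -PresentOnly | Where-Object { $_.InstanceId -like 'USBSTOR\*' }
    foreach ($dev in $present) {
        $hit = $inventory | Where-Object { $_.DeviceId -eq $dev.InstanceId }
        if ($hit) {
            $hit.Present = $true
        } else {
            $inventory += [pscustomobject]@{
                DeviceId = $dev.InstanceId; FriendlyName = $dev.FriendlyName
                Present  = $true;           Source       = 'PnP'
            }
        }
    }
}

# 3. Show the list and export it; the DeviceId column is what goes into the SEP
#    device control policy (an exact ID, or a prefix with a trailing wildcard).
$inventory | Sort-Object DeviceId | Format-Table -AutoSize
$inventory | Export-Csv -Path "$env:COMPUTERNAME-usb-inventory.csv" -NoTypeInformation
```

Collected from several endpoints, the CSVs give the per-device list the thread wanted SEP to log, without whitelisting the whole USB class first.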