How to enable the Removable Media Scan feature in Endpoint Protection

Article ID: 188710

Products

Endpoint Protection

Issue/Introduction

Prior to 14.2 RU2, Symantec Endpoint Protection (SEP) did not scan USB removable storage media when plugged in. With the release of 14.2 RU2, AutoProtect can be configured to take advantage of this event and trigger an MBR and drive scan.

Environment

Microsoft Windows
SEP 14.2 RU2 and newer

Resolution

When a USB storage device is plugged into the Windows system, SEP's AutoProtect component generates an event. Note: This scan does not scan memory or loadpoints and is disabled by default.

The following registry key and values must be created on the client systems to enable this functionality, as there is no configuration available from the SEP Manager at this time.

  1. Tamper Protection must be disabled on the SEP client endpoint before making registry key changes.
  2. To open the Registry Editor, click Start. In the Search programs and files field, enter regedit, and then click regedit.exe from the list of results.
    • Alternatively, click Start > Run, enter regedit, and then click OK.
  3. Navigate to the following registry subkey (or create it if it is missing):
    • HKLM\SOFTWARE\WOW6432Node\Symantec\Symantec Endpoint Protection\AV\LocalScans\Removable Media Scan Options\Schedule
  4. Find or create the Enabled (REG_DWORD) value and set it to a value of 1.
  5. Find or create the Name (REG_SZ) value and set it to a value of Removable Media Scan.

There is no need to restart the machine or the SEP services. To disable this feature, either set Enabled to a value of 0 or delete the registry key values noted above.
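
Because the setting cannot be pushed from the SEP Manager, the steps above usually end up scripted. The following PowerShell is an added example, not part of the original article or vendor tooling: it writes the two values idempotently and then reads them back, including the value type, so the result can be collected per endpoint. The function names are hypothetical, and it assumes Tamper Protection has already been disabled on the client.

```powershell
#Requires -RunAsAdministrator
# Added example (not vendor code). Key path and value names come from the steps above.
# Assumption: Tamper Protection is already disabled; otherwise the registry writes fail.
$KeyPath = 'HKLM:\SOFTWARE\WOW6432Node\Symantec\Symantec Endpoint Protection\AV\LocalScans\Removable Media Scan Options\Schedule'

function Set-RemovableMediaScan {          # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess)]
    param([bool]$Enable = $true)

    # Create the subkey only when it is missing, so existing values are never wiped.
    if (-not (Test-Path -LiteralPath $KeyPath)) {
        if ($PSCmdlet.ShouldProcess($KeyPath, 'Create registry key')) {
            New-Item -Path $KeyPath -Force -ErrorAction Stop | Out-Null
        }
    }
    $enabledValue = [int]$Enable           # 1 = enabled, 0 = disabled
    if ($PSCmdlet.ShouldProcess($KeyPath, "Set Enabled=$enabledValue and Name")) {
        New-ItemProperty -LiteralPath $KeyPath -Name 'Enabled' -PropertyType DWord `
            -Value $enabledValue -Force -ErrorAction Stop | Out-Null
        New-ItemProperty -LiteralPath $KeyPath -Name 'Name' -PropertyType String `
            -Value 'Removable Media Scan' -Force -ErrorAction Stop | Out-Null
    }
}

function Test-RemovableMediaScan {         # hypothetical helper name
    # Read the key back and check type as well as data: an Enabled value
    # created as REG_SZ "1" would look right in regedit but is not what step 4 asks for.
    $key   = Get-Item -LiteralPath $KeyPath -ErrorAction SilentlyContinue
    $names = if ($key) { $key.GetValueNames() } else { @() }
    $enabledOk = ($names -contains 'Enabled') -and
                 ($key.GetValueKind('Enabled') -eq 'DWord') -and
                 ($key.GetValue('Enabled') -eq 1)
    $nameOk    = ($names -contains 'Name') -and
                 ($key.GetValueKind('Name') -eq 'String') -and
                 ($key.GetValue('Name') -eq 'Removable Media Scan')
    [pscustomobject]@{
        Computer    = $env:COMPUTERNAME
        KeyExists   = [bool]$key
        ScanEnabled = $enabledOk
        NameSet     = $nameOk
    }
}

Set-RemovableMediaScan -Enable $true       # add -WhatIf to preview without writing
Test-RemovableMediaScan
```

Re-enable Tamper Protection once `Test-RemovableMediaScan` reports `ScanEnabled` and `NameSet` as True.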

Additional Information

When this scan is triggered, a scan event entry will be logged under the Virus and Spyware Protection Logs by "Removable Media Scan" with a Type of "Custom Scan".

This scan type runs with the "Best Application Performance" configuration to reduce impact to the end-user.