search cancel

How to enable the Removable Media Scan feature in Endpoint Protection

book

Article ID: 188710

calendar_today

Updated On:

Products

Endpoint Protection

Issue/Introduction

Prior to 14.2 RU2 Symantec Endpoint Protection (SEP) did not scan USB removable storage media when plugged in. With the release of 14.2 RU2, AutoProtect can be configured to take advantage of this event and trigger an MBR and drive scan.

Environment

  • Microsoft Windows
    SEP 14.2 RU2, and newer

Resolution

When a USB storage device is plugged into the Windows system, SEPs AutoProtect component generates an event. Note: This scan does not scan memory or loadpoints and is disabled by default.

SEP CLIENT configuration

The following registry key and values must be created on the client systems to enable this functionality:

  1. Tamper Protection must be disabled on the SEP client endpoint before making registry key changes. To disable Tamper Protection: Disable Tamper Protection (broadcom.com)
  2. To open the Registry Editor, click Start. In the Search programs and files field, enter regedit, and then click regedit.exe from the list of results.
    • Alternately, click Start > Run, enter regedit, and then click OK.
  3. Navigate to the following registry subkey (or create it if it is missing): 
    • HKLM\SOFTWARE\WOW6432Node\Symantec\Symantec Endpoint Protection\AV\LocalScans\Removable Media Scan Options\Schedule
    • 14.3 RU5+ HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\LocalScans\Removable Media Scan Options\Schedule
  4. Find or create the Enabled (REG_DWORD) value and set it to a value of 1
  5. Find or create the Name (REG_SZ) value and set it to a value of Removable Media Scan

There is no need to restart the machine or the SEP services. In order to disable this feature, either set Enabled to a value of 0 or delete the registry key values noted above.

 

SEPM configuration

Virus and Spyware Protection Policy

Verify under Auto-Protect - Advanced Scanning and Monitoring that the option "Check floppies for boot viruses when accessed" is active.

Additional Information

  When this scan is triggered, a scan event entry will be logged under the Virus and Spyware Protection Logs by "Removable Media Scan" with a Type of "Custom Scan". This scan type runs with the "Best Application Performance" configuration to reduce impact to the end-user.

Does Symantec Endpoint Protection Scan USB flash drives?