An Application and Device Control policy was exported from an on-premises Endpoint Protection Manager. The resulting dat file was then imported into the Integrated Cyber Defense Management console as a Custom Application Behavior policy.
The imported policy contains an application control rule condition that logs all creates, deletes, or writes to USB devices.
When the client receives this policy, write activity does not appear to be logged in the Control log; file deletions, however, are logged properly.
The affected rule condition in the Custom Application Behavior (CAB) policy is one that was imported from an on-premises SEPM Application and Device Control policy.
The default cloud CAB policy does not contain these rule conditions.
This issue is fixed in Symantec Endpoint Protection 184.108.40.206 (RU5).
For information on how to obtain the latest build of Symantec Endpoint Protection, see Download Symantec software, tools, and patches.