Can the Symantec Endpoint Protection client detect if a file is being created, read or modified on a USB device?

Article ID: 153986

Products

Endpoint Protection

Issue/Introduction

How to use Symantec Endpoint Protection to monitor file actions on a USB device

Resolution

  1. Log in to the Symantec Endpoint Protection Manager (SEPM) console.
  2. Click "Policies" --> "Application and Device Control" --> edit an existing application policy or create a new one --> click "Application Control" --> in the right panel, enable "Log writing to USB drives".
  3. Click the edit button to change the "Log writing to USB drives" policy configuration.
  4. In the left panel, click "Log writing to USB drives" under "Log files written to USB drives".
  5. On the "Properties" tab, choose which USB device this policy applies to. The default is "*", which applies these settings to all USB devices.
  6. Under "Actions", to log only creation, deletion or write attempts on USB devices, click "enable logging" under "create, delete or write attempt". To log read attempts as well, tick "enable logging" under "read attempt". You can also choose to block access; select other options as desired.
  7. Click "OK" twice, then left-click this policy and assign it to groups.

 

How to view the log of USB access

  1. Log in to the SEPM.
  2. Click "Monitor" in the SEPM left column.
  3. Click "Logs".
  4. Choose "Application and device control" as the log type and "Application control" as the log content.
  5. Choose the correct time range and click the "View log" button.

 

NOTE: The same information is available in the database table DBA.AGENT_BEHAVIOR_LOG_2.