Endpoint Protection

  • 1.  usb logging

    Posted Dec 12, 2009 02:47 PM

    Is it possible for SEP11 to log all USB activity (what is plugged in and what is copied to it) without preventing the use of that device? This could be useful in investigations where we suspect someone of plugging in a USB HD to copy data.


  • 2.  RE: usb logging
    Best Answer



  • 3.  RE: usb logging

    Posted Dec 13, 2009 01:28 AM
    As stated in the links above, SEP can log which files are transferred. There are quite a few third-party programs that log this sort of data in great detail (some of them were even mentioned in the links Vikram posted). Hopefully SEP will start to provide more detail in these logs, but for the average user logging the files is a good start : )

    This post also reminded me of an article I read a little while back, so I browsed my history to find it. It was an article that talked about some creative ways to fight data leaks. Here is that link: http://www.computerworld.com.au/article/300938/creative_ways_fight_data_leaks

    It mostly talks about good practices to use, but there are also some good pointers on how to get to know your network, etc.

    Hope this helps
    Grant


  • 4.  RE: usb logging

    Posted Dec 13, 2009 10:13 PM

    The Application and Device Control should take care of this situation.

    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2008022822274348


  • 5.  RE: usb logging

    Posted Dec 14, 2009 05:54 AM
    Try this: refer to the doc below.

    Block copy and execution of specific files from an USB.

    Make the following modifications to this doc.

    Instead of the first step, do as follows. First add USB drives to the Hardware Devices list:

    1. Open the Symantec Endpoint Protection Manager
    2. Click on Policies
    3. Expand Policy Components
    4. Click on Hardware Devices
    5. Click Add a Hardware Device...
    6. In the field Device Name: usbstorage (Note: This can be anything)
    7. Choose Device ID: USBSTOR\* (Note: This must be all capital letters and must be spelled correctly)
    8. Click OK

    Avoid step 7.

    In step 8, select the action as continue processing other rules in both (read attempt and create, delete or write attempt). Also enable logging for both ...

    Note: In the doc, the device name is specified as kigston. While creating the policy, you have to select the device name which you created in the first step instead of kigston.