1: log in to Symantec Endpoint Protection Manager Console /SEPM
2: click "Policies"-->click " Application and Device Control" under "View Policies"-->edit or create a new application policy-->click "Application Control" -->on the right panel , enable " Log Files written to USB drivers"
3: click edit button to edit "Log Files written to USB drives" policy configuration
4: click "Log written to USB drives" under "Log written to USB drives" on the left panel
5: under "Properties" tag ,choose which USB device will be used for this policy, default is " *" which is mean all USB device will be applied with this settings.
6: under " Actions" , if you want to just record the creating, deleting or writing attempts of USB device, please click "enable logging" under "create, delete or write attempt". if you want to record reading attemp either, you need tick "ebable logging" under " read attempt"
7: click "OK" twice and then left click this policy and assign this policy to groups
how to view the record of USB activation?
1: log in SEPM
2: click "Monitor" on the SEPM left panel
3: click " logs" tag
4:choose " application and device control" as log type, choose " application control" as log content.
5: choose the approperal time range and click " view log" button
6: you can find the same information from database table" DBA.AGENT_BEHAVIOR_LOG_2
Reference:
http://www.symantec.com/business/support/index?page=content&id=TECH155578
You can configure Email Notification Alerts when any usb insert in System
Open and login to the SEPM
Click Monitors
Click Notifications
Click Notification Conditions
Click Add
Select Client security alert
check out the required option(Device Control events) under "What settings would you like for this notification?"
Set the notifcation condition
Then Add your email id here.
Then Ok