Endpoint Protection

  • 1.  View files written to USB

    Posted Oct 08, 2012 12:49 PM

    Hello,

    How can I view the logs of files written to USB for a specific computer?

    Where can I check that this logging is turned on?



  • 2.  RE: View files written to USB

    Trusted Advisor
    Posted Oct 08, 2012 12:54 PM

    Hello,

    Solution:

    1: Log in to Symantec Endpoint Protection Manager Console /SEPM

    2: Click "Policies" --> click "Application and Device Control" under "View Policies" --> edit or create a new application policy --> click "Application Control" --> on the right panel, enable "Log Files written to USB drives"

    3: Click the edit button to edit the "Log Files written to USB drives" policy configuration

    4: Click "Log written to USB drives" under "Log written to USB drives" on the left panel

    5: Under the "Properties" tab, choose which USB device will be used for this policy. The default is "*", which means these settings will be applied to all USB devices.

    6: Under "Actions", if you want to just record the creating, deleting or writing attempts of a USB device, please click "enable logging" under "create, delete or write attempt". If you want to record reading attempts as well, you need to tick "enable logging" under "read attempt"

    7: Click "OK" twice and then left click this policy and assign this policy to groups

    How to view the record of USB activation?

    1: Log in to SEPM

    2: Click "Monitor" on the SEPM left panel

    3: Click the "logs" tab

    4: Choose "application and device control" as log type, choose "application control" as log content.

    5: Choose the appropriate time range and click the "view log" button

    6: You can find the same information in the database table "DBA.AGENT_BEHAVIOR_LOG_2"

    Reference - http://www.symantec.com/docs/TECH155578

    Check these Threads -

    https://www-secure.symantec.com/connect/forums/how-see-written-activity-usb-drive

    http://www.symantec.com/docs/TECH96690

    However read this IDEA as well - 

    https://www-secure.symantec.com/connect/idea/files-written-usb-drives-detailed-log

    https://www-secure.symantec.com/connect/ideas/symantec-endpoint-protection-usb-device-logging

     

    Hope that helps!!



  • 3.  RE: View files written to USB

    Posted Oct 08, 2012 12:58 PM

    Thanks. I think I have discovered a little more information for why I am not seeing what I expected:

    (1) Is there a way to view files written to USB from the client?

    (2) I have a PC that was replaced, and the new PC has the SAME name, there are now two instances of the same named PC, and I think the log files I am seeing are from the one that is currently on-line, not archived information from the old PC - is there a way that I can see the archived information from the old PC through SEPM?



  • 4.  RE: View files written to USB

    Posted Oct 08, 2012 01:03 PM

    1) You can check the control log

    2) You can export the log file from the SEPM and save that. Otherwise you would need to send to syslog and configure a retention policy.



  • 5.  RE: View files written to USB

    Posted Oct 08, 2012 01:06 PM

    In advanced you can separate the two different PCs by choosing a security group. Be sure that your two PCs are in two different security groups.

    It would appear that the PC needs to be turned on and active in order to view the information from the logs.



  • 6.  RE: View files written to USB

    Trusted Advisor
    Posted Oct 08, 2012 01:06 PM

    Hello,

    (1) Is there a way to view files written to USB from the client?

    NO.

    (2) I have a PC that was replaced, and the new PC has the SAME name, there are now two instances of the same named PC, and I think the log files I am seeing are from the one that is currently on-line, not archived information from the old PC - is there a way that I can see the archived information from the old PC through SEPM?

    Try pulling the Application control by Appropriate Time Range.

    1: Log in to SEPM

    2: Click "Monitor" on the SEPM left panel

    3: Click the "logs" tab

    4: Choose "application and device control" as log type, choose "application control" as log content.

    5: Choose the appropriate time range and click on "Advance Settings" to select the correct option.

    6: Click the "view log" button

    Hope that helps!!



  • 7.  RE: View files written to USB

    Posted Oct 08, 2012 10:33 PM

    Nicely defined, Mithun.



  • 8.  RE: View files written to USB

    Broadcom Employee
    Posted Oct 08, 2012 10:45 PM

    Policy to LOG activity in a USB drive by Symantec Endpoint Protection

    http://www.symantec.com/business/support/index?page=content&id=TECH155578



  • 9.  RE: View files written to USB

    Posted Oct 08, 2012 10:49 PM

    1: Log in to Symantec Endpoint Protection Manager Console /SEPM

    2: Click "Policies" --> click "Application and Device Control" under "View Policies" --> edit or create a new application policy --> click "Application Control" --> on the right panel, enable "Log Files written to USB drives"

    3: Click the edit button to edit the "Log Files written to USB drives" policy configuration

    4: Click "Log written to USB drives" under "Log written to USB drives" on the left panel

    5: Under the "Properties" tab, choose which USB device will be used for this policy. The default is "*", which means these settings will be applied to all USB devices.

    6: Under "Actions", if you want to just record the creating, deleting or writing attempts of a USB device, please click "enable logging" under "create, delete or write attempt". If you want to record reading attempts as well, you need to tick "enable logging" under "read attempt"

    7: Click "OK" twice and then left click this policy and assign this policy to groups

    How to view the record of USB activation?

    1: Log in to SEPM

    2: Click "Monitor" on the SEPM left panel

    3: Click the "logs" tab

    4: Choose "application and device control" as log type, choose "application control" as log content.

    5: Choose the appropriate time range and click the "view log" button

    6: You can find the same information in the database table "DBA.AGENT_BEHAVIOR_LOG_2"


    Reference:

    http://www.symantec.com/business/support/index?page=content&id=TECH155578

    You can configure Email Notification Alerts for when any USB is inserted in the system

    Open and log in to the SEPM

    Click Monitors

    Click Notifications

    Click Notification Conditions

    Click Add

    Select Client security alert

    Check the required option (Device Control events) under "What settings would you like for this notification?"

    Set the notification condition

    Then add your email ID here.

    Then OK