Can the Symantec Endpoint Protection client detect if a file is being created, read or modified on a USB device?
Article ID: 153986
Products
Endpoint Protection
Issue/Introduction
How to use Symantec Endpoint Protection to monitor file actions on a USB device
Resolution
Log in to the Symantec Endpoint Protection Manager (SEPM) console.
Click "Policies" --> click "Application and Device Control" --> edit or create a new application policy --> click "Application Control" --> on the right panel, enable "Log writing to USB drives".
Click the edit button to change the "Log writing to USB drives" policy configuration.
Click "Log writing to USB drives" under "Log files written to USB drives" on the left panel.
Under the "Properties" tab, choose which USB device this policy applies to. The default is "*", which means all USB devices will have these settings applied.
Under "Actions", if you only want to log the creation, deletion or write attempts on USB devices, click "enable logging" under "create, delete or write attempt". If you also want to log read attempts, tick "enable logging" under "read attempt". You can also choose to block access; other options can be selected as desired.
Click "OK" twice, then left-click this policy and assign it to groups.
How to view the log of USB access
Log in to the SEPM.
Click "Monitor" in the SEPM left column.
Click "Logs".
Choose "Application and device control" as the log type and "Application control" as the log content.
Choose the correct time range and click the "View log" button.
NOTE: You can find the same information in the database table DBA.AGENT_BEHAVIOR_LOG_2.