Can the Symantec Endpoint Protection client detect if a file is being created,read or modified on a USB device?
1: Log in to Symantec Endpoint Protection Manager Console /SEPM.
2: Click "Policies"-->click "Application and Device Control" -->edit or create a new application policy--> click "Application Control" -->on the right panel , enable "Log writing to USB drives".
3: Click edit button to change "Log writing to USB drives" policy configuration.
4: Click "Log writing to USB drives" under "Log files written to USB drives" on the left panel.
5: Under "Properties" tab, choose which USB device will be used for this policy, the default is "*" which means all USB devices will have these settings applied.
6: Under "Actions" if you want to just log the creation, deletion or write attempts on USB devices, click "enable logging" under "create, delete or write attempt". If you want to log read attempts also, tick "enable logging" under "read attempt". You can also choose to block access, other options can be selected as desired.
7: Click "OK" twice and then left click this policy and assign this policy to groups
How to do I view the log of USB access?
1: Log into the SEPM
2: Click "Monitor" on the SEPM left coulmn
3: Click "Logs"
4: Choose "Application and device control" as log type, choose "Application control" as log content.
5: Choose the correct time range and click "View log" button
NOTE: You can find the same information from database table "DBA.AGENT_BEHAVIOR_LOG_2"