How to use Symantec Endpoint Protection to monitor file actions on a USB device
- Log in to Symantec Endpoint Protection Manager Console /SEPM.
- Click "Policies"-->click "Application and Device Control" -->edit or create a new application policy--> click "Application Control" -->on the right panel , enable "Log writing to USB drives".
- Click edit button to change "Log writing to USB drives" policy configuration.
- Click "Log writing to USB drives" under "Log files written to USB drives" on the left panel.
- Under "Properties" tab, choose which USB device will be used for this policy, the default is "*" which means all USB devices will have these settings applied.
- Under "Actions" if you want to just log the creation, deletion or write attempts on USB devices, click "enable logging" under "create, delete or write attempt". If you want to log read attempts also, tick "enable logging" under "read attempt". You can also choose to block access, other options can be selected as desired.
- Click "OK" twice and then left click this policy and assign this policy to groups
How to view the log of USB access
- Log into the SEPM
- Click "Monitor" on the SEPM left column
- Click "Logs"
- Choose "Application and device control" as log type, choose "Application control" as log content.
- Choose the correct time range and click "View log" button
NOTE You can find the same information from database table DBA.AGENT_BEHAVIOR_LOG_2