Alert when USB key is connected

Hi,

We recently published a policy forbidding USB key use on all company computers.  It appears that some users are ignoring the policy and continuing to use it and infecting computers with viruses.  We are using SEP 11.0.5021.385 and it appears that the device control portion of the software can block some or all USB keys.

At this point we don't want to start actively blocking USB devices but would like to set up some type of alert so that when an external storage device is connected an administrative alert is generated. Is anyone aware if this is possible and how?

Thank you,
Alex
alexL3Asked:

mrroonieCommented:
You don't need Symantec to do it - you could block use of them via group policy - http://www.petri.co.il/disable_usb_disks_with_gpo.htm

This may help too - http://support.microsoft.com/default.aspx?scid=kb;en-us;823732
0
mrroonieCommented:
Sorry, missed the first line of my post - not sure of any program that would alert you to their use, it would only be on the actual PC.
0
jhalapradeepCommented:
Hi,

First of all make sure the policy is setup as mentioned in this document:

http://service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/b54beb2f46268ccc882574e80052960f?OpenDocument

Using Device ID or fingerprint will be more effective in this type of case:

=> For notification:
1) You can schedule a report or monitor it from the monitors tab.
2) Once on the monitors tab, select logs, and select type as application and device control.
3) Now select device control and click on view log; it will show you activities for device control.
4) You can also schedule a report for the same from the reports tab.
5) From the monitors tab you may configure the notification condition for this activity as well, so that a mail can be sent to a specified address.
http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2008031219333348

regards,
Pradeep Jhala
0


alexL3Author Commented:
jhalapradeep:

Is it possible to allow all drives and only generate an alert?  

0
jhalapradeepCommented:
Hi,

The basic thing is that to get the alert or notification, there should be an application and device control policy enabled on the clients.
And in device control, you have the option to block a device and log the blocked device, but no logging for an allowed device.
-> Still, what you can do is use an application control policy and select the appropriate action for the USB activity.
-> In advanced you can also select multiple options, like launch attempts, DLL attempts, and then in the action field you can select "allow" and then also the log the event or send email option.

If you want to enable email notifications for application and device control events please follow these steps:
1) Create a device control policy to block USB.
2) Now go to the monitors tab.
3) Click on notification and click on the Notification conditions button.
4) Now click on add and select the Client security Alert option.
5) When this window opens, you will find application control events and device control events.
6) So once configured, whenever there is such an event an email will be sent to the configured email ID.

Regards,
Pradeep Jhala
0
jimmymcp02Commented:
In case you have not configured your SEP manager to connect to a mail server, follow this KB:
http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2008032116480748 
0
xmachineCommented:
0
alexL3Author Commented:
None of these solutions, while good and helpful in getting me in the right direction, actually solved my issue... but Thanks all.
0