• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2359
  • Last Modified:

Reports for Symantec Endpoint Protection Device Control


I am looking for a easy way to get reports from Symantec Endpoint Protection, Device Control part. To be more specific, we have a policy that enable logging of saving files to USB device and also for blocking USB (for some of the users). Now, we would like to get a nice report about who tried to save what and also who tried to attach USB. Is there any tool or way to get this kind of reports?

  • 2
2 Solutions
Ehab SalemIT ManagerCommented:
Unfortunately, although SEP is very powerfull in such options, it has very limited reporting capabilities (as far as I know).
But you can get all the details you want via the logs. You can save filters, run it periodically and export it to Excel to make further filtering.
vvladaAuthor Commented:

Thank you for your comment. I need some way to get automated reports. Any idea is more then welcome!

Best regards,
Ehab SalemIT ManagerCommented:
I don't know a way you can automate a report for files written to USB drives, but if you use SQL server (not the embedded DB), you can use the SQL reporter, or create jobs to do that.
If you use the embedded DB, you can try the following link to create ODBC then create the reports using Access for example.
jmlambTechnical Account ManagerCommented:
None of the ADC reports provide user information unfortunately. You can filter on a User in the report so you can generate one for a specific user, but you won't see a list of users in the report itself. If you find one of the two available reports useful, then you can schedule them to be emailed automatically.

1. Logon to the console.
2. Click on Reports.
3. Under Quick Reports, choose Application and Device Control as the Report type.
4. Choose Top Targets Blocked or Top Devices Blocked as the Report.
5. Specify a Time range.
6. Click Advanced Settings >>.
7. Enter specifics for any of the filters if you want to narrow down the report.
8. Click Create Report.

To obtain more detailed information you'll have to view the log content under the Monitors tab. Below is a sample of what information is provided there.

Domain name: Default
Site name: Lab
API: File Read
Action: Block
Test mode: No
Windows Domain: Lab
User: Test_user
Server name: seplabsrv001
Group name: My Company\Desktop\ADC Test
Computer Name
   Current: seplabwks001
   When event occurred: seplabwks001
Event type: Application Control Rules
Event time: 04/06/2011 07:46:03
Severity: Info
Begin time: 04/06/2011 07:44:59
End time: 04/06/2011 07:44:59
Rule name: File and Folder Access Attempts_Read File
Alert: No
Send SNMP trap: 0
Caller Process ID: 1008
Caller Process Name: C:/WINDOWS/Explorer.EXE
Target: Z:/AutoRun.inf
User name: Test_user
Description: Block access to autorun.inf.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Ultimate Tool Kit for Technology Solution Provider

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy now.

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now