Reports for Symantec Endpoint Protection Device Control


I am looking for a easy way to get reports from Symantec Endpoint Protection, Device Control part. To be more specific, we have a policy that enable logging of saving files to USB device and also for blocking USB (for some of the users). Now, we would like to get a nice report about who tried to save what and also who tried to attach USB. Is there any tool or way to get this kind of reports?

Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Ehab SalemIT ManagerCommented:
Unfortunately, although SEP is very powerfull in such options, it has very limited reporting capabilities (as far as I know).
But you can get all the details you want via the logs. You can save filters, run it periodically and export it to Excel to make further filtering.
vvladaAuthor Commented:

Thank you for your comment. I need some way to get automated reports. Any idea is more then welcome!

Best regards,
Ehab SalemIT ManagerCommented:
I don't know a way you can automate a report for files written to USB drives, but if you use SQL server (not the embedded DB), you can use the SQL reporter, or create jobs to do that.
If you use the embedded DB, you can try the following link to create ODBC then create the reports using Access for example.
None of the ADC reports provide user information unfortunately. You can filter on a User in the report so you can generate one for a specific user, but you won't see a list of users in the report itself. If you find one of the two available reports useful, then you can schedule them to be emailed automatically.

1. Logon to the console.
2. Click on Reports.
3. Under Quick Reports, choose Application and Device Control as the Report type.
4. Choose Top Targets Blocked or Top Devices Blocked as the Report.
5. Specify a Time range.
6. Click Advanced Settings >>.
7. Enter specifics for any of the filters if you want to narrow down the report.
8. Click Create Report.

To obtain more detailed information you'll have to view the log content under the Monitors tab. Below is a sample of what information is provided there.

Domain name: Default
Site name: Lab
API: File Read
Action: Block
Test mode: No
Windows Domain: Lab
User: Test_user
Server name: seplabsrv001
Group name: My Company\Desktop\ADC Test
Computer Name
   Current: seplabwks001
   When event occurred: seplabwks001
Event type: Application Control Rules
Event time: 04/06/2011 07:46:03
Severity: Info
Begin time: 04/06/2011 07:44:59
End time: 04/06/2011 07:44:59
Rule name: File and Folder Access Attempts_Read File
Alert: No
Send SNMP trap: 0
Caller Process ID: 1008
Caller Process Name: C:/WINDOWS/Explorer.EXE
Target: Z:/AutoRun.inf
User name: Test_user
Description: Block access to autorun.inf.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Anti-Virus Apps

From novice to tech pro — start learning today.