02-10-2010 12:03 PM - edited 03-10-2019 04:53 AM
We are currently using CSA 5.2 and I'm trying to figure out a way to log whenever a user attempts to use removable media on the network. Specifically, USB flash drives. I know there is already a data theft prevention module that protects sensitive data and applications, but I'm trying to log any and all access, even if they just plug the drive in and do nothing with it. Is this even possible? If not, is it possible with newer versions?
Thank you,
Jason
02-18-2010 03:22 PM
Create a file set called USB
Directories:
Include
@removable:\**
Exclude
@floppy:\**
@cd:\**
@network:\**
Files
Create a File Access Control rule and set it to monitor this file set and you should see all USB drives plugged in to your hosts.
Tom
02-26-2010 10:26 AM
Thanks Tom,
I'm pretty sure I tried something similar before, but I tried it exactly as you've shown here and I still get nothing. I tried plugging a USB drive into a PC while logged in as a regular user and CSA still didn't pick anything up. I've attached a screenshot of the rule as I created it. What I was unsure of was what I should set the enforcement action as and what to set the Application Class as:
In this case I've set the Application Class as "All Applications" and "Applications on Removable Media". In both cases, I couldn't get CSA to detect anything for USB drives.
Thanks again,
Jason
03-01-2010 05:26 PM
03-08-2010 11:28 AM
I set mine up exactly as your screenshots show. Still nothing. I'm using 5.2.203. I think it may be that I need to update our version.
03-08-2010 01:19 PM
Well, I can't explain it.
You can check the release notes to see if something like that was fixed in later versions.
You may also have something else stepping on it.