Monitoring usage of removable drives

Monitoring usage of removable drives includes:

• Monitoring operations on files on removable drives.
• Monitoring connection and disconnection of trusted removable drives.

  Kaspersky Endpoint Security allows monitoring connection and disconnection of all trusted devices and not only removable drives. You can turn on event logging in notification settings for the Device Control component. Events have the Informational severity level.

To enable monitoring of removable drive usage:

1. In the main application window, click the button.
2. In the application settings window, select Security Controls → Device Control.
3. In the Access settings block, click the Devices and Wi-Fi networks button.

   The opened window shows access rules for all devices that are included in the Device Control component classification.

4. In the Access To Storage Devices block, select Removable drives.
5. In the window that opens, select the Logging tab.
6. Turn on the Logging toggle.
7. In the File operations block, select the operations that you want to monitor: Write, Delete.
8. In the Filter by file formats block, select the formats of files whose associated operations should be logged by Device Control.
9. Select the users or group of users whose use of removable drives you want to monitor.
10. Save your changes.

As a result, when users write to files located on removable drives or delete files from removable drives, Kaspersky Endpoint Security will save information about such operations to the event log and send events to Kaspersky Security Center. You can view events associated with files on removable drives in the Kaspersky Security Center Administration Console in the workspace of the Administration Server node on the Events tab. For events to be displayed in the local Kaspersky Endpoint Security event log, you must select the File operation performed check box in the notifications settings for the Device Control component.

Page top