Kaspersky Endpoint Security 12 for Windows

Monitoring usage of removable drives

April 25, 2024

ID 134053

Monitoring usage of removable drives includes:

  • Monitoring operations on files on removable drives.
  • Monitoring connection and disconnection of trusted removable drives.

    Kaspersky Endpoint Security allows monitoring connection and disconnection of all trusted devices and not only removable drives. You can turn on event logging in notification settings for the Device Control component. Events have the Informational severity level.

To enable monitoring of removable drive usage:

  1. In the main application window, click the Application settings icon in the form of a gear wheel. button.
  2. In the application settings window, select Security ControlsDevice Control.
  3. In the Access settings block, click the Devices and Wi-Fi networks button.

    The opened window shows access rules for all devices that are included in the Device Control component classification.

    Window for configuring access to devices. The user can configure access to devices, and set additional access parameters, such as the access schedule.

    Types of devices in the Device Control component

  4. In the Access To Storage Devices block, select Removable drives.
  5. In the window that opens, select the Logging tab.

    The window for configuring the logging of events about the use of removable drives. The user can select the events to be logged.

    The settings of removable drive usage monitoring

  6. Turn on the Logging toggle.
  7. In the File operations block, select the operations that you want to monitor: Write, Delete.
  8. In the Filter by file formats block, select the formats of files whose associated operations should be logged by Device Control.
  9. Select the users or group of users whose use of removable drives you want to monitor.
  10. Save your changes.

As a result, when users write to files located on removable drives or delete files from removable drives, Kaspersky Endpoint Security will save information about such operations to the event log and send events to Kaspersky Security Center. You can view events associated with files on removable drives in the Kaspersky Security Center Administration Console in the workspace of the Administration Server node on the Events tab. For events to be displayed in the local Kaspersky Endpoint Security event log, you must select the File operation performed check box in the notifications settings for the Device Control component.

Did you find this article helpful?
What can we do better?
Thank you for your feedback! You're helping us improve.
Thank you for your feedback! You're helping us improve.