SEP is a unique product which allows you to create effective application and device control policies to stop threats. Today I'm going to show you how to log applications which run from removable drives and receive a scheduled report by e-mail. Such a report proactively assists in detecting new malware samples that passed through SEP undetected.
SEPM uses one of two database types: the embedded database or Microsoft SQL Server. This article covers MS SQL Server 2005 only, since the custom query relies on built-in stored procedures (Database Mail) that are not available in the embedded DB. To start working you need to do the following:
1) Configure MS SQL 2005 Database Mail
2) Import the "Log programs which run from removable drives" application control policy (attached)
Enable the policy and assign it to the SEP group whose USB activity you want to monitor
3) Import the MS SQL query (attached)
It may take some time to get the first results, depending on users' USB activity. You can copy some applications to your USB drive, plug it into any computer (it should be a member of a group which has the "Application Control" policy) and then run them one by one. After 5-10 minutes open MS SQL Management Studio and execute the SQL query. What do you see now?
4) Import the MS SQL query - HTML (attached)
It does the same thing, except that it sends the query results, formatted as HTML / XML, to the recipient defined in the query.
5) To schedule the query you should create a new SQL Server Agent job
In SQL Server Management Studio, expand the tree:
<SQL Server Name>
SQL Server Agent
Right-click the Jobs node to add a new one.
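For readers who want to see how steps 4 and 5 fit together in T-SQL, here is an added example (not the attached query from this post). It assumes placeholder names: the SEPM database is [sem5], the attached query's selection is exposed as a view dbo.v_RemovableDriveLaunches with columns EventTime, ComputerName, UserName and ProcessPath, the Database Mail profile is 'SEPM Reports', and the recipient is secops@example.com.

```sql
-- Added example, not the attached query. Assumed names (placeholders):
-- SEPM database [sem5]; view dbo.v_RemovableDriveLaunches (EventTime,
-- ComputerName, UserName, ProcessPath); Database Mail profile
-- 'SEPM Reports'; recipient secops@example.com.
USE sem5;
GO
CREATE PROCEDURE dbo.usp_SendRemovableDriveReport
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @rows NVARCHAR(MAX), @html NVARCHAR(MAX);

    -- One <tr> per event; the unnamed '' columns keep the <td> cells apart.
    -- FOR XML entitises < > & in file names, so an executable with a
    -- crafted name cannot inject markup into the mail body.
    SET @rows = CAST((
        SELECT td = CONVERT(NVARCHAR(19), EventTime, 120), '',
               td = ComputerName, '',
               td = UserName, '',
               td = ProcessPath, ''
        FROM dbo.v_RemovableDriveLaunches
        WHERE EventTime >= DATEADD(HOUR, -24, GETDATE())
        ORDER BY EventTime DESC
        FOR XML PATH('tr'), TYPE) AS NVARCHAR(MAX));

    -- No launches in the window: send nothing rather than an empty report.
    IF @rows IS NULL RETURN;

    SET @html = N'<h3>Applications run from removable drives (last 24 h)</h3>'
              + N'<table border="1"><tr><th>Time</th><th>Computer</th>'
              + N'<th>User</th><th>Process</th></tr>' + @rows + N'</table>';

    EXEC msdb.dbo.sp_send_dbmail
        @profile_name = N'SEPM Reports',
        @recipients   = N'secops@example.com',
        @subject      = N'SEP: applications run from removable drives',
        @body         = @html,
        @body_format  = N'HTML';
END;
GO

-- Step 5 in T-SQL: a SQL Server Agent job that runs the procedure daily
-- at 07:00 (freq_type 4 = daily, freq_interval 1 = every day).
USE msdb;
GO
EXEC dbo.sp_add_job         @job_name = N'SEP removable-drive report';
EXEC dbo.sp_add_jobstep     @job_name = N'SEP removable-drive report',
    @step_name = N'Send report', @subsystem = N'TSQL', @database_name = N'sem5',
    @command = N'EXEC dbo.usp_SendRemovableDriveReport;';
EXEC dbo.sp_add_jobschedule @job_name = N'SEP removable-drive report',
    @name = N'Daily 07:00', @freq_type = 4, @freq_interval = 1, @active_start_time = 070000;
EXEC dbo.sp_add_jobserver   @job_name = N'SEP removable-drive report';
GO
```

The SQL Server Agent service account needs EXECUTE on the procedure and membership in the DatabaseMailUserRole in msdb for the send to succeed.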
The final result:
Thank you for giving this solution.
Great Workaround Solution !!!!
will be helpful in corporate networks.