I would like to request a change in Symantec Endpoint Protection client (SEP) and Symantec Endpoint Protection Manager (SEPM) to allow the Administrator to change the Severity level on Enabled USB devices so that SEP will send a notification back to SEPM that can generate an email alert, similar to the way SEP communicates a DISABLED USB device. In my production clients, I periodically see alerts/notifications from SEPM that a USB Device has been disabled. Within about 60 seconds (approx.) after the device is disabled, SEP will enable the device, only notifying the fraudster standing in front of the PC that the device has been enabled. SEP does not pass a message back to SEPM that this has happened. I believe this is because enabled USB devices is hard coded to a severity level 2, which results in no message being passed back to SEPM and subsequently, SEPM does not push out an alert via email to the administrator.
In my experience with SEP/SEPM, I have seen notifications come through for HP laserJet P1102W, P1606 printers, wireless keyboard and mouse adapters, webcams, document imagers, receipt printers, etc. that connect via usb, that SEP/SEPM are reporting as disabled, however when I remotely connect to the endpooint, I find the device is functioning fully. It is extremely difficult to determine when SEP disables a device as it should, and when it temporarily disables a device. I literally have to follow up behind SEP every time it notifies me of a disabled device and confirm whether the device was actually disabled permanently, or just temporarily. Having this “enabled” notification for previously disabled devices would be a tremendous re-assurance that my supermarkets are really protected against malicious USB devices being attached to my company-owned equipment.