
Using the Detach USB Device Active Response

Created by Caroline Juszczak, last modified by Kevin.Swinson on Oct 27, 2017


Use the Windows active response to detach a USB device from a LEM agent running USB Defender. This action is useful for allowing only specific devices to be attached to your Windows computers, or for detaching any device exhibiting suspicious behavior. It can be automated in a LEM rule or executed manually from the Respond menu in LEM Console > Node List.

USB Defender is an option offered when the agent is originally installed. If it was not installed at that time, reinstall the agent with USB Defender. Additionally, configure the Windows Active Response tool on each LEM agent where you require an active response.

Verify that USB Defender is installed on a LEM agent

  1. Open your LEM console and log in to your LEM Manager as an administrator.
  2. Click Manage > Nodes.
  3. If you have a long list of nodes, filter your list using the Node, OS, or USB drop-down menus.

    You can install USB Defender only on Windows agents.

  4. Locate the USB icon in the USB column, indicating that USB Defender is installed on the node.
  5. If USB Defender is not installed on one or more LEM agents, reinstall the agent and ensure that you select Install USB-Defender after you confirm the Manager Communication Settings.

Configure the Windows Active Response connector on a LEM agent

  1. Open your LEM Console and log in to your LEM Manager as an administrator.
  2. Click Manage > Nodes.
  3. Locate the LEM agent that requires a new connector.
  4. Click the gear icon next to the agent and select Connectors.
  5. Enter Windows Active Response in the Refine Results search box.
  6. Click the gear icon next to the connector and select New.
  7. Enter a custom alias name for the new connector, or accept the default.
  8. Click Save.
  9. Click the gear icon next to the new connector and select Start.
  10. Click Close to exit the Connector Configuration window.

Detach USB devices

By default, USB devices are audited, and the USB File Audit Activity filter displays those events. The filter is set for FileAuditAlerts.ProviderSID=*USB*. To monitor all USB device activity, create a filter for AnyAlert.ProviderSID=*USB*.

USB devices are not detached by default. You must configure a rule to detach the device. The Templates grid includes several templates you can clone and modify as needed.

You can enforce USB Defender policy locally using the USB Defender local policy connector.
