Prevent a user from stopping the USB Defender service

Updated February 14, 2017

Overview

Users in your environment have administrator access and are able to disable their SolarWinds Log and Event Manager USB Defender service so they can attach their USB devices.

Although it is possible to remove certain permissions from the service to prevent users from adjusting it, that falls far into Windows territory, so we'll be covering alternative responses you can configure on your LEM.

Environment

  • All LEM versions
  • USB Defender installed on Windows hosts
  • Users of those hosts have access to stop services

Steps

Using ServiceStop events, we can easily clone a rule template to monitor for USB Defender stoppage and perform actions such as automatically restarting the service or sending an email alert to you.

  1. Go to Build > Rules and search for USB.
  2. Locate the USB-Defender Service Stopped template in the bottom section, click the gear icon, and clone it.
  3. Choose a user to receive the email alert in the Users dropdown.
  4. If you want to automatically restart the service, drag the Start Windows Service action from the Actions section on the left to below the Send Email Message action on the right.
  5. Populate the Agent and Service Name boxes in that section for this to function.
    1. Expand the Events section in the top left corner and locate the ServiceStop event.
    2. Drag the InsertionIP field from the Fields section on the left to the Agent box on the right.
    3. Drag the ServiceName field from the Fields section on the left to the Service Name box on the right.
    4. Save and then Activate the rule.
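
The Overview mentions removing permissions from the service as the Windows-side alternative. The following added example (not SolarWinds code) parses a service security descriptor in the form printed by `sc.exe sdshow <service>` and lists which trustees hold stop, reconfigure, or permission-changing rights; the sample descriptor is constructed and the function names are this example's own.

```python
import re

# SDDL right codes as they apply to a Windows service object.
WATCHED = {"WP": "SERVICE_STOP", "DC": "SERVICE_CHANGE_CONFIG",
           "WD": "WRITE_DAC", "WO": "WRITE_OWNER"}
# Generic rights expand to these watched rights on a service.
GENERIC = {"GA": {"WP", "DC", "WD", "WO"}, "GX": {"WP"}, "GW": {"DC"}}
# The same rights as access-mask bits, for ACEs written in hex.
MASKS = {"WP": 0x20, "DC": 0x2, "WD": 0x40000, "WO": 0x80000,
         "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000}

def ace_codes(rights):
    """Return the watched right codes granted by one ACE rights field."""
    if rights.lower().startswith("0x"):
        mask = int(rights, 16)
        codes = {code for code, bit in MASKS.items() if mask & bit}
    else:
        codes = set(re.findall(r"[A-Z]{2}", rights))
    for generic, implied in GENERIC.items():
        if generic in codes:
            codes |= implied
    return codes & set(WATCHED)

def who_can_tamper(sddl):
    """Map trustee -> sorted right names from allow ACEs in the DACL.

    Lists ACEs only; it does not resolve group membership or deny ACEs
    into effective access.
    """
    dacl = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    found = {}
    for ace in re.findall(r"\(([^)]*)\)", dacl.group(1) if dacl else ""):
        fields = ace.split(";")
        if len(fields) < 6 or fields[0] != "A":
            continue  # skip deny/audit ACEs and malformed entries
        names = {WATCHED[code] for code in ace_codes(fields[2])}
        if names:
            found.setdefault(fields[5], set()).update(names)
    return {sid: sorted(names) for sid, names in found.items()}

# Constructed sample descriptor (SY = Local System, BA = Administrators,
# IU = interactive users, SU = service logon users).
SAMPLE = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
          "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
          "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
          "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")

if __name__ == "__main__":
    for sid, rights in who_can_tamper(SAMPLE).items():
        print(sid, ", ".join(rights))
```

A trustee that keeps WRITE_DAC or WRITE_OWNER can grant itself SERVICE_STOP again, which is why the rule above is still worth having on hosts where users are administrators.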

Last modified
00:50, 15 Feb 2017
