Submit a ticketCall us

Welcome to the NEW Success Center. Search all resources (documentation, videos, training, knowledge base articles) or browse resources by product. If you are unable to find what you are looking for, please contact us at customersuccess@solarwinds.com

 

 

 

 

Home > Success Center > Log & Event Manager (LEM) > USB devices do not detach with USB Defender

USB devices do not detach with USB Defender

Created by Jason Dee, last modified by MindTouch on Jun 23, 2016

Views: 985 Votes: 0 Revisions: 7

Overview

A rule fired to alert you of a USB device attachment, but the USB device was not detached as it should have been.

 

Environment

All LEM versions

 

Cause 

  • Your rule may not be configured with a Detach USB Device action.
  • No Windows Active Response connector is configured or running for that agent.

 

Resolution

Verify that the rule that sent the alert also tried to detach the device:

  1. Go to nDepth and do a search for the following condition during the time frame of the email alert you received: InternalRuleFired.EventInfo=*USB*
  2. Find the rule fired event that should have detached the device and highlight it.
  3. Click on the Explore dropdown on the top right corner and choose Event.
  4. Verify that there is an InternalCommands event listed that has "Initiated Action: Detach USB Device" for the EventInfo.

 

Verify that there is a Windows Active Response connector configured for the affected agent:

  1. Go to Manage > Nodes and locate the agent in question.
  2. Click on its gear icon and go to Connectors.
  3. Search for the Windows Active Response connector and make sure you have an active connector with a green icon. If you do not, click on the gear next to it and create a new one.

 

Verify the Detach Unauthorized USB Device rule has the correct settings. It should appear as below:

 

 

 

 

 

Last modified
20:24, 22 Jun 2016

Tags

Classifications

Public