USB devices do not detach with USB Defender (LEM)

Created by Jason Dee, last modified by Kevin.Kessler-ret on Apr 27, 2017

Overview

A LEM rule fired to alert you of a USB device attachment, but the USB device was not detached as it should have been.

Environment

All LEM versions

Cause 

  • Your rule may not be configured with a Detach USB Device action.
  • No Windows Active Response connector is configured or running for that agent.

Resolution

Verify that the rule that sent the alert also tried to detach the device:

  1. Go to nDepth and search for the following condition during the time frame of the email alert you received: InternalRuleFired.EventInfo=*USB*
  2. Find the rule-fired event that should have detached the device and highlight it.
  3. Click the Explore drop-down in the top-right corner and choose Event.
  4. Verify that there is an InternalCommands event listed that has "Initiated Action: Detach USB Device" for the EventInfo.

Verify that there is a Windows Active Response connector configured for the affected agent:

  1. Go to Manage > Nodes and locate the agent in question.
  2. Click on its gear icon and go to Connectors.
  3. Search for the Windows Active Response connector and make sure you have an active connector with a green icon. If you do not, click on the gear next to it and create a new one.

Verify the Detach Unauthorized USB Device rule has the correct settings. It should appear as below: