CSA 5.2: Logging removable media

Unanswered Question
Feb 10th, 2010

We are currently using CSA 5.2 and I'm trying to figure out a way to log whenever a user attempts to use removable media on the network. Specifically, USB flash drives. I know there is already a data theft prevention module that protects sensitive data and applications, but I'm trying to log any and all access, even if they just plug the drive in and do nothing with it. Is this even possible? If not, is it possible with newer versions?

Thank you,


I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
tsteger1 Thu, 02/18/2010 - 15:22

Create a file set called USB







Create a File Access Control rule and set it to monitor this file set and you should see all USB drives plugged in to your hosts.


JayB1rd76 Fri, 02/26/2010 - 10:26

Thanks Tom,

I'm pretty sure I tried something similar before, but I tried it exactly as you've shown here and I still get nothing. I tried plugging a usb drive into a pc while logged in as a regular user and CSA still didn't pick anything up. I've attached a screenshot of the rule as I created it. What I was unsure of was what I should set the enforcement action as and what to set the Application Class as:

In this case I've set the Application Class as "All Applications" and "Applications on Removable Media" . In both cases, I couldn't get CSA to detect anything for USB drives.

Thanks again,


tsteger1 Mon, 03/01/2010 - 17:26

It would need to be and the fileset would need to be as I described it.

It is working for me on 5.2.262.

Here are screenshots of my rule and fileset.

JayB1rd76 Mon, 03/08/2010 - 11:28

I set mine up exactly as your screenshots show. Still nothing. I'm using 5.2.203. I think it may be that I need to update our version.

tsteger1 Mon, 03/08/2010 - 13:19

Well, I can't explain it.

You can check the release notes to see if something like that was fixed in later versions.

You may also have something else stepping on it.


This Discussion