Channel: Symantec Connect - Endpoint Protection - Discussions

SEP14 Client USB File Logging is Missing Entries

I need a solution

Our environment is SEPM / SEP version 14, and we have an Application and Device policy set up to log all USB file transfers; however, we noticed the logging is inconsistent.

For example, someone in our robocopy'd 180,000 files to a USB HDD; however, our Splunk only reported approx. 300 files. I traced it back to SEPM14, which showed 300 files, and then the SEP client on their workstation showed only 300 files in the control log. I did some additional testing with some more robocopy / Windows Explorer copies (different users and workstations), and the client was only logging a very small subset of the files which were transferred.

We noticed the client control log was only set at 1MB in the policy. This has been increased to 9.999MB (max) and this has improved the logging a little, but it is only about 15/20% of total files.

Is there something incorrect with our policy, or client config? Surely SEP14 client has the ability to correctly log all file transfers?

Additionally, the logging only reports "Parameter D:/USB-Copy-Test/taskmgr.exe", which says the file copied was "D:/USB-Copy-Test/taskmgr.exe", but it doesn't log where the files were copied from.

For example, if someone copies a heap of corporate information onto an external HDD, the process doesn't show where it originated from, so the security team don't know which business group owns the data, or if pirate media is hidden on our network drives somewhere.

Is there a way to get the "source file / locate" into the logs?
