Skip navigation
McAfee Secure sites help keep you safe from identity theft, credit card fraud, spyware, spam, viruses and online scams
977 Views 2 Replies Latest reply: Nov 14, 2012 12:10 PM by georgec RSS
mcafeee Newcomer 40 posts since
May 6, 2009
Currently Being Moderated

Oct 31, 2012 4:28 AM

cd-rw usage



Can anyone advise on the best way to monitor usage of cd-writers though DLP, just to see who is using them, and if possible what they are writing (just the file names) ?



  • epository Apprentice 89 posts since
    Jan 23, 2010
    Currently Being Moderated
    1. Nov 14, 2012 6:18 AM (in response to mcafeee)
    Re: cd-rw usage

    You have to create a Device Definition in DLP Policy for CD/DVD drives.


    then you have to create a Device Rule and include the CD/DVD drives and set it to Monitor.


    Now, you can either use Active Directory and create a User Access Group under DLP Policies and add the "Everyone" group or you can create a DLP Computer Assignement Group policy and assign it to the root of your System Tree.


    These should tell you when a CD/DVD is accessed on a computer.


    That being said, it wont tell you if files were copied to or from the CD and it wont track which files were burned.



    Its best to just create a CD/DVD Device rule and make all the devices read-only and create a security group in AD to put authorized users into.  Your CIO should write up a policy for this.

  • georgec Champion 244 posts since
    Sep 9, 2010
    Currently Being Moderated
    2. Nov 14, 2012 12:12 PM (in response to mcafeee)
    Re: cd-rw usage

    You need to do an inventory of the cd/dvd burner applications and identify the processes that access the disk when writing files. process monitor is a goot tool for doing this


    One you have a list of the applications, you can create an application protection rules that monitor the cd/dvd writing processes that access data from the disk. The downside is that if someone writes a lot of files, you'll get a hell lot of events. (one per file)



    Using device control rules will create one event when the system boots and loads the cd/dvd drivers, but that's about it, you don't get information about what was copied. Removable storage protection rule doesn`t cover the cd/dvd.


    Message was edited by: georgec on 11/14/12 12:12:35 PM CST

More Like This

  • Retrieving data ...

Bookmarked By (0)


  • Correct Answers - 5 points
  • Helpful Answers - 3 points