Sheriff CSM™
USB Device Monitoring on Windows Systems
In Sheriff CSM version 5.3, Host Intrusion Detection System (HIDS) rules and plugins have been updated to capture USB device events on Windows machines.
Configuration Changes on the HIDS Agent
If you are deploying Sheriff CSM version 5.3 or later, you do not need to do anything. This feature is enabled by default.
If you are updating to Sheriff CSM version 5.3 or later from a previous version, and you want to use the USB device detection feature, you need to do one of the following:
- On the host you wish to monitor, remove the existing HIDS agent and redeploy it. For instructions, see Deploy Sheriff HIDS Agents to Windows Hosts.
- Alternatively, you can change the configuration on Windows manually, as detailed below.
Change the Configuration on Windows Manually
Since full_command must be configured in each Windows system's ossec.conf file, you need to change the HIDS agent configuration on every Windows machine on which you want to monitor USB devices.
To change the configuration on the client machine:
- Go to C:\Program Files (x86)\ossec-agent.
- Open ossec.conf with a text editor.
- Locate the line "<ossec_config>" and add the following configuration right below that line:
<localfile>
  <log_format>full_command</log_format>
  <command>wmic logicaldisk where drivetype=2 get deviceid, description, FileSystem, Size, VolumeSerialNumber</command>
  <frequency>60</frequency>
</localfile>
Your configuration file should look similar to this:
Some customers have reported that the wmic command above does not work in their environment. Sheriff has not been able to reproduce the problem but suspects that it may be related to newer HIDS versions or older Windows versions. If you run into the same issue, try using the following command instead, which also excludes the floppy drive A: (drivetype=2 covers all removable disks). The WQL string literal must be single-quoted inside the double-quoted where clause:
<command>wmic logicaldisk where "drivetype=2 AND NOT deviceid like 'a%'" get deviceid, description, FileSystem, Size, VolumeSerialNumber</command>
- Launch the win32ui application located in the same directory.
- Select Manage.
- Click Restart.
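As an added example (not part of the Sheriff documentation or of the HIDS plugin itself), the following Python shows what the full_command check effectively does with the output of the wmic command above: it parses wmic's fixed-width table and reports removable drives that were not present in the previous poll, using the same fields the event carries (Drive, FileSystem, Size, Serial Number). The two polls are constructed samples and assume wmic's alphabetical column order.

```python
import re
from typing import Dict, List, Optional

# Constructed wmic output: first poll, then a poll after a USB stick (E:) was
# inserted. Drive A: (floppy) is also drivetype=2, which is why the alternate
# command on this page filters it out.
HEADER = "Description       DeviceID  FileSystem  Size         VolumeSerialNumber"
BEFORE = "\n".join([HEADER, "Removable Disk    A:"])
AFTER = BEFORE + "\n" + "Removable Disk    E:        FAT32       15728640000  1A2B3C4D"


def parse_wmic_table(text: str) -> List[Dict[str, str]]:
    """Split wmic's fixed-width table into dicts keyed by column header.
    Each header word starts a column that runs to the next header's offset."""
    lines = [ln.rstrip("\r") for ln in text.splitlines() if ln.strip()]
    if not lines:
        return []
    header = lines[0]
    starts: List[Optional[int]] = [m.start() for m in re.finditer(r"\S+", header)]
    ends = starts[1:] + [None]
    names = [header[s:e].strip() for s, e in zip(starts, ends)]
    return [
        {n: ln[s:e].strip() for n, s, e in zip(names, starts, ends)}
        for ln in lines[1:]
    ]


def new_usb_devices(previous: str, current: str) -> List[Dict[str, str]]:
    """Return drives present in `current` but absent from `previous`.
    The key includes the volume serial so swapping sticks on the same drive
    letter is still reported. A: is skipped, mirroring the alternate command."""
    def key(row: Dict[str, str]):
        return (row.get("DeviceID", ""), row.get("VolumeSerialNumber", ""))

    seen = {key(r) for r in parse_wmic_table(previous)}
    found = []
    for row in parse_wmic_table(current):
        if row.get("DeviceID", "").upper().startswith("A:"):
            continue
        if key(row) not in seen:
            found.append({
                "Drive": row.get("DeviceID", ""),
                "FileSystem": row.get("FileSystem", ""),
                "Size": row.get("Size", ""),
                "Serial Number": row.get("VolumeSerialNumber", ""),
            })
    return found


if __name__ == "__main__":
    for dev in new_usb_devices(BEFORE, AFTER):
        print("New USB Device Found:", dev)
```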

Verification
Once USB activity has been detected on that host, you should be able to see new Sheriff HIDS events with the event name Sheriff HIDS: New USB Device Found. The Event Details pane includes information about Drive, FileSystem, Size, and Serial Number:
Sheriff Vigilante Limitations: Both Sheriff Vigilante and the Sheriff CSM HIDS decoders are fully featured, with all of their information coming from the Plugin Feed Updates that Sheriff CSM and Sheriff Vigilante provide. However, Sheriff Vigilante lacks the depth of NIDS information that is provided to Sheriff CSM through the Threat Intelligence Updates.