sidene
Level 8
Message 1 of 4

DLP 11.2 Incidents missing and not reported where no action is configured

Hi All,

I have set up DLP Endpoint for our network.

The initial requirement was to notify the IT manager about users connecting USB drives to laptops.

I have configured a DLP rule to report an incident and take no action when a user connects a USB to a Windows laptop.

Also, I had a test rule which blocked the USB access for a test laptop.

Then I created an automatic mail notification to send DLP incidents.

Now these things happened:

  1. Configured USB block policy on the test machine and the incidents were reported in the incident manager.
  2. Configured monitoring policy to report USB plug and no incidents were updated in the incident manager. I know devices were connected because I have automatic responses configured from ENS Exploit Prevention to report USB plugs.
  3. Configured email notifications to send emails for all incidents. Yesterday one laptop was installed with DLP and assigned the monitoring policy (not blocking) and I received the email.
  4. When I checked today, no incidents were reported for that laptop.
  5. Also, I checked again with another laptop by connecting USB multiple times, but no emails came and no incidents were reported.
  6. I checked the server task log and it shows the task processed with no events.

Can you please shed some light on what to do in this situation?

 

thanks

Sid

McAfee ePolicy Orchestrator 

 

 

 

3 Replies
McAfee Employee cdinet
Message 2 of 4

Re: DLP 11.2 Incidents missing and not reported where no action is configured

The first thing to check is whether there are any errors in the agent logs regarding getting events from DLP and/or sending them to ePO. The masvc log will show communication, and the macompatsvc log will show issues with the agent and point product communications. The logs are in c:\programdata\mcafee\agent\logs.

You would then possibly need to check with the DLP team for anything else.

 

Was my reply helpful?
If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?
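
One way to run the log check described in the reply above, as an added example that is not part of the original thread and not McAfee tooling. Only the log directory and the masvc/macompatsvc log names come from the reply; the file-name wildcards, the keyword list and the 24-hour window are assumptions to adjust for your environment.

```powershell
# Added example. Directory and log names are from the reply above;
# the wildcards, keywords and time window below are assumptions.
$logDir   = 'C:\ProgramData\McAfee\Agent\logs'
$patterns = 'masvc*.log', 'macompatsvc*.log'   # assumed file-name patterns
$keywords = 'error|fail|dlp'                   # assumed keywords (case-insensitive regex)
$since    = (Get-Date).AddHours(-24)           # only logs written in the last day

if (-not (Test-Path -Path $logDir)) {
    Write-Output "Log directory not found: $logDir"
    return
}

# Collect matching lines from each recently written agent log.
$hits = foreach ($p in $patterns) {
    Get-ChildItem -Path $logDir -Filter $p -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $since } |
        Select-String -Pattern $keywords |
        Select-Object Filename, LineNumber, Line
}

if (-not $hits) {
    Write-Output "No lines matching '$keywords' in agent logs written since $since"
    return
}

# Per-file summary first, so it is clear which log is reporting problems.
$hits | Group-Object Filename |
    Select-Object @{ Name = 'Log'; Expression = { $_.Name } }, Count |
    Format-Table -AutoSize

# Then the most recent matches, for comparison against the time the USB
# device was plugged in on the test laptop.
$hits | Select-Object -Last 40 | Format-Table -AutoSize -Wrap
```

Run it on the affected laptop shortly after connecting a USB device, so that any matching lines can be lined up with the test.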

sidene
Level 8
Message 3 of 4

Re: DLP 11.2 Incidents missing and not reported where no action is configured

Can you move it to DLP section?

 

thanks

Sid

McAfee Employee DLP_RS
Message 4 of 4

Re: DLP 11.2 Incidents missing and not reported where no action is configured

So if I understand correctly, the issue is related to the scenario below:

"Configured monitoring policy to report USB plug and no incidents were updated in the incident manager. I know devices were connected because I have automatic responses configured from ENS Exploit Prevention to report USB plugs".

If a device has a reaction (Monitor), it will still be creating events/incidents. On a single machine, please create a new rule in a ruleset and a new policy. Now check if the Monitor Only rule is triggering. If needed, you can remove the DLP client and re-deploy it before assigning the new DLP policy.

 
