DLP - Block but don't tell us.

Afternoon All,

Apologies if this has already been asked - I've had a look through the forums and searches etc but not found anything.

Versions used:

McAfee Agent for Windows 4.8.0

VirusScan Enterprise 8.8.0

McAfee Data Loss Prevention 9.3.600.32

McAfee EPO 5.1.0

We currently have DLP deployed to block pretty much everything except the few devices we've whitelisted. We have an Automatic Response set up to send us an email whenever there is a "device plug" event uploaded from the agents, so we can look into the event and action as required (got to love security incident forms).

Since deploying it to a group of laptops, we are receiving 2 alert emails, along with an event in the DLP Incident Manager, every time one of the laptop users plugs in their USB printer - one for the printer itself and one for the printer's on-board card readers (I think).

Obviously we want the use of the card readers to be blocked, but we don't really want to hear about the printer every time someone uses one.

Is there a way to continue to block a device, but to set it to not create an alert for it?

I've tried looking into telling the automatic response to ignore the event if it is a specific device but the device details aren't in the available options on the filter page. Besides, this may prevent us getting the emails but will still mean there are events to action in the DLP Incident Manager.

Any help on this would be gratefully received.

Thanks in advance.

1 Reply

Re: DLP - Block but don't tell us.

Would it be easiest to 'throttle' the automatic response to only alert you once in a given time frame for the same rule triggering? You'd still get both alerts but only one email.
