I hope that someone can help me with DLP 9.1.
I have the following constellation:
- ePO Server is 4.5 Patch 3 on Windows Server 2008 SP2 (32 Bit) and McAfee Agent 4.5 Patch 1
- SQL DB is on a different Server (MS SQL 2008)
- SQL Connection is using Windows-Authentication
- We use a user called "DOMAIN\virusscan" which is DB-Owner to connect to the SQL DB
- I created a policy to deny all removable USB devices and: block, monitor and inform the user
When I change the DLP Policies, I can see in the DLP Monitor that "the policy was applied".
When I connect a USB device on the PC, the device is blocked and the user is also informed about it.
Now I open the McAfee Agent Status Monitor and collect and send the events. I see in the agent log of the client that the system sends events to the ePO server.
But I do not see these DLP client events in the DLP Monitor.
I have also verified the WCF Service test page. Everything looks good.
Hopefully someone can help me with this issue.
I also tracked an SR with McAfee Gold Support on 11.01., but until now I have got no solution for it... :-(
Have you checked that the evidence share is set correctly for the agents? Then check the permissions on the server again and make sure you have given the computers write access to it.
Has McAfee been sent the MER data for DLP yet?
Yes, I already sent the MER data to McAfee.
But perhaps there is a misunderstanding. I have not configured it "to save the copied files in the evidence".
I only want to see the client events showing which device was blocked (Product/Vendor ID of the removable drive). But this does not work. :-(
Message edited by online83 on 24.01.11 18:09:58 CET
OK, I have seen a similar issue to this and it was down to the WCF service account not having the correct SQL permissions and although the testing page worked it was still missing some permissions.
Have you checked the database to see if any events are stored in there?
SELECT TOP 100 *
FROM [ePO4_SERVERNAME].[dbo].[DLP_EventInfoView] WHERE EventTypeDisplayName = 'Devices: Device Plug'
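The two checks suggested above (the WCF service account's actual SQL permissions, and whether any DLP client events reach the database) combined into one T-SQL script; this is an added example, not from the thread or from McAfee. It assumes the database name ePO4_SERVERNAME, the view dbo.DLP_EventInfoView and the account DOMAIN\virusscan as named in this thread, and must be run by a login that may impersonate that user (e.g. sysadmin).

```sql
-- Added example: diagnose "administrative events arrive, client events do not".
-- Assumed names from the thread: database ePO4_SERVERNAME, account DOMAIN\virusscan.
USE [ePO4_SERVERNAME];
GO

-- 1. Is the Windows login mapped to a database user, and which roles does it hold?
--    No row here means the WCF service account has no user in this database at all.
SELECT dp.name AS db_user, dp.type_desc, r.name AS db_role
FROM sys.database_principals AS dp
LEFT JOIN sys.database_role_members AS rm ON rm.member_principal_id = dp.principal_id
LEFT JOIN sys.database_principals AS r  ON r.principal_id = rm.role_principal_id
WHERE dp.name = N'DOMAIN\virusscan';

-- 2. Effective permissions as seen by that user (impersonation, reverted afterwards).
--    A "test page works" check only proves CONNECT; the insert path also needs
--    rights on the DLP tables/views, so compare both result sets with what is expected.
EXECUTE AS USER = N'DOMAIN\virusscan';
SELECT permission_name FROM fn_my_permissions(NULL, 'DATABASE') ORDER BY permission_name;
SELECT permission_name FROM fn_my_permissions('dbo.DLP_EventInfoView', 'OBJECT');
REVERT;

-- 3. Which DLP event types are present at all? If only administrative event types
--    show up, client events are lost before they are written to the database.
SELECT EventTypeDisplayName, COUNT(*) AS event_count
FROM dbo.DLP_EventInfoView
GROUP BY EventTypeDisplayName
ORDER BY event_count DESC;
```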
The User-Account which we use within the WCF Service is DB-Owner of the Database.
I think a DB owner should have enough rights, shouldn't it?
Is there any possibility to get debug log files of the WCF Service?
At the moment I am not in the office. Sorry, I have to run the SQL query later.
Message edited by online83 on 25.01.11 17:00:26 CET
I did the select query, but I do not get any event.
But "administrative events" (change of the DLP policy) are located in this SQL table.
OK, this shows that the events are not getting to the database then.
Is DLP installed on many machines? Or are you just testing this at the moment?
Yes, but why are the "administrative events" in it and the "client events" not?
I see that the McAfee Agent sends events to the ePO server after a device was blocked, but nothing is in the DB... strange.
I also did the following:
Installed a Windows Server 2008 R2 64-bit server
Installed a SQL Server 2008 R2 Express DB
Installed ePO 4.5
Installed DLP 9.1
Exported the DLP policy from the "not working" ePO and imported it into the testing ePO.
Pushed the agent to a client system, rebooted and inserted a USB drive.
Sent events => I can see the "client events".
But that is not what we want :-) We would like to use our central SQL Server...
At the moment we only use two PCs with DLP installed.
We would like to use it as soon as possible, but the issue must be fixed first.
What can we do now?
Is there no possibility to enable debug logging on the WCF?
Not sure about debugging levels for DLP; it's certainly something that McAfee should be helping you with.
One thing you can do, though, is in ePO select Menu -> Reporting -> Threat Event Log, filter this to a machine with DLP and see if you get any events in there.