cancel
Showing results for 
Search instead for 
Did you mean: 

DLP log copied files to removable media

Jump to solution

Hello. I currently have a rule set that has two rules:

1. Removable Storage Protection. Any data, any user, any application, outgoing to removable media. I have no action on it other than Report Incident checked.

2. Removable Media Storage Device rule to make all removable storage Read-Only.

When a client goes into bypass mode, I do not get anything in the Incident Manager for a file copy which is supposed to be logged and covered by my first rule.

The second rule does log in the Incident Manager when a device is plugged in.

Any idea why the data/file isn't be logged that is copied?

 

Many thanks,

Shane

1 Solution

Accepted Solutions

Re: DLP log copied files to removable media

Jump to solution

I have figured this out. In my Windows Client Configuration policy, under Opertaional Mode and Modules, I did not have the Reporting Service or Removable Storage Protection Advanced Options enabled.

3 Replies

Re: DLP log copied files to removable media

Jump to solution

Hi Shane,

     Client entering bypass mode will bypass all DLP policy

     In your case, I do suggest you can add a Removable device exception list other than using bypass mode

Tony

 

Re: DLP log copied files to removable media

Jump to solution

Hi Tony,

I have added an AD group at the Policy level under Settings > Privileged Users. I have test this with the ruleset in that policy. The Device Control Rule for Read-Only is still logged as an Incident when a device is plugged in with a priveleged user. However, my other Data Protection Rule to log copied files does not record an incident when a file is copied.

The set-up is:

Condition (tab)

Classification: is any data (ALL)
and End-User: is any user (ALL)
and Application copying the file: is any application (ALL)
and Copy Direction: Outgoing - Copy or Save to removable storage
and Removable Media: CD and DVD devices, Removable Storage devices

Nothing on the Exceptions tab.

Reaction (tab)

Action: No Action
User Notification: [blank]
Report Incident: Report Incident

What am I missing here?

Re: DLP log copied files to removable media

Jump to solution

I have figured this out. In my Windows Client Configuration policy, under Opertaional Mode and Modules, I did not have the Reporting Service or Removable Storage Protection Advanced Options enabled.

More McAfee Tools to Help You
  • Subscription Service Notification (SNS)
  • How-to: Endpoint Removal Tool
  • Support: Endpoint Security
  • eSupport: Policy Orchestrator
  • Community Help Hub

      New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

    • Find Forum FAQs
    • Learn How to Earn Badges
    • Ask for Help
    Go to Community Help

    Join the Community

      Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

    • Get helpful solutions from McAfee experts.
    • Stay connected to product conversations that matter to you.
    • Participate in product groups led by McAfee employees.
    Join the Community
    Join the Community