eg123
Level 9
Message 1 of 5

DLPe: questions on how to purge DLP evidence

Hi guys,

After doing a lot of Google searching I was still not sure of the procedure for purging DLPe evidence via an ePO server task.

Below is a short summary of my understanding of how to purge DLPe evidence:

Step 1: create a purge incidents task under ePO -> DLP Incident Manager -> Incident Tasks -> Data in-use/motion - History

Step 2: run the "DLP Purge History of Operational Events and Incidents" server task under ePO -> Server Tasks; the associated evidence is then marked for deletion and moved to the pendingDelete folder

Step 3: as per the DLPe product guide, the evidence in the pendingDelete folder is deleted permanently after 2 months.

 

Question 1: are the above steps correct?

Question 2: the ePO server task "DLP delete unassociated evidence files" is used to delete evidence generated by early versions of DLPe (11.0.300 and earlier), is that correct?

Question 3: if the evidence is not required by another incident or operational event in the database, and I run "DLP purge evidences", the evidence in the pendingDelete folder will be deleted immediately, right?

By the way, sorry for so many questions. I'm also testing in my lab but it failed; per orion.log there seem to be issues with my DLPe database table, so I would like to have your suggestions first. Thanks in advance!

4 Replies
Mreaden
McAfee Employee
Message 2 of 5

Re: DLPe: questions on how to purge DLP evidence

Question 1: are the above steps correct?

The steps you mentioned should allow you to delete evidence. However, 11 Patch 3 and later versions should have the server tasks below, which can be used to purge evidence.

The "DLP Purge History of Operational Events and Incidents" server task will delete events and incidents from the HISTORY database tables and mark evidence files for deletion. If the event or incident is still in the LIVE incidents and operational events list tables, this task will delete them from the LIVE tables.

The "DLP purge evidences" task will delete evidence files that were marked for deletion. Recommended to run on a weekly basis.

Question 2: the ePO server task "DLP delete unassociated evidence files" is used to delete evidence generated by early versions of DLPe (11.0.300 and earlier), is that correct?

This is correct.

Question 3: if the evidence is not required by another incident or operational event in the database, and I run "DLP purge evidences", the evidence in the pendingDelete folder will be deleted immediately, right?

The items in the pendingDelete table will be purged when the DLP Purge Evidence task is run. By default it runs weekly; however, you can modify the schedule so it runs when you desire.

eg123
Level 9
Message 3 of 5

Re: DLPe: questions on how to purge DLP evidence

Hi Eaden,

Thanks for your information. I just resolved the DLP extension issue in my lab and started testing how to purge evidence, but it seems there is still something going wrong.

I triggered a web post rule with report incident/store evidence selected in the rule, then sent the incident to ePO; the evidence was also successfully uploaded to the evidence share. Then I ran the "DLP Purge History of Operational Events and Incidents" task to delete this single web post incident, and confirmed the evidence was moved to the pendingDelete folder. At last I ran the "DLP purge evidences" task, but it seems the evidence is still in the pendingDelete folder and was not deleted. I checked the ePO server task log and the "DLP purge evidences" task returned no errors, just saying 'total files scanned: 1, total files restored: 0, total failures: 0'.

Any ideas? Thanks in advance.

eg123
Level 9
Message 4 of 5

Re: DLPe: questions on how to purge DLP evidence

By the way, the evidence share is on the ePO server. I also tried putting the evidence share on another server and adding the ePO computer account to the share permission settings, with the same result.

Moshed
Level 7
Message 5 of 5

Re: DLPe: questions on how to purge DLP evidence

Hello,

After having the same issue I found something that might explain the process:

"When you purge incidents with the DLP Purge History of Operational Events and Incidents server task, the related evidence files are marked for deletion. The files are held for two calendar months, and if not required by another incident or operational event in the database, the files are deleted with the DLP purge evidences server task. By default, this server task runs weekly."

 

https://docs.mcafee.com/bundle/data-loss-prevention-11.0.500-product-guide/page/GUID-25905EA2-CD17-4...

 

Moshe
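As an added example (not from the original thread and not McAfee code), the script below audits a pendingDelete folder against the two-calendar-month hold quoted above, which is why a freshly marked evidence file survives a "DLP purge evidences" run that reports one file scanned and zero failures. It assumes a file's last-modified time stands in for the moment it was marked for deletion; the real product tracks that in its own pendingDelete table, which this script does not read, so treat its output as an approximation. The folder and sample files are constructed in a temporary directory.

```python
"""Audit a DLPe pendingDelete folder against the two-calendar-month hold.

Added example, not McAfee code. ASSUMPTION: a file's last-modified time is
used as the moment it was marked for deletion; the product keeps that in its
own pendingDelete table, which this script does not read.
"""
import calendar
import os
import tempfile
from datetime import datetime, timedelta

HOLD_MONTHS = 2  # "held for two calendar months" per the product guide quote


def add_calendar_months(when: datetime, months: int) -> datetime:
    """Advance `when` by whole calendar months, clamping the day to the
    last day of the target month (31 Dec + 2 months -> 28/29 Feb), which
    is where a naive "60 days" calculation and a calendar hold diverge."""
    month_index = when.month - 1 + months
    year = when.year + month_index // 12
    month = month_index % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return when.replace(year=year, month=month, day=min(when.day, last_day))


def eligible_on(marked: datetime) -> datetime:
    """First instant at which a file marked at `marked` may be purged."""
    return add_calendar_months(marked, HOLD_MONTHS)


def eligible_date(year: int, month: int, day: int) -> str:
    """ISO date on which a file marked on the given date becomes eligible."""
    return eligible_on(datetime(year, month, day)).date().isoformat()


def audit(folder: str, now: datetime) -> dict:
    """Classify every file under `folder` as 'held' or 'eligible' at `now`.
    Returns the scanned count plus (relative path, marked, release) tuples,
    mirroring the server task log's 'total files scanned' line."""
    report = {"scanned": 0, "held": [], "eligible": []}
    for root, _dirs, files in os.walk(folder):
        for name in files:
            path = os.path.join(root, name)
            marked = datetime.fromtimestamp(os.path.getmtime(path))
            release = eligible_on(marked)
            report["scanned"] += 1
            entry = (os.path.relpath(path, folder),
                     marked.date().isoformat(), release.date().isoformat())
            bucket = "eligible" if now >= release else "held"
            report[bucket].append(entry)
    return report


def demo() -> dict:
    """Constructed pendingDelete folder: one evidence file marked yesterday
    (the poster's situation) and one marked on 31 Dec of the previous year,
    audited on 1 Mar 2020. Sample data only."""
    now = datetime(2020, 3, 1, 12, 0, 0)
    samples = (
        ("web_post_incident.evd", now - timedelta(days=1)),
        ("last_year.evd", datetime(2019, 12, 31, 9, 0, 0)),
    )
    with tempfile.TemporaryDirectory() as folder:
        for name, marked in samples:
            path = os.path.join(folder, name)
            with open(path, "wb") as fh:
                fh.write(b"constructed evidence payload")
            ts = marked.timestamp()
            os.utime(path, (ts, ts))  # backdate mtime to the mark time
        return audit(folder, now)


if __name__ == "__main__":
    result = demo()
    print(f"scanned: {result['scanned']}")
    for label in ("held", "eligible"):
        for rel, marked, release in result[label]:
            print(f"  {label:8s} {rel}  marked {marked}  releasable {release}")
```

Run against a real share, point `audit()` at the pendingDelete path and pass `datetime.now()`; a file listed under "held" is the expected outcome of a purge run before its release date, not a permissions failure, while a file still present after its release date is the case worth raising with support.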
