
Default Evidence Storage

ePO Build: ePolicy Orchestrator 5.10.0 (Build 2408)

DLP 11.0.600.72

 

I have already set up DLP and the storage path on a temp location. I am now trying to change it to a prod location, but it will not accept my changes. I already followed the tip on https://community.mcafee.com/t5/Data-Loss-Prevention-DLP/DLP-Evidence-Path/m-p/518459?search-action-... but it's not working for me.

I tried to recreate the new location following the steps shown in https://docs.mcafee.com/bundle/data-loss-prevention-endpoint-11.0.500-installation-guide/page/GUID-6... but it's still not working. All test incidents generated have already been purged and the contents of the previous evidence folder have been deleted as well.

What else am I missing?

TIA,

Jomar

5 Replies
McAfee Employee Mike_D
Message 2 of 6

Re: Default Evidence Storage

Can you be a bit more specific?

There are many scenarios I am compiling in my head as to what you are experiencing.

Here is what I am thinking.

Scenario 1: You create the share, trigger a rule and collect the evidence, but nothing is being created on the new share?

Scenario 2: You can create the share, you GET the evidence, but the next thing you know all the evidence and files are gone the next day (or something like that).

 

Let me know if I am way off base here.

 

-Mike 

Re: Default Evidence Storage

Hi Mike_D,

It is definitely Scenario 1. I created and shared the folder as specified in the instructions, marking it as share$ to make it hidden, whereas the first time I did it, it did not have the $. I can confirm that the shared folder is writable by Everyone as well, including the DLP server.

Now, whenever I type in the new share location in DLP Settings > Storage Share or in Policy Catalog > Windows Client Configuration > Default Windows Client Configuration > Evidence Copy Service > Storage Share, then click Save, it saves the changes. But when I change the page, it reverts back to the old share location and tells me "Changes will not be saved if you continue" even though I did not change it back.

Then I check the new storage location, and it's blank. I was expecting to see the evidence folders in them.

McAfee Employee Mike_D
Message 4 of 6

Re: Default Evidence Storage

So, a few questions:
1. Do you have full access to ePO? Or are you under a permission set?
2. Are you saving it under "Copy evidence using local system account"?
OR "Copy evidence using the following credentials"?

Re: Default Evidence Storage

I was finally able to make it work! I just changed the evidence folder share from "share$" to "share". I know the share should still remain hidden but I will revisit that some time, as it is currently functional...

I was too focused on the Storage Path changing values but apparently it was still taking effect as long as I did not save the changed path.

 

McAfee Employee Mike_D
Message 6 of 6

Re: Default Evidence Storage

Screen shot would help.