ePO Build: ePolicy Orchestrator 5.10.0 (Build 2408)
I have already set up DLP and the storage path on a temp location. I am now trying to change it to a prod location, but will not accept my changes. I already followed the tip on https://community.mcafee.com/t5/Data-Loss-Prevention-DLP/DLP-Evidence-Path/m-p/518459?search-action-... but it's not working for me.
I tried to recreate the new location following the steps shown in https://docs.mcafee.com/bundle/data-loss-prevention-endpoint-11.0.500-installation-guide/page/GUID-6... but it's still not working. All test incidents generated have already been purged and the contents of the previous evidence folder has been deleted as well.
What else am I missing?
Can you be a bit more specific?
There is many scenarios I amcompiling in my head as to what you are experiencing.
Here is what I thinking.
Scenario 1: You create the share - truigger a rule and collect the evidence, but nothing is being created on the new share?
Scenario 2: you can create the share, you GET the evidencebut the next thing you oknow all the evidence and files are gone the next day (or something liek that)
Let me know if I am way off base here.
It is definitely Scenario 1. I created and shared the folder as specified in the instructions, marking it as share$ to make it hidden, whereas the first time i did it, it did not have the $. I can confirm that the shared folder is writable by Everyone as well, including the DLP server.
Now, whenever I type in the new share location in DLP Settings > Storage Share or in Policy Catalog > Windows Client Configuration > Default Windows Client Configuration > Evidence Copy Service > Storage Share, then click Save, it saves the changes. But when I change the page, it reverts back to the old share location and tells me "Changes will not be saved if you continue" even though I did not change it back.
Then I check the new storage location, and it's blank. I was expecting to see the evidence folders in them.
I was finally able to make it work! I just changed the evidence folder share from "share$" to "share". I know the share should still remain hidden but I will revisit that some time, as it is currently functional...
I was too focused on the Storage Path changing values but apparently it was still taking effect as long as I did not save the changed path.