As with most companies round the world today, most of our users are now working from home via VPN. We have noticed the evidence events are not being logged but the plug-in events are. I have worked through the KBs, and it looks like it is caused by the firewall replacing the MAC addresses with a blanket one across all connected PCs. I have added the MAC address into the vendor ID in ePO, but still no evidence data is getting through; internal works fine.
Anybody come across this before, any help appreciated.
Hi @Gazcallyt ,
Thank you for posting in here.
Could you please help me in understanding the requirement with the help of screenshots and what is not happening (which rule is not working)?
We have a DLP rule set in place. When somebody copies files to and from a device, this is logged by DLP as evidence. When on the local network this works, and we can see in the incident logs the actual files that were copied. Now, because users are accessing the system remotely, these events / incidents are not being logged by ePO. Device plug-ins are being collected fine, but nothing when files are copied. I have attached screenshots. The KBs say it is caused by the VPN, in our case a WatchGuard firewall, which replaces the MAC address of the remote machine with its own (see screenshot). I have added the vendor ID in as suggested but still no joy.
Hi @Gazcallyt ,
I get it, I think you are using the Removable Storage Protection Rule under Data Protection.
When connected over VPN, is your client machine able to connect to EPO? If it's able to connect to EPO, the McAfee Agent on these VPN client machines needs to report to EPO.
Do you see the Incidents from the VPN machines in EPO DLP Incident Manager? You won't be able to download the evidence files from these Incidents if the DLP is showing as not connected to the corporate network.
Can you check the below:
1) Connect the machine to VPN
2) Copy paste data to your external thumb drive
3) Check if DLP Pop up is seen or not.
4) Open Agent Status Monitor and click on Send Events.
5) Open C:\ProgramData\McAfee\Agent\AgentEvents and check if you see any .xml files over here. If there are no .xml files seen over here, check the C:\ProgramData\McAfee\Agent\AgentEvents\Upload for any recently generated .xml files.
6) If the DLP pop-up screen is seen, there should be an event file triggered on the client and it will be sent to EPO from the C:\ProgramData\McAfee\Agent\AgentEvents location. So if the McAfee Agent is not connecting to EPO, these event files stay with the client machine itself.
Kindly check these and share your updates with us.
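Steps 5 and 6 above can be checked in one pass with the PowerShell below. It is an added example, not part of the original reply and not a McAfee tool; the `MinutesBack` parameter and the 15-minute default are assumptions, and the two folder paths are the ones named in the steps.

```powershell
# Added example: look for recently written .xml event files in the two
# McAfee Agent folders named in steps 5 and 6. Run it right after the test copy.
param(
    [int]$MinutesBack = 15   # assumption: the test copy happened in this window
)

$folders = @(
    'C:\ProgramData\McAfee\Agent\AgentEvents',
    'C:\ProgramData\McAfee\Agent\AgentEvents\Upload'
)
$cutoff = (Get-Date).AddMinutes(-$MinutesBack)

$results = foreach ($folder in $folders) {
    if (-not (Test-Path -LiteralPath $folder)) {
        [pscustomobject]@{ Folder = $folder; Status = 'Folder missing'; TotalXml = 0; RecentXml = 0; Newest = $null }
        continue
    }
    try {
        $xml = @(Get-ChildItem -LiteralPath $folder -Filter '*.xml' -File -ErrorAction Stop)
    } catch {
        # The folder may not be readable from a non-elevated session.
        [pscustomobject]@{ Folder = $folder; Status = "Cannot read: $($_.Exception.Message)"; TotalXml = 0; RecentXml = 0; Newest = $null }
        continue
    }
    $recent = @($xml | Where-Object { $_.LastWriteTime -ge $cutoff })
    $newest = $xml | Sort-Object LastWriteTime -Descending | Select-Object -First 1
    [pscustomobject]@{
        Folder    = $folder
        Status    = 'OK'
        TotalXml  = $xml.Count
        RecentXml = $recent.Count
        Newest    = if ($newest) { $newest.LastWriteTime } else { $null }
    }
}

$results | Format-Table -AutoSize

# Reading the result against step 6:
#  - .xml files present: an event was generated on the client; if it never
#    shows up in ePO, the agent-to-ePO connection is the thing to check.
#  - no .xml files in either folder: no event file was found on the client.
$totalRecent = ($results | Measure-Object -Property RecentXml -Sum).Sum
if ($totalRecent -gt 0) {
    Write-Output "Found $totalRecent recent event file(s) still on the client."
} else {
    Write-Output "No recent .xml event files found in either folder."
}
```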
It seems no .xml file is created, nor does anything show in the uploads folder. I watched the folders as it was copying and nothing gets created. ePO does not show any record of the files transferred either, which it wouldn't, but it did log that I tried to copy an executable, which is in a different policy, so it seems it is just not liking the Removable Storage Protection rule via a VPN.
But it's a bit strange that no files show in the locations you pointed out.
Hi @Gazcallyt ,
Thank you for the info. We would need a remote session to work on this to understand the machine state.
Kindly raise a support case with McAfee Support to check this further.