
EPO 5.10 On Site & DLP Evidence Logs Via VPN

Hi all,

As with most companies around the world today, most of our users are now working from home via VPN. We have noticed the evidence events are not being logged but the plug-in events are. I have worked through the KBs, and it looks like it is caused by the firewall replacing the MAC addresses with a blanket one across all connected PCs. I have added the MAC address into the vendor ID in ePO, but still no evidence data is getting through; internal works fine.

Anybody come across this before, any help appreciated.

Cheers

Gary

 

7 Replies

Re: EPO 5.10 On Site & DLP Evidence Logs Via VPN

Hi @Gazcallyt ,

Thank you for posting in here.

Could you please help me in understanding the requirement with the help of screenshots, and what is not happening (which rule is not working)?

 

Thank you

Regards,
Jithendran S
McAfee Employee

Re: EPO 5.10 On Site & DLP Evidence Logs Via VPN

Hi,

We have a DLP rule set in place. When somebody copies files to and from a device, this is logged by DLP as evidence. When on the local network this works; we can see in the incident logs the actual files that were copied. Now, because users are accessing the system remotely, these events / incidents are not being logged by ePO. Device plug-ins are being collected fine, but nothing when files are copied. I have attached screenshots. The KBs say it is caused by the VPN, in our case a WatchGuard firewall, which replaces the MAC address of the remote machine with its own (see screenshot). I have added the vendor ID in as suggested but still no joy.

 

Thanks

Gary


Re: EPO 5.10 On Site & DLP Evidence Logs Via VPN

Hi @Gazcallyt ,

I get it, I think you are using the Removable Storage Protection Rule under Data Protection.

When connected over VPN, is your client machine able to connect to EPO? If it's able to connect to EPO, the McAfee Agent on these VPN client machines needs to report to EPO.

Do you see the Incidents from the VPN machines in EPO DLP Incident Manager? You won't be able to download the evidence files from these Incidents if the DLP is showing as not connected to corporate Network.

 

Can you check the below:

1) Connect the machine to VPN

2) Copy paste data to your external thumb drive

3) Check if DLP Pop up is seen or not.

4) Open Agent Status Monitor and click on Send Events

5) Open C:\ProgramData\McAfee\Agent\AgentEvents and check if you see any .xml files there. If there are no .xml files there, check C:\ProgramData\McAfee\Agent\AgentEvents\Upload for any recently generated .xml files.

6) If the DLP pop-up screen is seen, there should be an event file triggered on the client and it will be sent to EPO from the C:\ProgramData\McAfee\Agent\AgentEvents location. So if McAfee Agent is not connecting to EPO, these event files stay with the client machine itself.

 

Kindly check these and share your updates with us.

 

Regards,
Jithendran S
McAfee Employee
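
An added example, not part of the reply above and not McAfee tooling: a PowerShell watcher for steps 5 and 6 that records every .xml file created, renamed or deleted in the two folders named in the reply while the test copy is done, so a file that exists only briefly is still noticed. The 180-second window and the `AgentEvents-` event names are assumptions; an elevated prompt may be needed to read the folders.

```powershell
# Added example: watch the two agent event folders named in the reply
# while the removable-storage test copy is performed over VPN.
$folders = @(
    'C:\ProgramData\McAfee\Agent\AgentEvents',
    'C:\ProgramData\McAfee\Agent\AgentEvents\Upload'
)
$watchSeconds = 180   # assumed observation window, adjust to the test

$watchers = @()
foreach ($folder in $folders) {
    if (-not (Test-Path -LiteralPath $folder)) {
        Write-Warning "Folder not found: $folder"
        continue
    }
    $w = New-Object System.IO.FileSystemWatcher -ArgumentList $folder, '*.xml'
    $w.EnableRaisingEvents = $true
    foreach ($name in 'Created', 'Renamed', 'Deleted') {
        # No -Action: events are queued and read with Wait-Event below.
        Register-ObjectEvent -InputObject $w -EventName $name `
            -SourceIdentifier "AgentEvents-$($watchers.Count)-$name" | Out-Null
    }
    $watchers += $w
}
if ($watchers.Count -eq 0) { return }

Write-Host "Watching for $watchSeconds s. Do the copy, then click Send Events."
$seen = 0
$deadline = (Get-Date).AddSeconds($watchSeconds)
try {
    while ((Get-Date) -lt $deadline) {
        $e = Wait-Event -Timeout 1
        if ($null -eq $e) { continue }
        if ($e.SourceIdentifier -like 'AgentEvents-*') {
            $seen++
            '{0:HH:mm:ss.fff}  {1,-8} {2}' -f $e.TimeGenerated,
                $e.SourceEventArgs.ChangeType, $e.SourceEventArgs.FullPath
        }
        Remove-Event -EventIdentifier $e.EventIdentifier
    }
}
finally {
    # Remove the subscriptions and release the watchers.
    Get-EventSubscriber | Where-Object SourceIdentifier -like 'AgentEvents-*' |
        Unregister-Event
    $watchers | ForEach-Object { $_.Dispose() }
}
Write-Host "$seen file system event(s) recorded for .xml files."
```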

Re: EPO 5.10 On Site & DLP Evidence Logs Via VPN

Hi,

It seems no .xml file is created, nor does anything show in the uploads folder. I watched the folders as it was copying, nothing gets created. ePO does not show any record of the files transferred either, which it wouldn't, but it did log that I tried to copy an executable, which is in a different policy, so it seems it is just not liking the Removable Storage Protection rule via a VPN.

But it's a bit strange that no files show in the locations you pointed out.

Thanks

Gary

 

 


Re: EPO 5.10 On Site & DLP Evidence Logs Via VPN

Just to add, it seems some evidence files are getting through randomly from machines, just not the ones I am testing with, typical.

Gary

 


Re: EPO 5.10 On Site & DLP Evidence Logs Via VPN

Hi @Gazcallyt ,

Thank you for the info. We would need a remote session to work on this to understand the machine state.

Kindly raise a support case with McAfee Support to check this further.

 

Thank you.

Regards,
Jithendran S
McAfee Employee

Re: EPO 5.10 On Site & DLP Evidence Logs Via VPN

Hi,

I did that, they thought they had resolved it, but they hadn't, hence coming on here.

Cheers for your help, hopefully the next agent might have a clue.

Thanks

Gary

 
