MSPlus
Message 1 of 5

Evidence Storage and Evidence Copy Service accounts

Hello, can I use the same user account for evidence storage and the evidence copy service?

4 Replies
McAfee Employee LKS
Message 2 of 5

Re: Evidence Storage and Evidence Copy Service accounts

Hi MSPlus,

This is a DLP-related question which can be answered by them. I will move this post to the DLP forum for more visibility.


McAfee Employee Mreaden
Message 3 of 5

Re: Evidence Storage and Evidence Copy Service accounts

MSPlus,

You can use a user account for evidence storage and evidence copy service, as long as the account has the proper permissions. See the excerpt below from the DLP 11.3 Installation Guide.

Create and configure evidence folders

Evidence is a copy of the file or email that triggers a security event. Create evidence storage folders and configure them with the required properties and security settings to make evidence available to the DLP Incident Manager.

Enabling evidence storage is the default condition for McAfee DLP Endpoint. Creating an evidence storage folder and specifying the UNC path to the folder are requirements for applying a policy to McAfee ePO. The folder does not need to be on the same computer as the McAfee DLP Database server, but it is usually convenient to put it there. When more than one McAfee DLP product is installed in McAfee ePO the UNC paths for the evidence folders are synchronized.

Task

  1. Create the evidence folder.
    We suggest the following folder paths, folder names, and share names, but you can create others as appropriate for your environment.
    • c:\dlp_resources\
    • c:\dlp_resources\evidence
    NOTE: The evidence storage path must be a network share, that is, it must include the server name.
  2. In Windows Explorer, right-click the evidence folder and select Properties.
  3. Click the Sharing tab, then click Advanced sharing. Select the Share this folder option.
    1. Change the Share name to evidence$. Click OK.
      The $ ensures that the share is hidden.
    2. Click Permissions and select Full Control for Everyone. Click OK twice.
  4. Click the Security tab, then click Advanced.
    1. On the Permissions tab, click Change Permissions then deselect the Include inheritable permissions from the object's parent option.
      A confirmation message explains the effect this change will have on the folder.
    2. Click Remove.
      The Permissions tab in the Advanced Security Settings window shows all permissions eliminated.
    3. Click Add to select an object type.
    4. In the Enter the object name to select field, type Domain Computers, then click OK.
      The Permission Entry dialog box appears.
    5. In the Allow column, select Create Files/Write Data and Create Folders/Append Data. Verify that the Apply onto option says This folder, subfolders and files, then click OK.
      The Advanced Security Settings window now includes Domain Computers.
    6. Click Add again to select an object type.
    7. In the Enter the object name to select field, type Administrators, then click OK.
      The Permission Entry dialog box appears.
    8. Set the required permissions.
      Adding administrators is optional, but they can be added as a security precaution. Alternatively, you can add permissions only for those administrators who deploy policies.
  5. Click OK twice.
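The folder, share and NTFS settings from the task quoted above can also be applied from an elevated PowerShell session on the file server. This is an added example, not part of the original post or the McAfee guide; the domain taken from `$env:USERDOMAIN`, the `BUILTIN\Administrators` identity and the FullControl right chosen for administrators are assumptions.

```powershell
# Added example (not from the McAfee guide). Run elevated on the server hosting the share.
# Assumptions: path and share name follow the guide's suggestions; the AD domain comes
# from $env:USERDOMAIN; FullControl for Administrators is one possible choice for step 4.8.
$EvidencePath = 'C:\dlp_resources\evidence'
$ShareName    = 'evidence$'                      # trailing $ hides the share
$Computers    = "$env:USERDOMAIN\Domain Computers"
$Admins       = 'BUILTIN\Administrators'

# Step 1: create the folder (parent C:\dlp_resources is created as needed).
New-Item -ItemType Directory -Path $EvidencePath -Force | Out-Null

# Step 3: share the folder. Share-level access is Full Control for Everyone,
# so the NTFS ACL set below is what actually restricts access.
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $EvidencePath -FullAccess 'Everyone' | Out-Null
}

# Steps 4.1-4.2: stop inheriting from the parent and discard existing entries.
$acl = Get-Acl -Path $EvidencePath
$acl.SetAccessRuleProtection($true, $false)      # protected; do not keep inherited ACEs
foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }  # explicit ACEs

# "This folder, subfolders and files" expressed as inheritance flags.
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$allow     = [System.Security.AccessControl.AccessControlType]::Allow

# Steps 4.3-4.5: Domain Computers may create files and folders, nothing else.
$writeOnly = [System.Security.AccessControl.FileSystemRights]'CreateFiles, AppendData'
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Computers, $writeOnly, $inherit, $propagate, $allow)))

# Steps 4.6-4.8: optional administrator entry (right chosen here is an assumption).
$full = [System.Security.AccessControl.FileSystemRights]::FullControl
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Admins, $full, $inherit, $propagate, $allow)))

Set-Acl -Path $EvidencePath -AclObject $acl

# Check the result: share permissions, then the NTFS entries and whether any are inherited.
Get-SmbShareAccess -Name $ShareName
(Get-Acl -Path $EvidencePath).Access |
    Format-Table IdentityReference, FileSystemRights, IsInherited, InheritanceFlags
```

The final table should list only the two entries added here, both with `IsInherited` set to `False`; Domain Computers holds no read right, so an endpoint can write evidence but cannot read what other endpoints stored.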
MSPlus
Message 4 of 5

Re: Evidence Storage and Evidence Copy Service accounts

Thanks for the response. If I change the evidence copy service account, will this stall the incidents? Or can it cause any trouble with working incidents?

McAfee Employee sbalamur
Message 5 of 5

Re: Evidence Storage and Evidence Copy Service accounts

@MSPlus No, the evidence will wait in repbuf if there is any change in service accounts. As soon as the policy is enforced after the change, evidence will start to move files from the endpoint to the Evidence share.

Also, there won't be any impact on the incidents already moved or during motion.

Regards
Subramanian B
McAfee Employee