I have a same problem. ShareFolder has full permission with everyone, and the user can connect to sharefolder without authentication. But It still doesn't have any evidence. 

I think this issue makes Registered document cannot work correctly. 

Folow below link, I tested psexec but the access denied to foldershare. 

https://kc.mcafee.com/corporate/index?page=content&id=KB81399&actp=null&viewlocale=en_US&showDraft=f... 

How can we solve it?

Hi @DucDinh / @zang8027 ,

Kindly check if your evidence share folder permissions is configured as per the steps in the KB below?

https://kb.mcafee.com/corporate/index?page=content&id=KB83365

Thank you

I checked the KB. All clients can connect to sharefolder, but it still cannot deploy RegDB to DLP users

C:\ProgramData\McAfee\DLP\Agent\IncrementalData\

I set permission for everyone - full control. 

Do I miss something?

Verify that the user that the ePO Application Service (Tomcat.exe) is running as has permissions to the evidence share. Generally tomcat runs as system which would be the ePO server computer object but can be changed so verify the user then verify the permissions to the share.

Also refer KB: https://kc.mcafee.com/corporate/index?page=content&id=KB81399

check the DLP agent connectivity status within DLP endpoint console, it must be online (connected to corporate network) in order to replicate the evidence files. The DLP agent queries the ePO server every 30 seconds to decide its connectivity. FQDN of the ePO server should resolve successfully.

Dear team,

I find this issue on Window Server 2012 R2, the service network discovery is stuck. 

You can apply to share all, but after the moment it will automatically disable again.

I followed this guide: https://www.youtube.com/watch?v=yQeBP2YyG9E

After that, check the share folder need to same on DLP settings and evidence storage (DLP policy - window configuration)

Thank you.

Today things are working randomly. I was able to download the files. Here is how I am setup if it helps anyone:

• E:\Evidence is shared as \\Server\Evidence$\ 
  
  • SHARE - SVC account is set to Change
  • SHARE - Everyone set to Read
  • NTFS - PC object set to Modify
  • NTFS - SVC account set to Modify
  • NTFS - Domain Admins set to Modify
• DLP Settings > Shared storage  > Set to connect with svc account and password.  Also set that "shared password" below to service account password although I dont know what that does?

is is possible that you're purging older evidence files, but keeping the events?

I am new to DLP so where would that setting be?  In the policy?