
Evidence access Denied

Hey all,

I am new to DLP so this is probably a simple fix. When I go into DLP incidents and I click on the incident that I want to review, it shows the Evidence tab. For example, it may show a .xlsx file in Evidence. When I click on that file and try to open it, I get "access to evidence file denied".

Is this because I am logged into EPO mgmt console as a local user and this is a network file? Or what account is used, and which folder needs permissions adjusted?

9 Replies
Level 10
Message 2 of 10

Re: Evidence access Denied

It's not due to local or network accounts. Have the permissions on the DLP policy changed? Have you moved the DLP folder recently?

Level 8
Message 3 of 10

Re: Evidence access Denied

I have the same problem. The share folder has full permission for Everyone, and the user can connect to the share folder without authentication, but it still doesn't have any evidence.

I think this issue keeps Registered Documents from working correctly.

Following the link below, I tested with psexec, but access to the share folder was denied.

https://kc.mcafee.com/corporate/index?page=content&id=KB81399&actp=null&viewlocale=en_US&showDraft=f... 

How can we solve it?

 

McAfee Employee
Message 4 of 10

Re: Evidence access Denied

Hi @DucDinh / @zang8027 ,

Kindly check whether your evidence share folder permissions are configured as per the steps in the KB below.

https://kb.mcafee.com/corporate/index?page=content&id=KB83365

 

Thank you

Regards,
Jithendran S
McAfee Employee
Level 8
Message 5 of 10

Re: Evidence access Denied

I checked the KB. All clients can connect to the share folder, but it still cannot deploy RegDB to DLP users.

C:\ProgramData\McAfee\DLP\Agent\IncrementalData\

I set permission for Everyone - full control.

Am I missing something?

 

McAfee Employee
Message 6 of 10

Re: Evidence access Denied

Verify that the user that the ePO Application Service (Tomcat.exe) is running as has permissions to the evidence share. Generally Tomcat runs as SYSTEM, which would be the ePO server computer object, but this can be changed, so verify the user and then verify the permissions to the share.

Also refer to KB: https://kc.mcafee.com/corporate/index?page=content&id=KB81399

Check the DLP agent connectivity status within the DLP endpoint console; it must be online (connected to the corporate network) in order to replicate the evidence files. The DLP agent queries the ePO server every 30 seconds to decide its connectivity. The FQDN of the ePO server should resolve successfully.


Level 8
Message 7 of 10

Re: Evidence access Denied

Dear team,

I find this issue on Windows Server 2012 R2; the network discovery service is stuck.

You can apply to share all, but after a moment it is automatically disabled again.

I followed this guide: https://www.youtube.com/watch?v=yQeBP2YyG9E

After that, check that the share folder is the same in DLP settings and evidence storage (DLP policy - Windows configuration).

 

Thank you.

 


Re: Evidence access Denied

Today things are working randomly. I was able to download the files. Here is how I am set up if it helps anyone:

  • E:\Evidence is shared as \\Server\Evidence$\ 
    • SHARE - SVC account is set to Change
    • SHARE - Everyone set to Read
    • NTFS - PC object set to Modify
    • NTFS - SVC account set to Modify
    • NTFS - Domain Admins set to Modify
  • DLP Settings > Shared storage > Set to connect with svc account and password. Also set that "shared password" below to service account password, although I don't know what that does?
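
The checks suggested in the replies above (which account the ePO Application Service runs as, what the evidence share and its folder grant, and whether the ePO FQDN resolves), collected into one PowerShell audit as an added example that is not part of any post or of McAfee's documentation. The share name `Evidence$` comes from the setup post; finding the service by `tomcat` in its executable path and the `epo.example.internal` placeholder are assumptions.

```powershell
# Added example: audit the DLP evidence share (run elevated).
param(
    [string]$ShareName     = 'Evidence$',             # share name from the setup post
    [string]$EpoServerFqdn = 'epo.example.internal'   # placeholder: your ePO server FQDN
)

# 1. Account of the ePO Application Service (run this part on the ePO server).
#    Assumption: the service is found by "tomcat" in its executable path.
$svc = Get-CimInstance Win32_Service | Where-Object { $_.PathName -match 'tomcat' }
if ($svc) {
    $svc | Select-Object Name, DisplayName, StartName, State | Format-Table -AutoSize
    if ($svc.StartName -contains 'LocalSystem') {
        "LocalSystem reaches the share as the computer account ($env:COMPUTERNAME`$)"
    }
} else {
    Write-Warning 'No Tomcat-based service on this host; run this check on the ePO server.'
}

# 2. Share-level and NTFS permissions (run on the server hosting the share).
$share = Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue
if (-not $share) { Write-Warning "Share '$ShareName' not found on this host."; return }

$shareAcl = Get-SmbShareAccess -Name $ShareName
$ntfsAcl  = (Get-Acl -Path $share.Path).Access
$shareAcl | Select-Object AccountName, AccessControlType, AccessRight | Format-Table -AutoSize
$ntfsAcl  | Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
    Format-Table -AutoSize

# 3. Flag write access for Everyone: evidence files are copies of the sensitive content.
$modify = [System.Security.AccessControl.FileSystemRights]::Modify
$shareAcl | Where-Object { $_.AccountName -eq 'Everyone' -and
                           "$($_.AccessControlType)" -eq 'Allow' -and
                           "$($_.AccessRight)" -in 'Full', 'Change' } |
    ForEach-Object { Write-Warning "Share grants Everyone $($_.AccessRight)" }
$ntfsAcl | Where-Object { $_.IdentityReference.Value -eq 'Everyone' -and
                          "$($_.AccessControlType)" -eq 'Allow' -and
                          ($_.FileSystemRights -band $modify) -eq $modify } |
    ForEach-Object { Write-Warning "NTFS grants Everyone $($_.FileSystemRights)" }

# 4. The agent needs the ePO server FQDN to resolve to count as online (run on a client).
if (-not (Resolve-DnsName -Name $EpoServerFqdn -ErrorAction SilentlyContinue)) {
    Write-Warning "Cannot resolve $EpoServerFqdn"
}
```

Compare the `StartName` from step 1 with the accounts listed in step 2: that identity needs access at both the share and NTFS level.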

 

 

 

 

 

 

Level 10
Message 9 of 10

Re: Evidence access Denied

Is it possible that you're purging older evidence files, but keeping the events?


Re: Evidence access Denied

I am new to DLP so where would that setting be?  In the policy?
