Hi, recently I'm testing HDLP's evidence function,
and I found out that, when I use a client which is not in ANY domain,
the evidence on that computer will never be written to the evidence Repository,
but those computers which are in ANY domain will, even if they are not in the same domain as the Evidence Repository.
My evidence Repository is on a server called EVIDENCE_SERVER (Win Server 2003).
There's a shared folder to store the evidence files: \\EVIDENCE_SERVER\evidence$
Permission is set for Everyone (for testing purposes),
and this server is in the domain MCAFEETEST.com.
On my ePO server, in the DLP policies ---> Agent global settings, Evidence tab,
I choose "Copy evidence using this user account"
and enter the administrator account and password of EVIDENCE_SERVER.
Then I tested it with two clients:
one is in another domain, TEST123.com,
and it can still write its evidence to \\EVIDENCE_SERVER\evidence$,
but the other client, which does not belong to any domain, just can't write it back.
Why does this happen?
If I join the second client to any domain, that evidence will be written to the repository.
Thanks for your help!!
Can I ask, if your client has created evidence, what "connection state" do you see in the DLP Monitor tab (online\offline)?
I mean in the situation where the client does not belong to any domain.
There are 2 options: the policy isn't configured to replicate evidence in offline mode, or the machine doesn't have permission to write to that share. The machine may have Everyone - Full Control on the share, but there are also NTFS permissions at play. Check out the effective permissions for the anonymous user and make sure it has only write perms. You can also try to access the share by hand from the workgroup machine and see if it works without providing credentials.
Also, as of 9.1 you can provide credentials in order to authenticate to shares for evidence replication. Try that out too.
This situation is not because the policy is not configured to replicate evidence in offline mode, or because the machine doesn't have permission to write to that share. This is because the agent cannot correctly determine its online\offline state depending on whether the OS is joined or not joined to a domain.
When the HDLP agent thinks its state is offline, it does not start to move evidence from the PC to the evidence folders.
The main question to the McAfee guys is: how exactly does the DLP agent determine its state (online\offline)?
I agree with your viewpoint. When a client is in a workgroup, it didn't upload evidence to the evidence folders; after changing it to a domain, it uploaded successfully.
The KB describes agent status as whether the agent is in workgroup mode or domain mode....
I am having precisely the same problem. The client machine DEFINITELY has full access to the evidence share (tested using Explorer to the UNC path), and the credentials I have used in the agent settings are definitely correct (have typed them in 10 times now to make sure).
The problem is certainly because the machine is not on the domain and therefore 'offline'.
I would love to know how to fix this, as many of our laptops will not be on the domain.