I have seen a strange issue during DLP endpoint upgrade from 9.3.100 to 9.3.300. In fact everything goes fine except for the fact that computers won't report any DLP event until they have been rebooted.
- before upgrading I trigger any email rule from the endpoint and then force sending events through McAfee Agent -> OK
- after upgrading (and not yet rebooted) I trigger any email rule from the endpoint and then force sending events through McAfee Agent -> No events are sent
- after upgrading and rebooting I trigger any email rule from the endpoint and then force sending events through McAfee Agent -> OK, but all events between upgrading and rebooting computers don't appear anywhere.
Is this a normal behaviour or am I missing something?
Thanks for the answer. I know that a reboot is sometimes needed after installing or upgrading a McAfee product, but the problem is that we cannot force a reboot after upgrading and we are losing all DLP events until computers have rebooted. If DLP agent stored events and after rebooting sent them to ePO it would be almost fine, but these events have been lost forever and there will always be a gap between upgrade and reboot.
Anyway, if this is as designed there's nothing more that can be done, that's for sure.
Just another question: as we are only logging activity and evidence (not blocking at this moment, so we cannot check whether the rules are applying or not), would the DLP policies apply to computers between upgrading and rebooting the computers?
DLPe policy is enforced only after the computer is rebooted, a user logs in and the McAfee Agent receives a policy from ePO.
Which is one of many reasons why a mandatory reboot is very important.