Since McAfee's support hotline responses unfortunately take a long time (sometimes months, sometimes never), maybe one of you can help.
I have the following situation: The McAfee DLP Endpoint Service crashes right after it starts (~10 sec. delay).
What I see is this:
What I did:
- Uninstallation and reinstallation
- Disabling of security software on the client (virusscan/firewall etc.)
- Client restarts
- Different DLP version (before I tried the older 10.x and 9.4)
Do you guys have any suggestions on what to check or what the issue may be?
I have seen this happen with compatibility issues with other products - not that we can necessarily rule that out without seeing what else is installed on these systems. Typically they are other security products, which you have already disabled. I have also seen this happen with corrupt policies. Has this ever functioned normally? Is this specific to a single system, multiple systems, or all systems in your environment? To rule out a corrupt policy, duplicate the McAfee default policies (DLP policy as well as Client configuration policy) and assign them to one of these systems. If you continue to see the issue, it could be that a portion of your global config is corrupt, in which case you may need to import a new config. We can circle back to that assuming the policy changes do not resolve your issue.
Sorry for the late feedback - I was on vacation.
DLP 9.3/9.4 worked before on this and other clients.
The already installed security products have been in use before.
I cannot tell exactly when the problem started.
I will try to create new policies and apply them. Afterwards I will post the results.
It works ... a little bit.
The hint regarding a corrupted policy was good.
It was a part of a policy definition. I had a user-defined policy definition which was exactly the same as the "All Apple devices [built-in]" policy definition.
I deleted it and used the predefined one and the HDLP status is fine now.
But sadly: My "source error" came back again - blocking of iDevices is still not possible with DLP 10.x.
Incident-Manager says: It was blocked, but I still can access the photos folder on the iPhone.
Any hints regarding this?
Has any of you blocked iDevices successfully with DLP 10.x?
Is this device specific? i.e. does it work correctly with an iPhone 5 vs an iPhone 6? What version of DLP 10 are you running? There is DLP 10 and DLP 10 patch 1 (10.0.100.372). I just tested the following scenario and it blocked access to the storage correctly:
Default Apple devices definition
Thank you for your response.
Regarding your questions:
- Device specific: No (iPhone 6+7)
- DLP extension Version: 10.0.100.7 (newest one since today)
- DLP client-side version: 10.0.100.372
- OS: Win10 Enterprise
- Definition: Same as you use (default apple device definition)
So because most people can't "voodoo", I attach some screenshots.
Maybe you'll see something I'm missing.
Thanks in advance!
I don't necessarily see a problem with your configuration. If the rule is set to block and it is not blocking the storage volume from being mounted, that sounds more like something that would need to be investigated by support (i.e. driver conflicts with other products on your image, driver installation issues, etc.). I would recommend opening a case if you are still having an issue with blocking these devices.