We are using DLP 9.3 with EPO 4.6 on a Win2008R2 server.
The problem I have is that, for files detected via the "Removable storage protection rules", DLP shows just the source file path in the DLP logs.
The "Removable storage protection rule" is configured to store these files in the evidence folder, but it just shows the path to the source there, and if a user has already deleted the file at the source we cannot see what was in the file.
The same works quite well for the "Printing protection rule": there DLP shows and stores the file in the evidence folder, and it is possible to look at the file via the DLP monitor logs.
I checked both rules to find a difference, but they are the same, with the option "store evidence Online/Offline". Does anybody have any idea what could be the reason, or is it a common bug with DLP 9.3?
On page 161 of the McAfee Data Loss Prevention Endpoint 9.3.0 Guide it is stated that DLP should make a copy of the file for "Removable storage protection rules".
Confirmation is usually stored in the correct Evidence folder. Check the settings of the Evidence folder on the server (Figure) and the rights of the account (user/password):
I have had a few cases where a large file is not written to the Evidence folder, but this is an exception.
Hello palex, thanks for the reply,
At the moment I used the option "copy evidence using NETWORK SERVICE or logged on user", but I will change it to the option you recommend and test it.
I think large files are not the issue, because the files I observed are really just some MB or even KB.
Is there some explanation why it works with the option "copy evidence using NETWORK SERVICE or logged on user" for the "Printing protection rule"?
That it works for the "Printing protection rule" shows me that this option is working to put and write files to the evidence folder.
So I will go for testing and let you know if it works now 🙂
OK, I tested it but it doesn't want to work. I tried with domain\administrator or email@example.com; I can see the path of the file, even in which folder on the evidence store it is stored, but then I get the message "Evidence File is Not Available".
When I started testing DLP, I had the same error. The epo console works very badly with the latest versions of IE and FF.
The problem was solved when I went into the IE settings and removed all locks for the IP address of the server that is hosting epo.
What settings we need to make, I have never found a set to allow for all plugins, scripts, windows and so on for the server where epo is installed.
One of the members of this forum wrote that he had conflicts between epo 4.6 and DLPE 9.3. Therefore I recommend upgrading epo 4.6 to 5.1.1.
Hello, thanks for the answers,
but changing to a different version of EPO is not possible for me; this is not approved for our company, so I have to work with EPO 4.6.
Yesterday I also tried this: McAfee KnowledgeBase - Evidence File is Not Available (when attempting to view evidence after upgrad... but it did not help.
My next try is this:
but I need allowance from to recreate the evidence folder, because I could not find a way to export the old logs and data to a file from which somebody could still follow the old incidents.