adpspt
Level 9
Message 1 of 8

McAfee DLP doesn't copy file to evidence, just shows path of the file for Removable storage protection rule

Hello,

We are using DLP 9.3 with EPO 4.6 on a Win2008R2 server.

The problem I have is that, for files detected via the "Removable storage protection rules", DLP shows just the source file path in the DLP logs.

The "Removable storage protection rule" is configured to store these files in the evidence folder, but it just shows the path to the source there, and if a user has already deleted the file in the source we cannot see what was in the file.

The same works quite well for the "Printing protection rule": there DLP shows and stores the file in the evidence folder, and it is possible to look at the file via the DLP monitor logs.

I checked both rules to find a difference, but they are the same, with the option "store evidence Online/Offline". Does somebody have any idea what could be the reason, or is it a common bug with DLP 9.3?

On page 161 of the McAfee Data Loss Prevention Endpoint 9.3.0 Guide it is stated that DLP should make a copy of the file for "Removable storage protection rules".

best regards

ADPSPT

7 Replies
palex
Level 11
Message 2 of 8

Re: McAfee DLP doesn't copy file to evidence, just shows path of the file for Removable storage protection rule

Hi, adpspt!

Confirmation is usually stored in the correct Evidence folder. Check the settings of the Evidence folder on the server (Figure) and the rights of the account (user/password):
[Image: 001.png]

I have had a few cases where a large file is not written to the Evidence folder, but this is an exception.


Regards.

adpspt
Level 9
Message 3 of 8

Re: McAfee DLP doesn't copy file to evidence, just shows path of the file for Removable storage protection rule

Hello palex, thanks for the reply,

At the moment I used the option "copy evidence using NETWORK SERVICE or logged on user", but I will change it to the option you recommend and test it.

I think large files are not the issue, because the files I observed are really just some MB or even KB.

Is there some explanation why it works with the option "copy evidence using NETWORK SERVICE or logged on user" for the "Printing protection rule"?

That it works for the "Printing protection rule" shows me that this option is working to put and write files to the evidence folder.

So I will go for testing and let you know if it works now 🙂

adpspt
Level 9
Message 4 of 8

Re: McAfee DLP doesn't copy file to evidence, just shows path of the file for Removable storage protection rule

OK, I tested it but it doesn't want to work. I tried with domain\administrator or administrator@domain.com; I can see the path of the file, even in which folder on the evidence store it is stored, but then I get the message "Evidence File is Not Available".

palex
Level 11
Message 5 of 8

Re: McAfee DLP doesn't copy file to evidence, just shows path of the file for Removable storage protection rule

Hi, adpspt!

When I started testing DLP, I had the same error. The epo console works very badly with the latest version of IE and FF.

The problem was solved when I went into the IE settings and removed all locks for the IP address of the server that is hosting the epo.

I never found out exactly which settings are needed; I set it to allow all plugins, scripts, windows and so on for the server where epo is installed.


One of the members of this forum wrote that he had conflicts between epo 4.6 and DLPE 9.3. Therefore I recommend upgrading epo 4.6 to 5.1.1.


Regards.

Re: McAfee DLP doesn't copy file to evidence, just shows path of the file for Removable storage protection rule

Hi, Palex.

I had the same problem with 4.6. But, I did the upgrade to epo 5.1 and the problem continues.

Regards.

adpspt
Level 9
Message 7 of 8

Re: McAfee DLP doesn't copy file to evidence, just shows path of the file for Removable storage protection rule

Hello, thanks for the answers,

but changing to a different version of EPO is not possible for me; this is not approved for our company, so I have to work with EPO 4.6.

Yesterday I also tried this: McAfee KnowledgeBase - Evidence File is Not Available (when attempting to view evidence after upgrad...  but it did not help.

My next try is this:

but I need allowance from to recreate the evidence folder, because I could not find a possibility to export the old logs and data to any file where somebody is still able to follow the old incidents.

best regards

ADPSPT

palex
Level 11
Message 8 of 8

Re: McAfee DLP doesn't copy file to evidence, just shows path of the file for Removable storage protection rule

Hi, adpspt!

See the Release Notes for your version of DLPE 9.3:

Patch 4;

Patch 3;

Patch 2;

Patch 1.

Part "Compatible McAfee managed products".

Make sure your software is compatible with each other.


Regards.
