Is there a way for the evidence files to be purged automatically after 2 months? I have tasks to clear the incident log and database after an event reaches 2 months in age, but our evidence folder just continues to grow. And there is no easy way to figure out which ones are evidence from within 2 months.
There is not a way to automate this using ePO/DLPe currently. You will need to create a script that triggers on Date Modified that is more than 2 months old.
The script can be run on the server hosting the Evidence Share using Scheduled Tasks (if it is a Windows Server).
Do you have any scripts or batch files preconfigured for this? Currently our evidence container is filling up so fast that it's causing serious disruptions to the console and other aspects.
I do not. You should be able to use Windows Powershell or something similar to create one.
Or you could work with someone who knows scripting in your company.
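The replies above say the purge has to be scripted outside ePO/DLPe, keyed on Date Modified, and run from Scheduled Tasks on the server that hosts the Evidence Share. The following PowerShell script is an added example written for this thread; it is not McAfee code and nothing in the product exposes it. The share path, log path, task name and the 2-month window are assumptions to replace with your own values. It selects files whose LastWriteTime (what Explorer shows as Date Modified) is older than the retention window, logs what it finds, and supports a -WhatIf dry run so you can confirm the file list before anything is deleted.

```powershell
# Added example for the thread above (not McAfee/ePO code).
# Purges DLP evidence files whose "Date Modified" (LastWriteTime) is older
# than $MonthsToKeep. All paths below are assumed placeholders.
param(
    [string]$EvidencePath = '\\EVIDENCE-SERVER\EvidenceShare',  # assumed: your Evidence Share
    [int]$MonthsToKeep    = 2,                                  # retention window from the question
    [string]$LogPath      = 'C:\Scripts\EvidencePurge.log',     # assumed: where to record actions
    [switch]$WhatIf                                             # dry run: list candidates, delete nothing
)

$cutoff = (Get-Date).AddMonths(-$MonthsToKeep)
$stamp  = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'

# Explorer's "Date Modified" is LastWriteTime in PowerShell. Only files are
# selected, so the folder structure DLPe writes into is left in place.
$old = @(Get-ChildItem -Path $EvidencePath -File -Recurse -ErrorAction Stop |
         Where-Object { $_.LastWriteTime -lt $cutoff })

$bytes = ($old | Measure-Object -Property Length -Sum).Sum
"$stamp cutoff=$($cutoff.ToString('yyyy-MM-dd')) candidates=$($old.Count) bytes=$bytes whatif=$WhatIf" |
    Add-Content -Path $LogPath

foreach ($f in $old) {
    try {
        # -WhatIf:$WhatIf forwards the dry-run switch to Remove-Item.
        Remove-Item -LiteralPath $f.FullName -Force -WhatIf:$WhatIf -ErrorAction Stop
        if (-not $WhatIf) { "$stamp deleted $($f.FullName)" | Add-Content -Path $LogPath }
    }
    catch {
        # A locked or permission-denied file is logged, not fatal; the run continues.
        "$stamp FAILED $($f.FullName): $($_.Exception.Message)" | Add-Content -Path $LogPath
    }
}

# One-time registration as a daily Scheduled Task on the share host
# (assumed script location and task name; run once from an elevated prompt):
#   $action  = New-ScheduledTaskAction -Execute 'powershell.exe' `
#              -Argument '-NoProfile -ExecutionPolicy Bypass -File C:\Scripts\Purge-Evidence.ps1'
#   $trigger = New-ScheduledTaskTrigger -Daily -At 02:00
#   Register-ScheduledTask -TaskName 'Purge-DLP-Evidence' -Action $action -Trigger $trigger
```

Run it first as `.\Purge-Evidence.ps1 -WhatIf` and review the log and the listed files; the count and byte total tell you how much the purge will reclaim. The scheduled task should run under a service account that has Modify rights on the share and nothing more, and the retention window should match the same period the incident-log and database cleanup tasks already use, so that evidence and its incident records age out together.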
Evidence filling up, have you tried to understand why? Are they false positives or valid matches?
They are valid matches. And even with the device agent policy set to only store up to 75% of free space, it continually fills up the entire drive.
The setting you are referring to applies to the Evidence buffer (used if Evidence Share is not reachable) on the local machine.
That setting does not affect the Evidence Share in any way.
If those are all valid matches, based on your company's Data Retention Policy, you will need to plan for additional storage.
If you have not already done it, ensure that you plan for future Evidence growth and set up the Evidence share in a scalable solution like a SAN.