Is there any way we can create a rule/check to monitor/capture evidence of incoming files that are copied by a user/group from a removable device to the PC?
This rule helps in determining who is bringing non-business-related data to the organisation.
There is a capability when you tag data from a shared location/web application and the DLP agent can trigger a reaction rule when a user tries to copy the same to the endpoint. I don't really think there is an option to monitor everything else that is copied from removable drives to the endpoint (you can create a rule to monitor all the files copied from the endpoint to the removable device though). The DLP is designed to monitor classified (sensitive) data that you might lose from your endpoint.
Strongly recommend reading this blog
and then watching the YouTube videos, they are very informative (Hint: keepvid.com)
McAfee has a huge library on YouTube which apparently they don't bother to tell customers about.
I think video 3 covers how to track file copying... we are testing it here.
It's a protection rule, I believe. The videos are pretty good at explaining stuff that is VERY POORLY covered in the DLP manual.
Let me know if you get it figured out b/c we are on the verge of this ourselves.