cancel
Showing results for 
Search instead for 
Did you mean: 
Highlighted

Wrong User Flagged in DLP Block event

Jump to solution

In one of my dashboards i have 90% of my DLP Agents stating that "Agent is not running - User is logged off." Does the user need to be logged in for DLP to take action on the rules/policies applied?  Before you answer, please read why i am asking this.  I had an incident recently where a user plugged in an iPhone, which is unauthorized in our network and set to block.  The user wasn't logged in and never did log in because he only did this to charge his phone.  We didn't received an event that day. Now the next day, a different person logged on to the computer and that's when we received the event that the iphone was blocked.  The event time was also during the time the user logged in, not when the phone was actually plugged in.  Unfortunately, we ended up targeting the wrong user because of this until the actual person who plugged the phone in came forward.  Can someone shine the light on me as to why this may have happened? Does the user need to be logged in for DLP to report and/or take action on the rules/policies applied?  As an added detail, in my DLP dashboard i have about 90% of my agents stating "Agent is not running - User is logged off."  Any help will be appreciated.

Message was edited by: omar_tx on 3/19/14 10:41:45 AM CDT
1 Solution

Accepted Solutions

Re: Wrong User Flagged in DLP Block event

Jump to solution

What you're reporting has always been my experience with DLP.  Thankfully none of our end users have figured that out.  I was caught off guard once when we went to confront someone who allegedly plugged in an Android phone and they pointed out that they own an iPhone..  Thankfully we have a limited number of shared workspaces, but we're more cautious when inquiring about a device plug-in now that we understand that the event gets tied to the logged in user at the time the agent reports back to ePO.

View solution in original post

3 Replies
Highlighted

Re: Wrong User Flagged in DLP Block event

Jump to solution

The DLPe Agent is active only when a user is logged on to the computer.

Ensure that the DLP MA Properties Reporting Server Task is running properly. This task affects the Agent Status Query/Dashboard Monitor.

Message was edited by: vimalnavis on 3/26/14 6:42:43 PM CDT
Highlighted

Re: Wrong User Flagged in DLP Block event

Jump to solution

vimalnavis, i checked to make sure and yes we do have the DLP MA Properties Reporting Server Task running.  trevorw2000, i guess this is something we just have to deal with.  Thank you both for your responses.. 

Re: Wrong User Flagged in DLP Block event

Jump to solution

What you're reporting has always been my experience with DLP.  Thankfully none of our end users have figured that out.  I was caught off guard once when we went to confront someone who allegedly plugged in an Android phone and they pointed out that they own an iPhone..  Thankfully we have a limited number of shared workspaces, but we're more cautious when inquiring about a device plug-in now that we understand that the event gets tied to the logged in user at the time the agent reports back to ePO.

View solution in original post

You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community