cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

endpoint discovery scans

Hello,

i want to make a rule for discovery scans on local file system and email, but it takes a long time even when classification is configured, can anyone tell me why it takes a long time thousands of hours. and how to configure it correctly?

5 Replies
Corey-DLP
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 2 of 6

Re: endpoint discovery scans

Hello,

There are multiple variables that could potentially cause this. However, since you mentioned both file system and email discovery scans, the first thing that comes to mind is what the CPU and RAM utilization looks like on the system as you're running the scans. Does the overall CPU or RAM utilization exceed 50%? If so, what could be occurring is the scans are pausing until utilization is lower, thus prolonging the amount of time the scan takes to complete. If you find that this is the case, this threshold can be modified from the default 50%. The settings to pause endpoint scans based on CPU/RAM utilization are in the Windows Client Configuration policy > Discovery (Endpoint). 

Re: endpoint discovery scans

is it normal?

Corey-DLP
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 4 of 6

Re: endpoint discovery scans

Hello,

If you have the default values of 50% as seen in the attached screenshot, then that looks like that would be expected behavior. The settings to suspend the scans based on CPU and Memory utilization are based on overall utilization and not just DLP processes. Your screenshot shows both CPU and RAM utilization over 50% and thus the endpoint scan is paused. The scan would resume once the overall utilization for CPU and RAM are below 50%. These values can be changed in the policy if needed.

Additionally, it would be recommended to schedule DLP discovery tasks at times when other tasks that are resource intensive are not running. For example, running a DLP Discovery scan at the same time as an AV scan should be avoided as both running together could consume a large amount of resources.

Re: endpoint discovery scans

hi, can i make anything if once scan process passed and discovered information on the second scan i do not want to get same information. i want to get new information. is there anyway to fix this?
Corey-DLP
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 6 of 6

Re: endpoint discovery scans

DLP Endpoint Discovery scans to perform some caching. That is, if a file has already been scanned, it should not be scanned again unless something changes with the file. This may not necessarily be a content change, but could be a change in file properties such as the last modified or last accessed time stamp.

You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community