1 Reply Latest reply on Apr 24, 2017 3:53 PM by chrisnlc

    DLP Client Configuration Policy (Operational Mode and Modules)

    tassha

      Hello,

       

      So I have one for you guys and I have to be honest, I don't actually blame DLP.

       

      We recently had issues where it would take up to 30 seconds for Microsoft Products to open.  Apparently some troubleshooting was done (not by me) and it was determined that our DLP 10 policy had too many of the items checked in the referenced policy. They say they unchecked stuff we don't use and that fixed it. Office opened at normal speed.

       

      Later I found out they also disabled some other Office Add-Ons not related at all to McAfee. They still feel pretty confident DLP was causing the slow, I'm not so sure.


      I haven't played around with this policy at all (policies existed before I came on board) but I just don't think this does it. Any and all information about this particular policy, even if it isn't related to this specific question but is good to know in general, is appreciated.

        • 1. Re: DLP Client Configuration Policy (Operational Mode and Modules)
          chrisnlc

          That's really tricky to answer without the policy backup file to inspect as well but historically the type of slowdown you describe can also be attributed to having large amounts of classification type rules in the policy.

          Switching off items in the Client Config may help indirectly if they cause the classification not to be applied or not used on files touched by the OS and applications. It's just one scenario of many.

           

          Logs are your friend in these cases, as is the DLP Diagnostic Tool and ProcMon. When a slowdown occurs reproduce with the Diagnostic Tool open and examine the Processes tab and if using tags look at the Data Flow tab. This will give you a feel for the amount of work DLPe is doing.

          If that does not tell you anything sensible then repro with ProcMon running. Filter on the FCAG and FCAGTE processes and see if they are accessing huge amounts of Office files (you can see if they are reading by looking at the details column and checking for an increasing 'offset').

           

          More thorough investigation can be done by McAfee support with the aid of an Agent Dump generated from the Diag Tool.

           

          HTH

           

          _Chris.