11 Replies Latest reply on May 13, 2011 1:34 AM by complexxl9

    Upgrading DLP 3.0 to DLP 9.0

      DLP 9.0 has just been launched (DLP 3.1 reversioned to 9.0 to bring the Host DLP and Network DLP versions into alignment) and I am trying to make sense of the upgrade guide within the documentation.

       

      What is not clear is if the WCF installation (currently version 3.0 installed on my ePO 4.5 p1 server) needs to be upgraded to version 9.0. This is missed from the installation guide.

       

      Any help would be appreciated.

       

      Tom

        • 1. Re: Upgrading DLP 3.0 to DLP 9.0

          Following on from this:

           

               I have now removed the old WCF service and updated it to the new WCF 9.0 service. This seemed to work ok and I have continued through the upgrade using the Product Installation Guide.

           

          I have now run into an issue with the DLP Monitor, namely the lack of filename detail that was present in version DLP 3.0.

           

          I have a Removable Storage Protection Rule which is set to monitor all file transfers to removable storage.

           

          DLP 3.0 monitors these file transfers and then lists these in DLP monitor. The filenames of the transferred files are displayed under the details of each record as Evidence

          DLP 9.0 does not list the filename detail of transferred files under the details of each record.

           

          I have included 2 pictures to show the difference.

           

          Has this feature been removed, or has something gone wrong in the upgrade?

           

          Thanks,

          Tom

           

           

          Message was edited by: tjm397 on 09/02/10 11:09:37 CST
          • 2. Re: Upgrading DLP 3.0 to DLP 9.0

            Looks like a bad upgrade.

             

            The evidence feature was changed slightly but it should still be there like it is in 3.0.

            In 9.0 you can have the evidence redacted so only authorized ePO users can see it.

            When the data is redacted it shows the evidence file data as a string of numbers but it's still there.

             

            One other possibility is that there was no evidence for that event.  In 3.0 even if no evidence was collected a link was displayed.  The link was broken but it was there.

            In 9.0 if there is no evidence, there's no link.  It is possible that no evidence was collected.

            • 3. Re: Upgrading DLP 3.0 to DLP 9.0

              "One other possibility is that there was no evidence for that event.  In 3.0 even if no evidence was collected a link was displayed.  The link was broken but it was there.

              In 9.0 if there is no evidence, there's no link.  It is possible that no evidence was collected."

               

              I think your last point may be correct, which is a shame.

               

              Our Policy is only to monitor the event, not collect evidence as we just want to see the files that are being transferred, not waste WAN bandwidth on getting them into the evidence folder.

               

              Through this monitoring rule in 3.0 we were able to spot movie rips being copied off a company pc and onto USB drives. The user was given a warning but we had no need for the files to be copied to the evidence folder

               

              I would like to ask for this feature to be re-implemented in 9.1 as it is incredibly useful.

               

              Without it, the product loses major points for being able to see what is going onto USB devices, unless anyone knows of another way to do this?

              • 4. Re: Upgrading DLP 3.0 to DLP 9.0

                I have now managed to get round this by enabling just Hit-Highlighting in my agent configuration and setting my protection rule to "Store Evidence" as well as "monitor".

                 

                This way, all files that are transferred to USB are getting classed as evidence and I am now able to see their filenames in the DLP monitor.

                 

                This really needs changing back so that "monitor" level protection rules include this detail.

                 

                What is the point of a monitor rule without this filename detail?

                • 5. Re: Upgrading DLP 3.0 to DLP 9.0
                  smalldog

                  I have upgraded to DLP 9.0 successfully but only removed the DLP Management Tool, not WCF. So do I need to remove the old WCF and install the new WCF from the new DLP 9.0 package? Thanks in advance!

                  • 6. Re: Upgrading DLP 3.0 to DLP 9.0
                    smalldog

                    Answered: when you don't remove the old WCF, you cannot apply policy on DLP 9.0. So you must remove the DLP Management Tool and WCF Service before upgrading to the new DLP 9.0.

                    • 7. Re: Upgrading DLP 3.0 to DLP 9.0
                      s3cardi

                      We have the same problem. Since our HDLP has been upgraded to release 9.0, DLP monitor doesn't display any more information about the file(s) responsible for the event.

                      • 8. Re: Upgrading DLP 3.0 to DLP 9.0

                        "We have the same problem. Since our HDLP has been upgraded to release 9.0, DLP monitor doesn't display any more information about the file(s) responsible for the event."

                         

                        Yes, this is a rubbish change and means that the "monitor" level is useless as it contains no detail.

                         

                        As I mentioned above, the only way round this is to change the protection rule to "store" evidence and then change your evidence storage level to hit-highlighting through the agent-configuration in the DLP policy console.

                         

                        Otherwise you'll get all files transferred to your evidence folder which could end up huge and your network slow.

                         

                        Of course, switching your evidence storage to just hit highlighting means no other protection rules can store actual valid evidence that you may actually want.

                         

                        McAfee - you have broken DLP with this change. Please re-instate evidence values at monitor level on protection rules.

                        • 9. Re: Upgrading DLP 3.0 to DLP 9.0

                          I have upgraded DLP 3.0 to 9.0 and everything worked well, of course after I had read all the upgrade documentation and this post, but when I try to select a group or user from my domain I receive this error message: "Active Directory is unreachable".

                           

                          I looked at the DLP log below and found information about a communication problem between the server and the domain. However, when I revert the virtualization snapshot to DLP version 3.0, the communication works well.

                           

                          Does anybody know what could be happening?

                           

                          ---> System.Runtime.InteropServices.COMException (0x8007203A): The server is not operational.

                             at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
                             at System.DirectoryServices.DirectoryEntry.Bind()
                             at System.DirectoryServices.DirectoryEntry.get_AdsObject()
                             at System.DirectoryServices.PropertyValueCollection.PopulateList()
                             at System.DirectoryServices.PropertyValueCollection..ctor(DirectoryEntry entry, String propertyName)
                             at System.DirectoryServices.PropertyCollection.get_Item(String propertyName)
                             at System.DirectoryServices.ActiveDirectory.PropertyManager.GetPropertyValue(DirectoryContext context, DirectoryEntry directoryEntry, String propertyName)
                             --- End of inner exception stack trace ---
                             at System.DirectoryServices.ActiveDirectory.PropertyManager.GetPropertyValue(DirectoryContext context, DirectoryEntry directoryEntry, String propertyName)
                             at System.DirectoryServices.ActiveDirectory.Forest.GetForest(DirectoryContext context)
                             at CSFramework.Util.DirectoryServices.LdapLibrary.OLdapRootDSE.UpdateDomainsCache()
                          Mar 18 5:36:34 PM 2010 (5468-1) [LDAP Library] [CSFramework.Util.DirectoryServices.LdapLibrary OLdapRootDSE::UpdateDomainsCache] Failed contacting forest: DomainName: System.DirectoryServices.ActiveDirectory.ActiveDirectoryServerDownException: The server is not operational.

                           

                          Thanks a lot

                           

                          Leandro
