8 Replies Latest reply on Feb 9, 2012 7:47 AM by hatevessel

    HDLP evidence not available

      Hi, recently I've been testing HDLP's evidence function, and I found out that when I use a client which is not in ANY domain, the evidence on that computer will never be written to the evidence Repository, but computers which are in ANY domain will, even if they are not in the same domain as the Evidence Repository.

      For example:

      My evidence Repository is on a server called EVIDENCE_SERVER (Win Server 2003). There's a shared folder to store the evidence files: \\EVIDENCE_SERVER\evidence$. Permission is set for Everyone (for testing purposes), and this server is in the domain MCAFEETEST.com.

      On my ePO server, in the DLP policies ---> Agent global settings, evidence tab, I choose "Copy evidence using this user account" and enter the administrator account and password of EVIDENCE_SERVER.

      Then I tested it with two clients. One is in another domain, TEST123.com; it can still write its evidence to \\EVIDENCE_SERVER\evidence$. But the other client, which does not belong to any domain, just can't write it back. Why does this happen?

      If I join the second client to any domain, the evidence is written to the repository.

      Thanks for your help!!

        • 1. Re: HDLP evidence not available
          geek

          Hi!

           

          Can I ask: when your client has created evidence, what "connection state" do you see in the DLP Monitor tab (online/offline)? That is, in the situation where the client does not belong to any domain.

          Regards.

          • 2. Re: HDLP evidence not available

            It is offline.

            In the policy I set copy evidence - Online/Offline.

            • 3. Re: HDLP evidence not available
              rangerlj

              So... the client must belong to a domain? If the client belongs to a workgroup, it doesn't work?

              • 4. Re: HDLP evidence not available
                georgec

                There are 2 options: the policy isn't configured to replicate evidence in offline mode, or the machine doesn't have permission to write to that share. The machine may have Everyone - Full Control on the share, but there are also NTFS permissions at play. Check out the Effective permission for the anonymous user and make sure it has only write perms. You can also try to access the share by hand from the workgroup machine and see if it works without providing credentials.

                \\EVIDENCE_SERVER\evidence$

                 

                Also, as of 9.1 you can provide credentials in order to authenticate to shares for evidence replication. Try that out too.

                 

                George
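                The two checks George suggests (write access from the workgroup client without credentials, then with the account configured in the policy), as an added PowerShell diagnostic that is not from this thread and not McAfee's code. It assumes the share path from the original post and PowerShell 3.0 or later for the credentialed New-PSDrive step; run it on the client that fails to replicate.

```powershell
# Added diagnostic for the thread above; not McAfee's code and not from the
# original post. Assumptions: the share path from the thread, and PowerShell
# 3.0+ for Get-Credential -Message and New-PSDrive -Credential.
param([string]$Share = '\\EVIDENCE_SERVER\evidence$')

# Domain membership: a workgroup client is exactly the failing case in the thread.
$cs = Get-WmiObject -Class Win32_ComputerSystem
Write-Host ("Host {0}: PartOfDomain={1} Domain/Workgroup={2}" -f $cs.Name, $cs.PartOfDomain, $cs.Domain)

function Test-ShareWrite {
    param([string]$Path, [string]$Label)
    # Create and remove a probe file; both share AND NTFS permissions must allow this.
    $probe = Join-Path $Path ("dlp_probe_{0}.tmp" -f [guid]::NewGuid().ToString('N'))
    try {
        Set-Content -Path $probe -Value 'probe' -ErrorAction Stop
        Remove-Item -Path $probe -ErrorAction Stop
        Write-Host "[$Label] write test: OK"
        return $true
    } catch {
        Write-Host "[$Label] write test FAILED: $($_.Exception.Message)"
        return $false
    }
}

# 1. As the logged-on local user, with no explicit credentials. From a workgroup
#    machine this usually maps to Guest/anonymous on the domain server, which is
#    the "Effective permission for anonymous user" George refers to.
if (Test-Path -Path $Share) {
    Test-ShareWrite -Path $Share -Label 'no explicit credentials' | Out-Null
    # NTFS ACL on the share root; Everyone/Full Control on the share alone is not enough.
    (Get-Acl -Path $Share).Access |
        Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
} else {
    Write-Host "Share $Share is not reachable without explicit credentials"
}

# 2. With the account entered under "Copy evidence using this user account"
#    (the 9.1 credential option George mentions). The password is prompted for,
#    so nothing is stored in the script or the command history.
$cred = Get-Credential -Message 'Account configured in the DLP evidence settings'
New-PSDrive -Name DLPEVID -PSProvider FileSystem -Root $Share -Credential $cred -ErrorAction Stop | Out-Null
Test-ShareWrite -Path 'DLPEVID:\' -Label $cred.UserName | Out-Null
Remove-PSDrive -Name DLPEVID
```

If step 1 fails but step 2 succeeds, the share itself is fine and the remaining variable is the agent's own online/offline decision, which the later replies in this thread discuss.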

                • 5. Re: HDLP evidence not available
                  rangerlj

                  Hi George, when the client was joined to a workgroup, it could not read evidence... so, once it was joined to a domain, the client could read evidence....

                  • 6. Re: HDLP evidence not available
                    geek

                    Hi George!

                     

                    This situation is not because the policy is not configured to replicate evidence in offline mode, or because the machine doesn't have permission to write to that share. This is because the agent cannot correctly determine its online/offline state when the OS is joined, or not joined, to a domain.

                    When the HDLP agent thinks its state is offline, it does not start moving evidence from the PC to the evidence folders.

                    The main question for the McAfee guys is: how exactly does the DLP agent determine its state (online/offline)?

                    • 7. Re: HDLP evidence not available
                      rangerlj

                      I agree with your viewpoint. When a client was in a workgroup, it didn't upload evidence to the evidence folders; after changing it to a domain, it uploaded successfully.

                      The KB describes the agent status as whether the agent is in workgroup mode or domain mode....

                      • 8. Re: HDLP evidence not available

                        I am having precisely the same problem. The client machine DEFINITELY has full access to the evidence share (tested using Explorer to the UNC path), and the credentials I have used in the agent settings are definitely correct (I have typed them in 10 times now to make sure).

                        The problem is certainly because the machine is not on the domain and therefore 'offline'.

                        I would love to know how to fix this, as many of our laptops will not be on the domain.