Can I ask you if your client has created an evidence, what "connection state" do you see in DLP Monitor tab? (online\offline)?
In situation when client does not belong to any domain.
It is offline
In the policy I set copy evidence - Online/Offline
So...client must belong to any domain? If client belong to workgroup,it's not effect?
There are 2 options: the policy isn`t configured to replicate evidence in offline mode, or the machine doesn`t have permission to write to that share. The machine may have everyone- full control on the share, but there are also NTFS permissions at play. Check out the Effective permission for anonymous user and make sure it has only wirte perms. You can also try to access by hand the share from the workgroup machine and see if it works without providing credentials.
Also, as of 9.1 you ca provide credentials in order to authenticate to shares for evidence replication. Try that out too.
Hi George,When client was joined in workgroup,can not read evidence...so,it's joined in domain,client could read evidence....
This situation is not because the policy is not configured to replicate evidence in offline mode, or the machine doesn`t have permission to write to that share. This is beacuse agent can not correctly determine online\offline state when OS joind or not joind to domain.
When hdlp agent is thinking that his state in offline mode his not starting to move evidence from PC to evidence folders.
Main question to McAfee guys is how exactly dlp agent determined his state (online\offline) ?
I agree with your viewpoint.When a clinet in workgroup,it didn't upload evidence to evidence folders,changed it to domain,uploaded seccuessfully.
KB describe agent status is that agent is workgroup mode or domain mode....
I am having the precise same problem. Client machine DEFINITELY has full access to the evidence share (tested using explorer to UNC path) and the credentials I have used in the agent settings are definitely correct (have typed in 10 times now to make sure).
The problem is certainly because the machine is not on the domain and therefore 'offline'.
I would love to know how to fix this as many of our laptops will not be on the domain