3 Replies Latest reply on Dec 28, 2011 4:25 AM by georgec

    Sending evidence files via EPO?

      Hi all,


      Is it possible to configure DLP client to send evidence content via the EPO client, and not just by UNC path?  We are investigating replacing Symantec with McAfee, and this is something Symantec did quite happily.


      Just so I'm explaining myself properly, alot of our laptops will not be on the domain, on a different domain, across hundreds of sites, or will be working remotely for the vast majority of the time, therefore having the client writing to a single UNC path will be usually impossible as none of the organisations servers will be contactable for a variety of reasons.


      Currently we have it setup to write the evidence files locally to the machine, but still have it reporting back all events.  So we can see all the activity, we just won't have direct access to the files themselves.


      Is there any way to configure this the way we want?  I've been searching through the documentation/help file and I can no longer see the wood for the trees, so to speak.



        • 1. Re: Sending evidence files via EPO?

          What's the difference if the evidence replicates through the McAfee Agent or UNC? It's gonna end un on the epo server in both cases (most of the times, depening on where sql is stored). You can provide credentials for replication in case you have problems with machines from multiple domains.

          Anyway, the evidence is stored until the machine has connectivity to transfer it. The parameters for storing the evidence are under the agent configuration (max total size, file max size, min free space in MB and %)

          • 2. Re: Sending evidence files via EPO?

            Hi George,


            Thanks for your response.  Unfortunately, some laptops will never be on our WAN (working completely remotely), so there will never be the opportunity for the machine to connect to the UNC path, hence wondering whether it could be forced out via the EPO client.  Not to worry though, I realise it's going to be a limitation of the way our network is setup at the moment.


            Thanks for the other pointers though.  Makes sense

            • 3. Re: Sending evidence files via EPO?



              Alterinative: You can put an agent handler in DMZ that will allow you to get the events, but still won't get the evidence. You still get the event though.....