Hi, We are facing an issue with the evidence folder. The permissions and sharing has been done as per the Mcafee installation guide. I am able to access the UNC path from the client PC and can also manually copy a file to it. The DLP monitor shows the evidence file but when we try to access it from ePO it gives the error 'Evidence not available' and there is no file in the UNC path. I have read a few issues in this regard, I have already tried providing access to Domain Users rather than Domain Computers to the UNC folder but the result is the same. All machines are domain computers and all users have AD accounts. Also, in the DLP logs the client connection status shows as offline.
Please let me know if there is anything else that needs to be checked.
Assuming all the permissions are setup correctly, DLPe Agent does not tranfer the Evidence file to the share if the Agent Status is "Offline". Once the Agent status changes back to "Online", DLPe will automatically move the Evidence file to the share.
Can the client resolve the DNS name of the ePO server? Get the agent diag tool from
and check the address/name of the ePO server and be sure that it can resolve that name. I've seen issues when a client PC has two NICs and the routing causes the DLP Agent to say "offline" while the McAfee Agent can still communicate with ePO.
Thanks for the reply.
I used the agent diag tool. The agent online has red mark while agent login has a green against it. The machine can resolve the epo server name and ip. But still the same.
The machine and epo server are in different subnets. Does this affect the online status of the agent? If the machine is in the same subnet as the epo server the agent online is green.
Message was edited by: cpcit on 2/28/13 12:21:12 AM CST
Check if you can send a ping from EPO to the Client. Form me, this looks like a network problem. Was the client installed in the subnet in which is is now?
If client and EPO are in different subnets, you need a router inbetween.
I've managed to resolve the issue. We had used a public IP address in the agent handler settings for the epo server. Once that was removed, internal machines show as online and the evidence is being copied to the UNC path. I am yet to check how it works from outside the network.