5 Replies Latest reply on Aug 21, 2013 5:28 PM by vimalnavis

    DLP Monitor Issue

    bigmac5454

      Why does it take a long time for the DLP Monitor to log an event? Example: I plug in a USB flash drive which is blocked, and the Monitor does not log this event until it wants to. There is no time limit set, just when it feels like it. Using DLP 9.1.6, with EPO 4.5.6, Agent 4.6.

       

      thx

        • 1. Re: DLP Monitor Issue
          cnorris

          When the rule is triggered and the USB is blocked, the event is queued on the system ready for when the ePO Agent next communicates with the ePO server. The communication takes place at intervals, so you'll see the event in the monitor after the next scheduled interval. You can adjust this interval in the agent properties on the ePO server.

           

          Chris Norris

          Global Support Engineering Operations

          • 2. Re: DLP Monitor Issue
            bigmac5454

            I did an agent wakeup on my workstation after I plugged in the USB flash. It did not show up in the log.

            • 3. Re: DLP Monitor Issue
              cnorris

              How long after the wakeup call do you have to wait to see it?

              If you are watching the monitor screen you can refresh it manually. You can also set the refresh interval in the monitor by choosing Tools, Options, and see what value the 'Automatic Refresh Interval (sec)' field is set to.

               

              Beyond that, you may have a very slow event parser, for which you'll need to log a case with us to help.

               

              many thanks

               

              Chris Norris

              • 4. Re: DLP Monitor Issue
                bigmac5454

                Seems to be working. I changed the agent to communicate with EPO server to 5 mins. Just wondering if that causes a lot of network traffic.

                • 5. Re: DLP Monitor Issue

                  Don't change the McAfee Agent ASCI to 5 mins. You will end up with lots of unnecessary network traffic.

                  I do not see any reason as to why you need to see USB plug events immediately. Increase the severity for rules that you need to see immediately and the McAfee Agent Event Forwarding will ensure that you get the events immediately.