1 Reply Latest reply: Sep 13, 2013 7:24 AM by wellu RSS

    problems with registered documents, events and evidence


      We have a fileserver that hosts confidential files. What we want is to monitor and log all activities regarding these files. Who moved them to a laptop and possibly copied them over to a USB drive.


      We have an ePO-server and HDLP on the laptops.


      First I defined this network fileshare as a registered documents repository and scanned the repository.


           1. Problem one: If a document is added to the repository it won't be classified by ePO until a scan is run. Do I need to add a tagging or classification rule based on location too for the same SECRET tag/classification?


      I created an application, filesystem and a removable device rule to monitor files classified as SECRET. Then I copied files from the share and openeded them and moved them to usb.


           2. Problem two: NO EVENTS IN EPO!


      Then I found a client task "Deploy DLP registered documents" and I ran that to laptop agents. Now we have events in ePO!


           3. Problem three: Do we need to scan the repository AND deploy to laptops every time there is a new document added to the repo? We are not monitoring all files between these gaps


      Every rule I made was hit and I tried to see what file was accessed by looking at the event in ePO.


           4. Problem four: Event tells me everything except what file was accessed?!?


      It seems there is an evidence error in the threat event log also. I double checked the evidence folder user rights and they are made according to HDLP installation guide. Administrators and Domain Computers can access the folder


           5. Problem five:     All McAfee related processes running on laptops seem to be running with my account and not NT Authority/Local System. How is my account going to be able to write to the evidence folder?

           6. Problem six:     If I need to save evidence for every file every time they are accessed we need huge storage for ePO. Is evidence required to get file information to the event? I mean now I don't get evidence to ePO and file info in event is always empty


      Any ideas on how to build this system using ePO would be nice. I don't want to hear anything like "Just give Everyone full rights to evidence. That's how it worked for me!"

        • 1. Re: problems with registered documents, events and evidence

          I will answer some problems myself:


          1. There is always delay with registered documents and deploying them, so you need a location based rule that tags documents

          3. yes

          4. McAfee DLP 9.3 installation guide will only tell you the change folder permissions. You also need to set the Share-permissions to match these. If Share-permissions only say Everyone -> Read you are not even checking the folder permissions. Write is denied every time. So put something like Domain Computers and Admins Read, Change to the share rights and remove "Everyone" from share rights

          5. it works after 4 is fixed

          6. You need a huge disk storage