445 Views, 1 Reply. Latest reply: Sep 13, 2013 7:24 AM by wellu
wellu, Newcomer, 10 posts since Apr 10, 2013

Aug 22, 2013 2:59 AM

problems with registered documents, events and evidence

We have a fileserver that hosts confidential files. What we want is to monitor and log all activities regarding these files: who moved them to a laptop and possibly copied them over to a USB drive.

We have an ePO server and HDLP on the laptops.

First I defined this network fileshare as a registered documents repository and scanned the repository.

     1. Problem one: If a document is added to the repository it won't be classified by ePO until a scan is run. Do I need to add a tagging or classification rule based on location too for the same SECRET tag/classification?

I created an application, filesystem and a removable device rule to monitor files classified as SECRET. Then I copied files from the share, opened them and moved them to USB.

     2. Problem two: NO EVENTS IN EPO!

Then I found a client task "Deploy DLP registered documents" and I ran that to laptop agents. Now we have events in ePO!

     3. Problem three: Do we need to scan the repository AND deploy to laptops every time there is a new document added to the repo? We are not monitoring all files between these gaps.

Every rule I made was hit and I tried to see what file was accessed by looking at the event in ePO.

     4. Problem four: Event tells me everything except what file was accessed?!?

It seems there is an evidence error in the threat event log also. I double checked the evidence folder user rights and they are made according to the HDLP installation guide. Administrators and Domain Computers can access the folder.

     5. Problem five: All McAfee related processes running on laptops seem to be running with my account and not NT Authority/Local System. How is my account going to be able to write to the evidence folder?

     6. Problem six: If I need to save evidence for every file every time they are accessed we need huge storage for ePO. Is evidence required to get file information to the event? I mean now I don't get evidence to ePO and file info in event is always empty.

Any ideas on how to build this system using ePO would be nice. I don't want to hear anything like "Just give Everyone full rights to evidence. That's how it worked for me!"
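Problems four to six come down to two facts an admin can verify on a laptop before touching the policy: which account the vendor processes actually run under, and whether the evidence folder ACL really contains the identities the install guide calls for. The PowerShell diagnostic below is an added example written for this thread, not McAfee tooling or anything posted by wellu; it assumes the evidence share path is a placeholder you replace with your own, and that vendor components can be identified by "McAfee" in their executable path (both are assumptions, not product facts).

```powershell
# Added diagnostic for the two questions above; not McAfee's tooling.
# Assumptions: $EvidencePath is a placeholder for your evidence share, and
# vendor components are recognised by "McAfee" in their executable path.
param(
    [string]$EvidencePath = '\\EPO-SERVER\DLP_Evidence$',            # placeholder
    [string[]]$RequiredIdentities = @('BUILTIN\Administrators', 'Domain Computers'),
    [string]$VendorPathPattern = '*McAfee*'                          # assumption
)

# 1. Process owner check. Agent components are expected to run as
#    NT AUTHORITY\SYSTEM; anything owned by the logged-on user gets flagged,
#    because that account, not SYSTEM, would need write access to the share.
$procs = Get-CimInstance -ClassName Win32_Process |
    Where-Object { $_.ExecutablePath -like $VendorPathPattern }

foreach ($p in $procs) {
    $owner   = Invoke-CimMethod -InputObject $p -MethodName GetOwner
    $account = if ($owner.ReturnValue -eq 0) { "$($owner.Domain)\$($owner.User)" } else { '<unknown>' }
    $flag    = if ($account -eq 'NT AUTHORITY\SYSTEM') { 'ok' } else { 'CHECK' }
    '{0,-6} {1,-30} {2}' -f $flag, $p.Name, $account
}

# 2. Evidence folder ACL check. Report each required identity as present
#    (with its effective rights) or missing, so a rejected write can be
#    matched to an actual ACL gap instead of guessing.
$acl = Get-Acl -Path $EvidencePath
foreach ($id in $RequiredIdentities) {
    $aces = $acl.Access | Where-Object {
        $_.IdentityReference.Value -like "*$id" -and $_.AccessControlType -eq 'Allow'
    }
    if ($aces) {
        "ok      $id : $(($aces | ForEach-Object { $_.FileSystemRights }) -join ', ')"
    } else {
        "MISSING $id"
    }
}
```

Run it in an elevated session on an affected laptop; a CHECK line next to an agent process, or a MISSING line for the computer account group, points at the cause of the evidence write failure without opening the share to Everyone.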
