1 Reply Latest reply: Jan 15, 2014 6:09 AM by epository

    Troubleshooting DLP with the Registry

    epository

      Troubleshooting DLP can be a bit tricky on some boxes, so you can pick up some vital info out of the registry.

       

      So the SD card works on my computer and the following values are present:

       

      HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\hdlpctrl\DeviceBlockingRules\{0FD60794-747C-11E3-BC4C-763B84178E18}

       

      REACTION      17 Monitor/NOTIFY?

       

      RuleType     1

       

       

       

      USB Also Works:

       

      Its Serial Number is USB\VID_0930&PID_653D\0E907560F301F924

       

      HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\hdlpctrl\DeviceBlockingRules\{20AFAC1D-7483-11E3-BBDE-6D780407B70B}

       

      REACTION           17          MONITOR/NOTIFY?

      RuleType           1

       

      AND

       

      HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\hdlpctrl\DeviceBlockingRules\{6664B415-7219-11E3-A919-57764925015C}

       

      REACTION 17          MONITOR/NOTIFY

      RuleType 1

       

       

      For Bluetooth...which should be blocked

       

      REACTION 19          BLOCK/MONITOR/NOTIFY

      RuleType 1

       

       

      AND Wireless Cards

       

      HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\hdlpctrl\DeviceBlockingRules\{0E4CB6A3-746D-11E3-83D8-2E49059D9621}

       

      REACTION 1          - BLOCK?

      RuleType 3          - so I think RuleType 3 is for Plug and Play Devices

       

       

      Also, you should be able to get a list of USB Serial Number Exemptions out of here if you make exemptions that way....it takes a little decoding, but a bit quicker than running the DLPE Diagnostic tool.

       

      Sometimes you just don't know if you are fighting a GPO, driver issue, bad media, etc.
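
The registry check described in the post above, as an added PowerShell example (not part of the original post and not McAfee's code). It lists every rule under the key the post names with its REACTION and RuleType; the notes attached to each value are only the poster's own observations, several of which the post marks with a question mark.

```powershell
# Added example: dump REACTION and RuleType for each DLP device rule.
# Key path and value names are taken from the post. ControlSet001 is used
# because the post uses it; it is not guaranteed to be the active control set.
$base = 'HKLM:\SYSTEM\ControlSet001\services\hdlpctrl\DeviceBlockingRules'

# Value notes as observed in the post (not vendor documentation).
$reactionSeen = @{
    1  = 'BLOCK? (per post)'
    17 = 'MONITOR/NOTIFY (per post)'
    19 = 'BLOCK/MONITOR/NOTIFY (per post)'
}
$ruleTypeSeen = @{
    1 = 'seen on SD card, USB and Bluetooth rules (per post)'
    3 = 'Plug and Play devices? (poster''s guess)'
}

# Look up a note for a value; anything the post did not mention is flagged.
function Get-SeenNote($table, $value) {
    if ($null -eq $value) { return 'value missing' }
    $n = 0
    if ([int]::TryParse([string]$value, [ref]$n) -and $table.ContainsKey($n)) {
        return $table[$n]
    }
    return 'not covered in the post'
}

if (-not (Test-Path -LiteralPath $base)) {
    Write-Warning "Key not found: $base"
    return
}

Get-ChildItem -LiteralPath $base | ForEach-Object {
    $props = Get-ItemProperty -LiteralPath $_.PSPath
    [pscustomobject]@{
        RuleGuid     = $_.PSChildName
        REACTION     = $props.REACTION
        ReactionNote = Get-SeenNote $reactionSeen $props.REACTION
        RuleType     = $props.RuleType
        RuleTypeNote = Get-SeenNote $ruleTypeSeen $props.RuleType
    }
} | Format-Table -AutoSize
```

Run it from an elevated prompt on the affected machine and compare the output with a machine where the device behaves as expected.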

        • 1. Re: Troubleshooting DLP with the Registry
          epository

          A little additional troubleshooting info:

           

          Also, you need to check C:\ProgramData\McAfee\Common Framework\AgentEvents to see if DLP is generating .xml files there.

           

          These can be opened with the DLPE Diagnostic Tool from McAfee...I had to get this from a friend so I am guessing McAfee Support provides it.

           

          Running this will give you a pretty good idea of what is happening.

           

          When you run a "Collect and Send Props", all .xml files should disappear from this folder.

           

          If you are seeing things being blocked, but no events showing up in the DLP Monitor, go to the C:\ProgramData\McAfee\Common Framework and open the EvtFiltr.ini to see if 19015 events are being blocked.  If they are, you need to go into Server Configuration in the EPO console to re-enable these.

           

          ADDITIONAL NOTE:  If programs like Roxio or IMGBurn are acting weird with DLP, try deleting the Upper Limits Filter value out of the registry, this can fix some of these issues.