4 Replies Latest reply on Dec 3, 2014 2:57 PM by vimalnavis

    event incident DLP

    rbarboza

      Hi

       

      My problem is:

       

      I created tags, long after the delete and replace by other tags, but in the event incident I still see the first tags(phantom), This tag  do not exist anymore, I remove the extension and agent dlp from master repository the epo and then I loaded the new extension  and agent,  I have same solution.

      Currently I have one tag only. Each time a rule with the new tag is detected appear to me all the tags should not be.

       


      The KB69017 did not solved my problem

      All this I see from the event monitor dlp


       

       


       

        • 1. Re: event incident DLP
          llamamecomoquieras

          Well, the events are stored in the BBDD, so the events will come back as it was created if you dont delete from the database...

           

          I will advise you to purge the events from database

           

          Best regards,

           

          Jose Maria

          • 2. Re: event incident DLP
            rbarboza

            Hi

             

            I deleted all events in the database , when before uninstalling extensions

            • 3. Re: event incident DLP
              epository

              Try looking in the registry for the machines reporting these events

               

              HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\DLP Manual Tagging

               

              HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\DLP Manual Tagging

               

              HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BB95DD2C-8D74-4D48-80D4-681549F47188}

               

              Could be hard coded into the registry still or in the document properties....it appears the computers are not getting the new policy or cant delete it.

               

              I would try deleting all the .opg files on the computer if that is the case.

              • 4. Re: event incident DLP

                Ensure that the incident reported shows the latest policy. If the machine did not receive the latest policy where the old tag was removed it will still be reported back.