1 Reply Latest reply on Mar 24, 2015 7:37 AM by M Bagheryan M

    Evidence is not available for printing protection rule

    M Bagheryan M

      Here is the scenario which I have with DLP. Does anybody know what is going on with this new release?

       

      >> Reviewed the printing protection rule.

      >> Opened dlp incident manager console.

      >> Tried to access the evidence file which is already present.

      >> Error "evidence file is not available".

      >> Generated the new events and tried to violate the printing protection rule.

      >> Reviewed the repbuf folder, no evidence was stored locally.

      >> New event has been generated in incident manager.

      >> Accessed the evidence file, but still the same error.

      >> Created the webpost protection rule to cross check.

      >> Tried to violate the policy by sending the .txt, .rft, .docx and .BMP.

      >> Those files were accessible for web post protection rule with the same format in dlp incident manager.

      >> Tried the same in printing protection rule. All the files are accessible only in .txt format for printing protection rule, except the .bmp file.

       

       

      <<I already collected the log and it is possible to share (depends on replies)>>

        • 1. Re: Evidence is not available for printing protection rule
          M Bagheryan M

          this is it

           

          McAfee KnowledgeBase - Data Loss Prevention Endpoint 9.3.x Printing Protection Rules save Evidence of Office files as .t…

           

          Data Loss Prevention Endpoint 9.3.x Printing Protection Rules save Evidence of Office files as .txt files in Incident Manager

          Technical Articles ID:  KB81630
          Last Modified:  4/8/2014


           

          Environment

          McAfee Data Loss Prevention Endpoint (DLPE) 9.3.x

           

          Microsoft Office 2010, 2007, 2003

           

           

          Problem

          When saving Microsoft Office files as Evidence, some of the files may be .txt files in the DLPE Incident Manager.

           

           

          Cause

          This is normal behavior of the DLP Endpoint Agent, which evaluates the raw text that is sent to the printer.

           

          When possible, the Application Add-ins (configured in the Miscellaneous tab of the Agent Configuration) will save a copy of the original file as the evidence. Otherwise, it will save a .txt version as evidence. In all cases, the rule will Block, Monitor, Notify-User, Request Justification and/or Store Evidence as configured.

           

           

          Solution

          This behavior is as designed.