7 Replies Latest reply on Apr 30, 2015 2:24 AM by palex

    McAfee DLP doesn't copy file to evidence, just shows path of the file for Removable storage protection rule

    adpspt

      Hello,

      We are using DLP 9.3 with ePO 4.6 on a Win2008R2 server.

      The problem I have is that, for files detected via the "Removable storage protection rules", DLP shows just the source file path in the DLP logs.

      The "Removable storage protection rule" is configured to store these files in the evidence folder, but it just shows the path to the source there, and if a user has already deleted the file at the source we cannot see what was in the file.

      The same works quite well for the "Printing protection rule": there DLP shows and stores the file in the evidence folder, and it is possible to look at the file via the DLP monitor logs.

      I checked both rules to find a difference, but they are the same, with the option "store evidence Online/Offline". Does somebody have any idea what the reason could be, or is it a common bug with DLP 9.3?

      On page 161 of the McAfee Data Loss Prevention Endpoint 9.3.0 Guide it is stated that DLP should make a copy of the file for "Removable storage protection rules".

      Best regards

      ADPSPT