9 Replies Latest reply on Feb 3, 2017 2:00 PM by vmnit

    DLPe 10 for Macintosh - Evidence File Storage

    vmnit

       

      Does anyone know the proper format for the Evidence Storage UNC settings for Macintosh? We are able to access evidence files for Windows incidents, but cannot for Macintosh for some weird reason. Keep getting this error: "Evidence file is not available."

        • 1. Re: DLPe 10 for Macintosh - Evidence File Storage
          ahawke

          The syntax is correct.

           

          Are you using the same account to write files to evidence?

          • 2. Re: DLPe 10 for Macintosh - Evidence File Storage
            vmnit

             

            Yes, I'm using the same account. I have checked the DLP Operations events and have not seen any File Replication errors. Permissions to the evidence storage share are correct as well, even if I open the share to Everyone.

             

            Can't seem to view Evidence File generated by Macintosh systems.

            • 3. Re: DLPe 10 for Macintosh - Evidence File Storage
              ahawke

              Double checked the rules to ensure evidence is enabled for the MAC rules?

              • 4. Re: DLPe 10 for Macintosh - Evidence File Storage
                vmnit

                Yes, the option is enabled. I also checked the DLP Policy Catalog and DLP Modules settings, which are all correct and exactly the same as my Windows settings.

                • 5. Re: DLPe 10 for Macintosh - Evidence File Storage
                  hhoang

                  In your MAC client configuration policy there is a section for "corporate network detection" connectivity - make sure that the client system is able to connect correctly to whatever criteria is specified there.

                   

                  Are you able to manually mount the share from the client system via command line? 

                   

                  #mount_smbfs //<userID>@<server>/<folder> <mount directory>

                  ex:  mount_smbfs //administrator@epo/evidence$ /mnt/

                   

                  Was the evidence file created on the client system?  Evidence is temporarily stored here before uploading to the server:  /usr/local/McAfee/DlpAgent/var/evidence
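                  The two checks suggested in this reply (can the client mount the share with the evidence-writing account, and are evidence files piling up in the agent's local directory) can be scripted. The following is an added example, not McAfee code and not from the original thread; it assumes the evidence share is configured in ePO as a UNC path, that the agent spools evidence in the /usr/local/McAfee/DlpAgent/var/evidence directory named above, and that `epo`, `evidence$` and `administrator` are placeholder names.

```shell
#!/bin/sh
# Added diagnostic for the Mac DLPe evidence-upload problem discussed in the thread.
# Not McAfee code. Assumptions: the evidence share is given as a UNC path in the ePO
# DLP settings, and the agent spools evidence locally in the directory named in the
# thread before uploading it. Server, share and account names are placeholders.

# 1. Turn a UNC path (\\server\share\dir or //server/share/dir) into the
#    //user@server/share/dir form that mount_smbfs expects.
unc_to_smb_url() {
  _unc=$1
  _user=$2
  _path=$(printf '%s' "$_unc" | tr '\\' '/')  # backslashes -> forward slashes
  _path=${_path#//}                            # drop the leading //
  _path=${_path%/}                             # drop any trailing /
  printf '//%s@%s\n' "$_user" "$_path"
}

# 2. Count evidence files still waiting in the agent's local spool. A count that
#    keeps growing after incidents means the client is not able to upload to the
#    share; zero files locally plus nothing on the server points back at the
#    rule / catalog settings rather than at connectivity.
pending_evidence_count() {
  _dir=${1:-/usr/local/McAfee/DlpAgent/var/evidence}  # path named in reply 5
  if [ ! -d "$_dir" ]; then
    echo 0
    return 0
  fi
  find "$_dir" -type f | wc -l | tr -d ' '
}

# 3. Try the same mount the agent would need, using the account that writes
#    evidence. Only meaningful on macOS, where mount_smbfs exists.
check_share_mount() {
  _url=$1
  _mnt=$2
  if ! command -v mount_smbfs >/dev/null 2>&1; then
    echo "mount_smbfs not available on this host; skipping mount test"
    return 0
  fi
  mkdir -p "$_mnt"
  if mount_smbfs "$_url" "$_mnt"; then
    echo "mounted $_url on $_mnt (share reachable with this account)"
    umount "$_mnt"
  else
    echo "mount of $_url failed: check credentials, DNS and corporate network detection"
    return 1
  fi
}

# Usage: sh dlp_evidence_check.sh '\\epo\evidence$' administrator /mnt/evidence
if [ "$#" -ge 2 ]; then
  url=$(unc_to_smb_url "$1" "$2")
  echo "mount_smbfs form: $url"
  echo "evidence files pending locally: $(pending_evidence_count)"
  check_share_mount "$url" "${3:-/mnt/evidence}"
fi
```

Run it on an affected Mac with the UNC path exactly as entered in ePO and the account the agent uses; a failed mount isolates the problem to credentials, name resolution or the corporate network detection criteria, while a successful mount with files still sitting in the local spool directory points at the agent or policy side instead.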

                  • 6. Re: DLPe 10 for Macintosh - Evidence File Storage
                    vmnit

                    We are using DLPe 10.0.0.123 for Macintosh and the OS X versions are a mix of Sierra and El Capitan. It is really strange. I can mount the evidence share from my Mac laptop; the evidence share is temporarily on the same server as the McAfee ePO server.

                     

                    It is in POC mode, so I just allow the share to everyone; the share is wide open. I do see that DLP Agent is generating evidence files on the local machine. Another bug I think I found is that the DLP Agent for Macintosh will only report Evidence File and Hit count if you select the option 'Store original file as evidence' in the Reaction rule set. If you don't use this option, incidents will show up in ePO without any information on the file or hit; it just shows that it hit a rule, but nothing else.

                     

                    Windows systems are reporting fine without the 'Store original file as evidence' option, and if we do store evidence files, we can view them with no issues. It just seems to be isolated to Macintosh systems. Are you guys running Macintosh DLPe Agent 10.0.0.123?

                    • 7. Re: DLPe 10 for Macintosh - Evidence File Storage
                      hhoang

                      I tested with OSX 10.11 (El Capitan) and DLPe 10.0.0.123.  Evidence was collected on my test system and uploaded to EPO without issue.  Is the MAC client configuration page set to 'connect to EPO' or resolve from a server list?  You can verify it is a connectivity issue just by applying a new revision ID to force the system to re-check connectivity.  If it is currently set to connect to EPO (the default setting) try specifying the EPO server's IP address in there.  It may be a DNS issue.

                      • 9. Re: DLPe 10 for Macintosh - Evidence File Storage
                        vmnit

                        Yes, it is set for 'Corporate Network Detection', and the servers that are configured are my McAfee ePO server, Agent Handlers, and Super Agents.