Knowledge Center


Data Loss Prevention Endpoint Agent fails to upload evidence from the client computer to the evidence share
Technical Articles ID: KB81399
Last Modified: 12/12/2017


Environment

McAfee Data Loss Prevention Endpoint (DLP Endpoint) 11.x, 10.x, 9.x

Summary

Microsoft ended extended support for Windows XP SP3 on April 8, 2014. For best results and optimal security, upgrade to a supported operating system. See KB78434 for details.

Problem

After an incident with evidence is generated, the incident is uploaded to ePolicy Orchestrator (ePO), but the evidence remains on the client in the RepBuf directory (C:\Program Data\McAfee\DLP\Agent\RepBuf).

Cause

There are four possible causes for this issue:
  • The evidence share is incorrectly specified in the DLP Endpoint Agent Configuration. If the share location is misconfigured, the agent cannot upload evidence files.
  • The permissions for the evidence share do not allow the user specified in the DLP Endpoint Agent Configuration to write to the evidence directory.
  • The DLP Endpoint agent is in an offline state. If the DLP Endpoint Agent is offline, the agent assumes it does not have a connection to the evidence share and does not try to upload evidence files.
  • The Evidence folder on the ePO server has run out of disk space. Events are then returned to the local system and stored in the root of the C: drive, rather than in the RepBuf folder on the local system.

Solution

To verify the evidence path against the share on the ePO server, view the properties of the directory and click the Sharing tab. The value displayed as Network Path is the UNC path that must be specified for the evidence share in the DLP Endpoint Agent Configuration.

Solution

The default configuration for the DLP Endpoint Agent is to connect as the local system, and the share must be properly configured to allow the agent to upload as the system. To verify that the share permissions are properly configured for access by the local system, perform the following test from the client computer:
  1. Download psexec from http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx.
  2. Extract the psexec.exe from the downloaded .zip file.
  3. Click Start, Run, type cmd, and click OK.
  4. Change the directory to the location of psexec.exe.
  5. Run the following command to start another cmd as the local system:

    psexec -hsi cmd
  6. Create a temporary connection to the share:

    pushd \\servername\evidence$
  7. Create a test directory using the following command:

    md test
  8. Create a test file using the following command:

    echo.>test\text.txt
  9. View the test directory in the evidence share and verify that the file was created.


NOTES:

  • If creating the test directory or file fails, the share is not configured to allow the local system the Create files/write data and Create folders/append data permissions.
  • The steps to configure the evidence share for using the option Copy evidence using NETWORK SERVICE or logged on user are located in the "Create and configure repository folders" section of the DLPE Product Guide.

    For a full list of product documents, go to the ServicePortal at: http://support.mcafee.com. Click Knowledge Center, and select Product Documentation from the Knowledge Base list.
  • If the client is not a domain computer, use the Copy evidence using this user account option.
  • If the DLPE Agent Configuration is configured to use the Copy evidence using this user account option, you can perform the following test from the client to verify the share permissions:

    Press and hold the SHIFT key, right-click Windows Explorer, and select Run as different user; then run it as the user specified in the DLP Endpoint Agent Configuration policy. The permissions for that specific user on the share must be set to at least Create files/write data and Create folders/append data.
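The psexec test above (steps 5 through 9) and the Run as different user test in the last note check the same thing: that the identity the agent uses can create a folder and a file in the evidence share. The following PowerShell script is an added example, not part of this KB article or of the DLP Endpoint product; it performs both checks in one place and cleans up after itself. Run it as Local System through psexec for the default configuration, or as the configured user for the Copy evidence using this user account option. The share name \\servername\evidence$, the script file name and the test folder name are assumptions.

```powershell
# Added example (not from the KB article): verifies that the identity running this
# script can create a folder and a file in the DLP evidence share, which is what the
# DLP Endpoint Agent needs (Create files/write data and Create folders/append data).
# Run it under the same identity the agent uses, for example (paths/names assumed):
#   as Local System : psexec -s powershell.exe -ExecutionPolicy Bypass -File .\Test-EvidenceShare.ps1 -Share \\servername\evidence$
#   as a named user : runas /user:DOMAIN\dlpsvc "powershell.exe -ExecutionPolicy Bypass -File C:\temp\Test-EvidenceShare.ps1 -Share \\servername\evidence$"
param(
    [Parameter(Mandatory = $true)]
    [string]$Share,   # UNC path from the DLP Endpoint Agent Configuration, e.g. \\servername\evidence$
    [string]$TestFolder = "dlp_share_test_$([System.Diagnostics.Process]::GetCurrentProcess().Id)"
)

function Test-EvidenceShareWrite {
    param([string]$Share, [string]$TestFolder)

    $result = [ordered]@{
        Identity       = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
        Share          = $Share
        ShareReachable = $false
        FolderCreated  = $false
        FileCreated    = $false
        Error          = $null
    }

    # Step 1: can the share be reached at all? (equivalent to the 'pushd' step)
    if (-not (Test-Path -LiteralPath $Share)) {
        $result.Error = 'Share is unreachable, or access is denied at the share level'
        return [pscustomobject]$result
    }
    $result.ShareReachable = $true

    $folderPath = Join-Path $Share $TestFolder
    $filePath   = Join-Path $folderPath 'test.txt'
    try {
        # Step 2: 'md test' -> requires Create folders/append data
        New-Item -ItemType Directory -Path $folderPath -ErrorAction Stop | Out-Null
        $result.FolderCreated = $true

        # Step 3: 'echo.>test\text.txt' -> requires Create files/write data
        New-Item -ItemType File -Path $filePath -ErrorAction Stop | Out-Null
        $result.FileCreated = Test-Path -LiteralPath $filePath
    }
    catch {
        $result.Error = $_.Exception.Message
    }
    finally {
        # Remove the test artifacts so they do not accumulate in the evidence share
        if (Test-Path -LiteralPath $folderPath) {
            Remove-Item -LiteralPath $folderPath -Recurse -Force -ErrorAction SilentlyContinue
        }
    }
    return [pscustomobject]$result
}

$r = Test-EvidenceShareWrite -Share $Share -TestFolder $TestFolder
$r | Format-List
if (-not ($r.FolderCreated -and $r.FileCreated)) {
    Write-Warning "The identity '$($r.Identity)' cannot write to $Share. Grant Create files/write data and Create folders/append data (share and NTFS permissions), or correct the evidence path in the agent configuration."
    exit 1
}
```

The Identity field in the output is the first thing to check: when launched through psexec -s it must read NT AUTHORITY\SYSTEM, otherwise the test exercised the wrong account. A failure at the ShareReachable step points at the share path or share-level permissions (the first two causes above); a failure at FolderCreated or FileCreated with the share reachable points at the NTFS permissions on the evidence directory.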

Solution

To view whether the Agent is online or offline:
  1. Click Start, Run, type regedit, and click OK.
  2. Navigate to and view the following registry key for the applicable system:

    X32 systems
    [HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\DLP\Agent\AgentOnline]

    X64 systems
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\McAfee\DLP\Agent\AgentOnline]

    Agent Online - REG_DWORD = 1
    Agent Offline - REG_DWORD = 0
  3. The DLP Endpoint Agent determines whether the agent is online or offline by querying DNS for the ePO Server name listed in the following registry string value on the client:

    X32 systems
    [HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\ePolicy Orchestrator\Agent\ePOServerList]

    X64 systems
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Network Associates\ePolicy Orchestrator\Agent\ePOServerList]

    NOTES: DNS must return the IP address of the ePO server listed in the same registry string value:
    • If DNS does not return the same IP address that is listed in the string or the name cannot be found, the agent is offline. You must resolve the DNS issue before the agent goes online and uploads evidence.
    • If there is more than one Agent Handler listed in the string, the agent tests only the first Agent Handler listed. If a DMZ Agent Handler is listed first and its Published IP does not match the DNS record for the server because of NAT, the agent is not online. Do not configure systems that communicate on the internal network to use a DMZ Agent Handler.
    • It is not required that the client is on the same Domain as ePO; it is only required that the client has access to the DNS that the ePO server is registered to.
    • The DLP AgentDiag tool does not pull the Agent Online status from the registry but rather performs a real-time query. If the AgentDiag tool shows online but the registry shows offline, the system could not resolve the DNS at the time the last network state change occurred.
    • If you are able to resolve the DNS and the AgentDiag tool shows offline, try changing the Relaxed logon interval setting in the Agent Configuration to delay the real-time query. The client systems must be restarted to pick up the change to the setting.
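The following PowerShell script is an added example, not part of this KB article or of the DLP Endpoint product. It reads the AgentOnline value and the ePOServerList string from the registry paths listed above (trying the X32 path first, then the Wow6432Node path), and then repeats the agent's own check: it resolves the first Agent Handler in the list through DNS and compares the result with the IP address recorded in the string. The layout assumed for ePOServerList, one entry per handler with the fields server name, FQDN and IP address separated by | and entries separated by ;, is an assumption; compare it with the value in your own registry before relying on the parsing.

```powershell
# Added example (not from the KB article): reports the DLP agent's recorded online
# state and repeats the DNS test the agent performs against the first Agent Handler.
# The ePOServerList layout 'name|fqdn|ip;name|fqdn|ip;' is an ASSUMPTION.

function Get-DlpAgentOnlineState {
    # X32 path first, then the Wow6432Node path used on X64 systems
    $paths = @(
        'HKLM:\SOFTWARE\McAfee\DLP\Agent',
        'HKLM:\SOFTWARE\Wow6432Node\McAfee\DLP\Agent'
    )
    foreach ($p in $paths) {
        $v = Get-ItemProperty -Path $p -Name AgentOnline -ErrorAction SilentlyContinue
        if ($null -ne $v) { return [int]$v.AgentOnline }   # 1 = online, 0 = offline
    }
    return $null   # value not present: agent not installed or a different key path
}

function Get-EpoServerList {
    $paths = @(
        'HKLM:\SOFTWARE\Network Associates\ePolicy Orchestrator\Agent',
        'HKLM:\SOFTWARE\Wow6432Node\Network Associates\ePolicy Orchestrator\Agent'
    )
    foreach ($p in $paths) {
        $v = Get-ItemProperty -Path $p -Name ePOServerList -ErrorAction SilentlyContinue
        if ($null -ne $v) { return [string]$v.ePOServerList }
    }
    return $null
}

function ConvertFrom-EpoServerList {
    # Parses the assumed 'name|fqdn|ip;...' layout into objects, preserving order,
    # because the agent tests only the FIRST Agent Handler listed.
    param([string]$ServerList)
    foreach ($entry in ($ServerList -split ';' | Where-Object { $_.Trim() })) {
        $f = $entry.Trim() -split '\|'
        [pscustomobject]@{
            Name = $f[0]
            Fqdn = if ($f.Count -gt 1) { $f[1] } else { $f[0] }
            Ip   = if ($f.Count -gt 2) { $f[2] } else { $null }
        }
    }
}

function Test-EpoHandlerDns {
    # The agent is online only if DNS returns the IP address recorded in the string.
    param([pscustomobject]$Handler)
    try {
        $resolved = [System.Net.Dns]::GetHostAddresses($Handler.Fqdn) |
                    Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
                    ForEach-Object { $_.IPAddressToString }
    } catch {
        return [pscustomobject]@{ Handler = $Handler.Fqdn; Expected = $Handler.Ip; Resolved = $null; Match = $false; Note = 'Name cannot be found in DNS; agent stays offline' }
    }
    $match = ($resolved -contains $Handler.Ip)
    $note  = if ($match) { 'OK' }
             elseif ($resolved) { 'DNS address differs from the registry value (NAT, or a DMZ Agent Handler listed first?)' }
             else { 'No IPv4 address returned' }
    [pscustomobject]@{ Handler = $Handler.Fqdn; Expected = $Handler.Ip; Resolved = ($resolved -join ','); Match = $match; Note = $note }
}

# --- main ---
$state = Get-DlpAgentOnlineState
$stateText = if ($null -eq $state) { 'not found' } elseif ($state -eq 1) { '1 (online)' } else { '0 (offline)' }
Write-Host "AgentOnline registry value: $stateText"

$list = Get-EpoServerList
if (-not $list) { Write-Warning 'ePOServerList not found; is the McAfee Agent installed?'; return }
$handlers = @(ConvertFrom-EpoServerList -ServerList $list)
Write-Host "Agent Handlers listed (only the first one is tested): $($handlers.Fqdn -join ', ')"
Test-EpoHandlerDns -Handler $handlers[0] | Format-List
```

Because the registry value records the result of the last network state change while this script resolves DNS now, the two can disagree in the same way the AgentDiag tool and the registry can: a Match of True together with an AgentOnline value of 0 means DNS was unavailable when the network last changed, and the Relaxed logon interval note above applies.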

Solution

Free up disk space on the drive where the evidence share was created. This share most often resides on the ePO server in the default location (c:\dlp_resources\evidence).

NOTE: With the current functionality, evidence that has already been written to the root of the client's C: drive cannot be uploaded. That data can be deleted.

If you require a change to product functionality, submit a new product idea at:

https://community.mcafee.com/t5/Enterprise-Product-Ideas/idb-p/business-ideas

The Ideas forum is accessible only to McAfee business and enterprise customers. To access the Ideas forum, click Sign In and enter either your McAfee ServicePortal (https://support.mcafee.com) or McAfee Community User ID and password. If you do not yet have a McAfee ServicePortal or McAfee Community account, click Register to register for a new account on either website.

For more information about product ideas, see KB60021.

NOTE: The Ideas forum replaces the previous Product Enhancement Request system.
