Data Loss Prevention Endpoint Agent fails to upload evidence from the client computer to the evidence share
Technical Articles ID: KB81399
Last Modified: 11/7/2019


McAfee Data Loss Prevention (DLP) Endpoint - all supported versions

For details of DLP Endpoint supported environments, see KB68147


Microsoft ended extended support for Windows XP SP3 on April 8, 2014. For best results and optimal security, upgrade to a supported operating system. See KB78434 for details.


After an incident with evidence is generated, the incident is uploaded to ePolicy Orchestrator (ePO), but the evidence remains on the client in the RepBuf directory (C:\Program Data\McAfee\DLP\Agent\RepBuf).


There are four possible causes for this issue:
  • The evidence share is incorrectly specified in the DLP Endpoint Agent Configuration. If the share location is misconfigured, the agent can't upload evidence files.
  • The permissions for the evidence share do not allow the user specified in the DLP Endpoint Agent Configuration to write to the evidence directory.
  • The DLP Endpoint agent is in an offline state. If the DLP Endpoint Agent is offline, the agent assumes it does not have a connection to the evidence share and does not try to upload evidence files.
  • The Evidence folder on the ePO server has run out of disk space. Events are then returned to the local system and stored on the C: drive, rather than in the RepBuf folder on the local system.


To verify the evidence path against the share on the ePO server, view the properties of the directory and click the Sharing tab. The value displayed for Network Path is the correct UNC path for the evidence share.


The default configuration for the DLP Endpoint Agent is to connect as the local system. The share must be properly configured to allow the agent to upload as the system. To verify that the share permissions are properly configured for access by the local system, perform the following test from the client computer:
  1. Download psexec from http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx.
  2. Extract psexec.exe from the downloaded .zip file.
  3. Click Start, Run, type cmd, and click OK.
  4. Change the directory to the location of psexec.exe.
  5. Run the following command to start another cmd as the local system:

    psexec -hsi cmd
  6. Create a temporary connection to the share:

    pushd \\servername\evidence$
  7. Create a test directory using the following command:

    md test
  8. Create a test file using the following command:

  9. View the test directory in the evidence share and verify that the file was created.


  • If creating the test directory or file fails, the share is not configured to allow Create files/write data and Create folders/append data by the local system.
  • The steps to configure the evidence share for using the option Copy evidence using NETWORK SERVICE or logged on user are located in the "Create and configure repository folders" section of the DLPE Product Guide.

    For McAfee product documents, go to the Enterprise Product Documentation portal at https://docs.mcafee.com.
  • If the client is not a domain computer, use the Copy evidence using this user account option.
  • If the DLPE Agent Configuration is configured to use the Copy evidence using this user account option, you can perform the following test from the client to verify the share permissions:

    Start Windows Explorer using the Run as different user option (press the SHIFT key and right-click Windows Explorer) so that it runs as the user specified in the DLP Endpoint Agent Configuration policy. The permissions for that specific user must be set to at least Create files/write data and Create folders/append data.
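
The write test above can also be scripted so that it reports which of the two rights is missing. The following PowerShell is an added example, not part of the original article or McAfee tooling; the function name Test-EvidenceShareWrite and the test folder name are hypothetical, and \\servername\evidence$ is the placeholder used in the steps above. Run it from a shell started as the account the agent uses (for the default configuration, start powershell from the local system cmd opened with psexec).

```powershell
# Added example (not from the article): scripted version of the share write test.
param(
    # Placeholder from the article; replace with the configured evidence share.
    [string]$EvidenceShare = '\\servername\evidence$'
)

function Test-EvidenceShareWrite {
    param([Parameter(Mandatory)][string]$SharePath)

    $result = [ordered]@{
        Account      = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
        SharePath    = $SharePath
        CreateFolder = $false   # maps to "Create folders/append data"
        CreateFile   = $false   # maps to "Create files/write data"
        CleanedUp    = $false
        Error        = $null
    }
    # Unique folder name so repeated runs never collide with real evidence.
    $dir  = Join-Path $SharePath ('dlp-write-test-' + [guid]::NewGuid().ToString('N'))
    $file = Join-Path $dir 'test.txt'
    try {
        New-Item -ItemType Directory -Path $dir -ErrorAction Stop | Out-Null
        $result.CreateFolder = $true
        Set-Content -LiteralPath $file -Value 'evidence share write test' -ErrorAction Stop
        $result.CreateFile = $true
    } catch {
        $result.Error = $_.Exception.Message
    } finally {
        if ($result.CreateFolder) {
            # Deleting can fail on a share that grants create rights only.
            try {
                Remove-Item -LiteralPath $dir -Recurse -Force -ErrorAction Stop
                $result.CleanedUp = $true
            } catch {
                Write-Warning "Could not remove $dir; delete it from the server side."
            }
        }
    }
    [pscustomobject]$result
}

Test-EvidenceShareWrite -SharePath $EvidenceShare | Format-List
```

The Account field confirms which identity the test actually ran as, which is the point of starting the shell through psexec.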


To view whether the Agent is online or offline:
  1. Click Start, Run, type regedit, and click OK.
  2. Navigate to and view the following registry key for the applicable system:

    X32 systems

    X64 systems

    Agent Online - REG_DWORD = 1
    Agent Offline - REG_DWORD = 0
  3. To determine whether it is online or offline, the DLP Endpoint Agent queries DNS for the ePO server name listed in the following registry string value on the client:

    x32 systems
    [HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\ePolicy Orchestrator\Agent\ePOServerList]

    X64 systems
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Network Associates\ePolicy Orchestrator\Agent\ePOServerList]

    NOTES: DNS must return the IP address of the ePO server listed in the same registry string value:
    • If DNS does not return the same IP address that is listed in the string or the name can't be found, the agent is offline. You must resolve the DNS issue before the agent goes online and uploads evidence.
    • If there is more than one Agent Handler listed in the string, the agent tests the first Agent Handler listed. If a DMZ Agent Handler is listed first and the Published IP address does not match the DNS record for the server because of a NAT, the agent is not online. For systems communicating on the internal network, do not configure them to use a DMZ Agent Handler.
    • It is not required that the client is on the same Domain as ePO. It is only required that the client has access to the DNS that the ePO server is registered to.
    • The DLP AgentDiag tool does not pull the Agent Online status from the registry but rather performs a real-time query. If the AgentDiag tool shows online but the registry shows offline, the system could not resolve the DNS at the time the last network state change occurred.
    • If you can resolve the DNS and the AgentDiag tool shows offline, try changing the Relaxed logon interval setting in the Agent Configuration to delay the real-time query. The client systems must be restarted to pick up the change to the setting.
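
The DNS comparison described in these notes can be reproduced from the client. The following PowerShell is an added example, not part of the original article or McAfee tooling; the function names are hypothetical, and the layout of the ePOServerList string (entries separated by ";", fields by "|" in the order name, IP address, port) is an assumption to confirm against the value on your system.

```powershell
# Added example (not from the article). Requires Resolve-DnsName
# (Windows 8 / Server 2012 or later).
# Assumption: ePOServerList looks like "name|ip|port;name|ip|port;".
$agentKeys = @(
    'HKLM:\SOFTWARE\Network Associates\ePolicy Orchestrator\Agent',
    'HKLM:\SOFTWARE\Wow6432Node\Network Associates\ePolicy Orchestrator\Agent'
)

function Get-FirstHandler {
    param([Parameter(Mandatory)][string]$ServerList)
    # The agent tests only the first Agent Handler listed, so parse only that one.
    $entries = @($ServerList -split ';' | Where-Object { $_.Trim() })
    if ($entries.Count -eq 0) { return $null }
    $fields = $entries[0].Trim() -split '\|'
    [pscustomobject]@{ Name = $fields[0]; ListedIp = $fields[1] }
}

function Test-HandlerDns {
    param([Parameter(Mandatory)]$Handler)
    try {
        # -DnsOnly skips the hosts file and NetBIOS so only DNS answers count.
        $resolved = @(Resolve-DnsName -Name $Handler.Name -Type A -DnsOnly -ErrorAction Stop |
            Where-Object { $_.IPAddress } | ForEach-Object { $_.IPAddress })
    } catch {
        $resolved = @()   # name not found: the agent would be offline
    }
    [pscustomobject]@{
        Handler  = $Handler.Name
        ListedIp = $Handler.ListedIp
        DnsIps   = $resolved -join ', '
        # False here matches the offline condition described in the notes.
        Match    = $resolved -contains $Handler.ListedIp
    }
}

foreach ($key in $agentKeys) {
    $value = (Get-ItemProperty -Path $key -Name ePOServerList -ErrorAction SilentlyContinue).ePOServerList
    if ($value) {
        $handler = Get-FirstHandler -ServerList $value
        if ($handler) { Test-HandlerDns -Handler $handler | Format-List }
        break
    }
}
```

A Match of False with a DMZ Agent Handler listed first points to the NAT case described in the notes.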


Free up the disk space on the drive where the evidence share was created. This share most often resides on the ePO server in the default location (c:\dlp_resources\evidence).

NOTE: In the current functionality, there is nothing that can be done to upload the evidence in the root directory of the client's C: drive. The data can be deleted.
If you require a change to product functionality, submit a new product idea at:


The Ideas forum is accessible only to McAfee business and enterprise customers. Click Sign In and enter your McAfee ServicePortal (https://support.mcafee.com) User ID and password. If you do not yet have a McAfee ServicePortal or McAfee Community account, click Register to register for a new account on either website.

For more information about product ideas, see KB60021.

NOTE: The Ideas forum replaces the previous Product Enhancement Request system.


To enable Evidence Copy Service, perform the following steps:
  1. Log on to the ePO Console.
  2. Select the Policy Catalog tab and click Windows Client Configuration Policy.
  3. Click Operation Modes and Modules and enable Evidence Copy Service.