20th December 2024

What is Evidence in Mcafee DLP? Evidence File Path Access Error and Solution

First of all, we will talk about what is Evidence. Evidence is a copy of the file or email that triggered a security event. Enabling evidence storage is the default condition for McAfee DLP Endpoint. Creating an evidence storage folder and specifying the UNC path to the folder are requirements for applying a policy to McAfee ePO. The folder doesn’t need to be on the same computer as the McAfee DLP Database server, but it’s usually fine to put it there. You can unzip the folder onto the McAfee ePO server if you want. The important thing is that it is synchronized.

On the Mcafee ePO, we click on the “DLP Incident Manager” tab.

DLP Incident Manager
DLP Incident Manager

 

On the “Incident List” page, we click on the “incident” id.

Incident List
Incident List

 

When we open evidence in Incident, we get the following error. When we hover over the record, you will see the following pach. There is no registration on this pach. The evidence file created in Pach is not visible.

evidence file
evidence file

 

When we click on the Evidence file, the following error comes up. So this cannot go to the evidence file.

Evidence file is not available
Evidence file is not available

 

To check whether there is access to the Evidence file, we click on the “DLP Settings” tab from the ePO menu. Here it gives an error as in the screen below. It appears that it is not connecting to the Evidence file.

DLP Settings - evidence file
DLP Settings – evidence file

 

Test connection Failed, STATUS_PASSWORD_EXPIRED (0xc0000071): Authentication failed for 'epo' using com.hierynomus.smbj.auth.NtlmAuthenticator@33b5e59a
DLP Settings - evidence file
DLP Settings – evidence file

 

Resolving “evidence” File Path Access Error

It seems that there is no access to the “evidence” file because the “evidence” file path created in Pach is not visible and we cannot navigate to the “evidence” file. We first adjust the settings in the “Shared Storage” tab on the “DLP Settings” page to solve the problem. We provide access to the “evidence” file that we share on the ePO server.

LEARN MORE  What is Carbon Black EDR? How to Use It? - Part 2

For example;
Shared Storage Location (UNC): \\systemconfserver\evidence
User Name: systemconf\omer

Resolving "evidence" File Path Access Error
Resolving “evidence” File Path Access Error

 

Secondly, on the “Policy Catalog” page, we come to the “Dada Loss Prevention 11.6 > Windows Client Configuration > Default Windows Client Configuration” tab. Click the “Edit” button. We are using the “Default Windows Client Configuration” policy here. You need to edit which policy you are using.

Default Windows Client Configuration
Default Windows Client Configuration

 

We also provide access to the “evidence” file that we share on the ePO server in this policy. As a result of the settings we made, the problem has been resolved.

Shared Storage-Evidence
Shared Storage-Evidence

 

After allowing port 445 from the clients to the server where the Evidence file is located, the problem was solved. The solution output is as follows.

solution output
solution output

 

Leave a Reply

Your email address will not be published. Required fields are marked *