DLP Endpoint Agent fails to upload evidence from the client computer to evidence share
Last Modified: 2023-10-30 17:44:52 Etc/GMT
As of May 14, 2024, Knowledge Base (KB) articles will only be published and updated in our new Trellix Thrive Knowledge space.
Log in to the Thrive Portal using your OKTA credentials and start searching the new space. Legacy KB IDs are indexed and you will be able to find them easily just by typing the legacy KB ID.
Technical Articles ID:
KB81399
Environment
Data Loss Prevention Endpoint (DLP Endpoint) - all supported versions
For supported environments information, see KB68147 - Supported platforms for Data Loss Prevention Endpoint.
Problem
After an incident with evidence is generated, the incident is uploaded to ePolicy Orchestrator (ePO). But the evidence remains on the client in the
Cause
There are four possible causes for this issue:
Solution 1
To verify the evidence path against the share on the ePO server, view the properties of the directory and click the Sharing tab. The Network Path shown there is the correct UNC path for the evidence share.
Solution 2
The default configuration for the DLP Endpoint Agent is to connect the local system to the ePO server (Windows Client Configuration -> Corporate Connectivity -> Corporate Network Detection -> Detect if Trellix DLP Endpoint is inside the corporate network).
The share must be properly configured to allow the agent to upload as the system. To verify that the share permissions are properly configured for access by the local system, perform the following test from the client computer:
Solution 3
To view whether the Agent is online or offline:
Solution 4
Free up the disk space on the drive where the evidence share is created. This share most often resides on the ePO server in the default location
NOTE: In the current function, there's nothing that can be done to upload the evidence in the root directory of the client's
To submit a new product idea, go to the Enterprise Customer Product Ideas page.
Click Sign In and enter your ServicePortal User ID and password. If you do not yet have a ServicePortal or Community account, click Register to register for a new account on either website. For more information about product ideas, see KB60021 - How to submit a Product Idea.
Solution 5
To enable Evidence Copy Service, perform the following steps:
Workaround
Currently, there's an issue in DLP Endpoint with client-ePO identification, so the default setting on "Windows Client Configuration -> Corporate Connectivity -> Corporate Network Detection -> Detect if Trellix DLP Endpoint is inside the corporate network -> by testing connectivity to Trellix ePO" isn't being detected. You can configure a server:port on the WCC policy (Corporate Network Detection -> by testing connectivity to any of the following corporate servers:). The DLP client tests connectivity to this server and sets the AgentOnline DWORD registry value (see Solution 3) to 1 or 0, so the DLP agent is online or offline accordingly. Because of the issue, add the ePO server and the communication port (you can use DLP Diagnostic Tool -> General -> EPO to validate the IP and the port).
NOTE: Engineering is working on this issue to provide a fix.
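The checks behind Solutions 1 and 2 and the Workaround can be scripted from the client. The following PowerShell is an added example, not Trellix code; the share path, host name and port are constructed placeholders, and because the agent uploads as Local System the share results are only meaningful when the script runs in that context.

```powershell
# Added example: checks that a client can reach and write to the evidence share
# and can connect to the server:port used for corporate network detection.
# All default values are constructed placeholders; replace them with your own.
param(
    [string]$EvidenceShare = '\\epo-server.example\evidence-share',  # placeholder UNC path
    [string]$EpoServer     = 'epo-server.example',                   # placeholder host
    [int]$EpoPort          = 443   # placeholder; confirm in DLP Diagnostic Tool -> General -> EPO
)

$identity = [Security.Principal.WindowsIdentity]::GetCurrent()
$results = [ordered]@{
    RunningAs      = $identity.Name
    IsLocalSystem  = $identity.IsSystem   # the agent uploads as Local System
    ShareReachable = $false
    ShareWritable  = $false
    ServerPortOpen = $false
    Detail         = ''
}

# Solution 1: does the configured UNC path resolve to a reachable directory?
$results.ShareReachable = Test-Path -LiteralPath $EvidenceShare -PathType Container

# Solution 2: can this account create a file in the share?
if ($results.ShareReachable) {
    $probe = Join-Path $EvidenceShare ("dlp-probe-{0}.tmp" -f [guid]::NewGuid())
    try {
        [IO.File]::WriteAllText($probe, 'write test')
        $results.ShareWritable = $true
        # Clean up; a failure here means create is allowed but delete is not.
        Remove-Item -LiteralPath $probe -Force -ErrorAction Stop
    } catch {
        $results.Detail = $_.Exception.Message
    }
}

# Workaround: is the server:port configured for network detection reachable?
$tcp = Test-NetConnection -ComputerName $EpoServer -Port $EpoPort -WarningAction SilentlyContinue
$results.ServerPortOpen = [bool]$tcp.TcpTestSucceeded

[pscustomobject]$results | Format-List
if (-not $results.IsLocalSystem) {
    Write-Warning 'Not running as Local System; share results reflect this account only.'
}
```

If ShareWritable is True but Detail contains an error, the account could create the probe file but not delete it, so the file remains in the share and should be removed by an administrator.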