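Evidence files that were not fully copied to the evidence share location and are older than the configured number of days cannot be accessed from Incident Manager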
Last Modified: 2023-04-13 13:06:23 Etc/GMT
Technical Articles ID:
KB96280
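Environment
Summary
When an incident violation occurs in DLP, the encrypted file is copied to the local disk in the "
Note: The cleanup activity is performed only when DLP Endpoint is successfully connected to ePolicy Orchestrator (ePO) and the evidence share location.
Problem
When you try to access a file from Incident Manager in ePO, an error message is displayed for incomplete evidence files in the evidence share "
In rare cases, some evidence files might be affected if the value of the "Maximum local evidence age (days)" field is insufficient. The affected evidence files are created on endpoint systems that are shut down or disconnected from the evidence share path for longer than the configured number of days.
Cause
When an incident violation occurs and the client system is not connected to the evidence share location during the file copy, the evidence file is not copied until the connection is restored. If the configured number of days has been exceeded by the time the connection is established, these files are deleted. As a result, the evidence files cannot be downloaded from Incident Manager in ePO.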
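The cleanup rule described above can be modeled to see which evidence would be discarded for a given setting and what value would have retained it. This is an added example, not Trellix code: the host names, timestamps and function names are constructed, and it assumes evidence is lost only when its age at reconnection is strictly greater than the configured number of days.

```python
from datetime import datetime, timedelta
from math import ceil

# Constructed sample data, not taken from any product log:
# (endpoint, time of the incident violation, time the endpoint next reached the evidence share)
INCIDENTS = [
    ("LAPTOP-01", datetime(2023, 3, 1, 9, 0), datetime(2023, 3, 1, 9, 5)),
    ("LAPTOP-02", datetime(2023, 3, 2, 17, 30), datetime(2023, 3, 20, 8, 15)),
    ("LAPTOP-03", datetime(2023, 3, 10, 12, 0), datetime(2023, 3, 16, 12, 0)),
    ("KIOSK-07", datetime(2023, 3, 5, 8, 0), datetime(2023, 4, 9, 10, 0)),
]


def at_risk(incidents, max_local_evidence_age_days):
    """Endpoints whose uncopied evidence exceeds the age limit at reconnection.

    Assumption: the file is deleted only if its age is strictly greater than
    the configured number of days when the share becomes reachable again.
    """
    limit = timedelta(days=max_local_evidence_age_days)
    return [host for host, violation, reconnect in incidents
            if reconnect - violation > limit]


def minimum_age_setting(incidents, buffer_days=0):
    """Smallest whole-day value that would have retained every sample file."""
    longest_gap = max(reconnect - violation for _, violation, reconnect in incidents)
    return ceil(longest_gap / timedelta(days=1)) + buffer_days


if __name__ == "__main__":
    for days in (6, 30):  # hypothetical values for the setting
        print(f"{days} days -> evidence lost on: {at_risk(INCIDENTS, days)}")
    print("value that retains all sample evidence:", minimum_age_setting(INCIDENTS))
```

Feeding it real offline durations, for example derived from each endpoint's last communication time in ePO, gives a data-driven starting value for the setting.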
Solution
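To allow additional buffer time for the copy operation to be retried and the process to complete, enter a higher value in the "Maximum local evidence age (days)" field. A higher value ensures that the issue is avoided, and incomplete evidence files in the evidence share location also become less likely.
Disclaimer
The content of this article originated in English. If there are differences between the English content and its translation, the English content is always the most accurate. Some of this content has been provided using Machine Translation translated by Microsoft.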