First of all, we will talk about what is Evidence. Evidence is a copy of the file or email that triggered a security event. Enabling evidence storage is the default condition for McAfee DLP Endpoint. Creating an evidence storage folder and specifying the UNC path to the folder are requirements for applying a policy to McAfee ePO. The folder doesn’t need to be on the same computer as the McAfee DLP Database server, but it’s usually fine to put it there. You can unzip the folder onto the McAfee ePO server if you want. The important thing is that it is synchronized.
On the Mcafee ePO, we click on the “DLP Incident Manager” tab.
On the “Incident List” page, we click on the “incident” id.
When we open evidence in Incident, we get the following error. When we hover over the record, you will see the following pach. There is no registration on this pach. The evidence file created in Pach is not visible.
When we click on the Evidence file, the following error comes up. So this cannot go to the evidence file.
To check whether there is access to the Evidence file, we click on the “DLP Settings” tab from the ePO menu. Here it gives an error as in the screen below. It appears that it is not connecting to the Evidence file.
Test connection Failed, STATUS_PASSWORD_EXPIRED (0xc0000071): Authentication failed for 'epo' using com.hierynomus.smbj.auth.NtlmAuthenticator@33b5e59a
Resolving “evidence” File Path Access Error
It seems that there is no access to the “evidence” file because the “evidence” file path created in Pach is not visible and we cannot navigate to the “evidence” file. We first adjust the settings in the “Shared Storage” tab on the “DLP Settings” page to solve the problem. We provide access to the “evidence” file that we share on the ePO server.
Shared Storage Location (UNC): \\systemconfserver\evidence
User Name: systemconf\omer
Secondly, on the “Policy Catalog” page, we come to the “Dada Loss Prevention 11.6 > Windows Client Configuration > Default Windows Client Configuration” tab. Click the “Edit” button. We are using the “Default Windows Client Configuration” policy here. You need to edit which policy you are using.
We also provide access to the “evidence” file that we share on the ePO server in this policy. As a result of the settings we made, the problem has been resolved.
After allowing port 445 from the clients to the server where the Evidence file is located, the problem was solved. The solution output is as follows.