How to install whitelist and evidence shares on a server other than ePolicy Orchestrator
Technical Articles ID:   KB83365
Last Modified:  5/13/2019


Environment

McAfee Data Loss Prevention (DLP) Endpoint - all supported versions

For details of DLP Endpoint supported environments, see KB68147

Summary

Use the following steps to install whitelist and evidence shares on a Windows 2008 or 2012 server (all flavors) that is not an ePolicy Orchestrator (ePO) server:

NOTE: The ePO server does not have read permissions to decrypt the file on the share.
  1. Right-click the evidence/whitelist folder and select Properties.
  2. Click the Sharing tab, and then click Advanced sharing.
  3. Select the Share this folder option.
  4. Modify the Share name as evidence$ / whitelist$, and click OK.
     
    NOTE: The $ ensures that the share is hidden.
     
  5. Click Permissions, select Domain Computers, give Full control, and then click OK twice.
  6. Click the Security tab, and then click Advanced.
  7. On the Permissions tab, deselect the Include inheritable permissions from the object's parent option. A confirmation message is displayed explaining the effect this change has on the folder.
  8. Click Remove. The Permissions tab in the Advanced Security Settings window shows all permissions eliminated.
  9. Click Add to select an object type.
  10. In the Enter the object name to select field, type [Domain Computers], and then click OK. The Permission Entry dialog box is displayed.
  11. In the Allow column, select the following options:
      • Create Files/Write Data and Create Folders/Append Data
      • Read Attributes
      • Read Extended Attributes
      • Read Permissions for the evidence folder
      • List Folder/Read Data for the whitelist folder
  12. Verify that the Apply onto option applies to This folder, subfolders and files, and then click OK. The Advanced Security Settings window now includes Domain Computers.
  13. Click Add to select an object type.
  14. In the Enter the object name to select field, type Domain Users/Authenticated users or Everyone, and then click OK. The Permission Entry dialog box is displayed.
  15. In the Allow column, select the following options:
      • Create Files/Write Data and Create Folders/Append Data
      • Read Attributes
      • Read Extended Attributes
      • Read Permissions for the evidence folder
      • List Folder/Read Data for the whitelist folder
  16. Verify that the Apply onto option says This folder, subfolders and files, and then click OK. The Advanced Security Settings window now includes Your ePO computer object name.
  17. Click Add again to select an object type.

NOTES: 
Evidence$ share requirements:
  • For the Incident Manager to decrypt evidence files, you need only the ePO computer account (ePO computer objects), which must be MachineName$.
  • For Endpoint to send evidence files, you need the Domain Computers AD group or the named user that is used in the Agent Configuration (Domain Users, Authenticated Users, and Everyone). The Everyone user group also works, but is not needed.
Whitelist$ share needs only the DLP Endpoint Admins. This need can be covered by a DLP Endpoint Admins AD Group or named users (Domain Users, Authenticated Users, and Everyone). The Everyone user group also works, but is not needed.
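
The share and NTFS settings from steps 1 to 12, scripted for the evidence folder only. This is an added example, not McAfee's own tooling. Assumptions: the folder path and the CONTOSO domain name are placeholders, the five rights listed before "for the evidence folder" are taken as the evidence set, and New-SmbShare requires Windows Server 2012 or later.

```powershell
# Added example, not from the article. Run in an elevated session on the file server.
# Assumed values: the folder path and the CONTOSO domain name are placeholders.
$Path     = 'D:\DLP\evidence'
$Share    = 'evidence$'                  # trailing $ hides the share (step 4)
$Identity = 'CONTOSO\Domain Computers'

# Steps 1-5: share the folder, Full Control for Domain Computers at share level.
# New-SmbShare needs Windows Server 2012 or later; on 2008 use the dialog steps.
if (-not (Get-SmbShare -Name $Share -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $Share -Path $Path -FullAccess $Identity | Out-Null
}

# Steps 6-8: stop inheriting from the parent and drop every existing entry.
$acl = Get-Acl -Path $Path
$acl.SetAccessRuleProtection($true, $false)   # protect the ACL, discard inherited ACEs
foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
    $acl.RemoveAccessRuleAll($ace)            # removes all explicit ACEs for that identity
}

# Steps 9-12: write-oriented rights for Domain Computers, applied to
# "This folder, subfolders and files" (ContainerInherit + ObjectInherit).
# Assumption: this is the evidence-folder set; the whitelist folder differs.
$rights  = [System.Security.AccessControl.FileSystemRights]'CreateFiles, AppendData, ReadAttributes, ReadExtendedAttributes, ReadPermissions'
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$rule    = New-Object System.Security.AccessControl.FileSystemAccessRule(
               $Identity, $rights, $inherit, $prop, 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $Path -AclObject $acl

# Check the result. With every other entry removed, reading the ACL back
# relies on the running account owning the folder.
$check = Get-Acl -Path $Path
if (-not $check.AreAccessRulesProtected) {
    Write-Warning 'Inheritance is still enabled on the evidence folder.'
}
$unexpected = @($check.Access | Where-Object { $_.IdentityReference.Value -ne $Identity })
if ($unexpected.Count -gt 0) {
    Write-Warning "Unexpected entries: $($unexpected.IdentityReference -join ', ')"
}
$check.Access | Format-Table IdentityReference, FileSystemRights, InheritanceFlags, IsInherited -AutoSize
```

The final table should show a single non-inherited Allow entry for Domain Computers; any additional identity or an inherited entry means the folder is more open than the procedure intends.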
