Data Loss Prevention

  • 1.  No new incident

    Posted Jan 23, 2013 04:10 AM

    Hi! I installed a new DLP, but after setup there are no new incidents. There is an Incident Queue, but no new incidents. For the test I created two new Response Rules: one blocks and creates an incident: "Endpoint Prevent: Block" and "All: Set Status: New"; the other just creates an incident. Blocking works, but there is no incident. Can you tell me what the problem is?

     

    It looks like this:

    |  |  |  |  | Messages (Last 10 sec) | Messages (Today) | Incidents (Today) | Incident Queue | Message Wait Time |
    | --- | --- | --- | --- | --- | --- | --- | --- | --- |
    | Running | Enforce Server | 11.6.0.19032 | N/A | N/A | N/A | N/A | 0 | N/A |
    | Running | test_monitor | 11.6.0.19032 | Network Monitor, Network Prevent for E-mail, Network & Mobile Prevent for Web, Endpoint, Network Discover | 8 | 38 536 | 0 | 925 | 0:00:00 |

     



  • 2.  RE: No new incident

    Posted Jan 23, 2013 05:30 AM

    Hello,

    Try restarting the Vontu Monitor Controller service on the Enforce server.



  • 3.  RE: No new incident

    Posted Jan 23, 2013 06:11 AM

    Thank you very much, it helped. The problem itself is not clear.



  • 4.  RE: No new incident

    Broadcom Employee
    Posted Jan 23, 2013 06:30 AM

    Is the end user getting a pop-up for the incident?



  • 5.  RE: No new incident

    Posted Jan 23, 2013 09:54 PM

    Yes, they got it.



  • 6.  RE: No new incident

    Broadcom Employee
    Posted Jan 24, 2013 01:40 AM

    It seems all the incidents are queued on your detection server (test_monitor). Could you check the connection between your Enforce server and test_monitor? I wonder if there is some problem with your Enforce server receiving the incidents from test_monitor.



  • 7.  RE: No new incident

    Broadcom Employee
    Posted Jan 24, 2013 02:04 AM
    Is the endpoint communicating with the detection server? Is the detection server status OK?


  • 8.  RE: No new incident

    Posted Jan 24, 2013 02:23 AM

    Hello colleagues,
    I have seen several installations in which the Monitor Controller service freezes. A simple restart of the Vontu Monitor Controller service helps.
    Once I tried to get to the bottom of it. I discovered that the file \Vontu\Protect\config\EnvironmentCheckUtility.properties contains the following lines:
    ecu.incidentpersister = VontuIncidentPersister.ex
    ecu.monitorcontroller = VontuMonitorController.ex

    Judging by the name of the config file, these are the executable process files that need to be monitored. Following this logic, I changed the lines to the following:
    ecu.incidentpersister = VontuIncidentPersister.exe
    ecu.monitorcontroller = VontuMonitorController.exe
    and I restarted the Enforce services. I do not remember exactly what happened in this case: either no result at all, or even worse.
    At the time, I wasn't able to get in touch with Symantec support. I got out of the situation by creating a bat file that restarts the VontuMonitorController service and scheduling it to run (every 3 hours) in the Windows Scheduler.
    Since then, I have stopped digging into the matter and, if I meet the same problem, I follow the same procedure.

    ---
    Best regards, Artem.



  • 9.  RE: No new incident

    Posted Feb 07, 2013 04:00 AM

    Hi Adaho,

    Please restart the Vontu services in priority order as mentioned in the DLP Admin guide.

    The Incident Persister service might not be writing the incidents to the database. Also check the AD integration and DB communication with the Enforce servers.



  • 10.  RE: No new incident

    Posted Feb 11, 2013 06:37 PM

    If the incidents aren't showing up there are several things to check.

     

    On the detection server check the incidents folder to see if the incidents are queuing up there. If they are, open a support case to determine the cause.

    In the GUI check the system -> overview -> enforce and make sure the monitor controller is running. If it isn't, start it.

    If the monitor controller was running, restart it.

    If that doesn't fix the problem, restart all the servers.

    If that doesn't fix the problem, open a support case.

    JGT
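
The checks from the last post, combined with the scheduled restart described in post 8, can be scripted so the service is restarted only when incidents are actually piling up. This is an added example, not part of the thread and not Symantec code. It assumes it runs on the Enforce server with the detection server's incidents folder reachable; the folder path is a placeholder (the thread does not give it), the service name is the one quoted in post 8, and the threshold and state file are hypothetical.

```powershell
# Watchdog for a stalled DLP incident queue (added example, not vendor code).
param(
    # Placeholder: the thread does not state the incidents folder path.
    [string]$IncidentDir = '<DETECTION-SERVER-INCIDENTS-FOLDER>',
    # Service name as quoted in post 8.
    [string]$ServiceName = 'VontuMonitorController',
    # Hypothetical state file and backlog threshold.
    [string]$StateFile   = (Join-Path $env:ProgramData 'dlp-queue-watchdog.json'),
    [int]$MinBacklog     = 50
)
$ErrorActionPreference = 'Stop'

# Queue depth = files currently waiting in the incidents folder.
$queued = @(Get-ChildItem -LiteralPath $IncidentDir -File).Count

# Load the previous observation so a backlog that is draining is left alone.
$previous = $null
if (Test-Path -LiteralPath $StateFile) {
    $previous = Get-Content -LiteralPath $StateFile -Raw | ConvertFrom-Json
}

$service = Get-Service -Name $ServiceName
$action  = 'none'

if ($service.Status -ne 'Running') {
    # Monitor controller is not running: start it.
    Start-Service -Name $ServiceName
    $action = 'started'
}
elseif ($previous -and $queued -ge $MinBacklog -and $queued -ge $previous.Queued) {
    # Running, but the backlog has not shrunk since the last run: restart it.
    Restart-Service -Name $ServiceName -Force
    $action = 'restarted'
}

# Record this run for the next comparison and emit it for the task's log.
$result = [pscustomobject]@{
    Time    = (Get-Date).ToString('o')
    Service = $ServiceName
    Status  = (Get-Service -Name $ServiceName).Status.ToString()
    Queued  = $queued
    Action  = $action
}
$result | ConvertTo-Json | Set-Content -LiteralPath $StateFile
$result
```

Run from a scheduled task, the emitted records show how often the queue stalls, which is useful evidence for the support case the last post recommends.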