Diagnosing Endpoint FileSystem Monitoring issues

Article Id: 159972

Status: Published

Updated On: 13-06-2017 09:38

Legacy Id: TECH220069

Products:

Data Loss Prevention Endpoint Prevent , Data Loss Prevention Endpoint Discover

Issue/Introduction:

How can I tell if the Endpoint Filesystem monitoring is enabled properly?

Resolution:

Verify that the Agent is running and FS driver is loaded using the following commands:
sc query edpa
sc query vfsmfd
Verify that the FS driver is attached to the drive on which files were copied using the following commands:
fltmc instances -f vfsmfd
Here's sample screenshot of the output of the above command:

In the above case F: corresponds to a USB drive.
If all the above steps were satisfactory then verify the file filters are configured properly.
Verify that the device and the file is configured to be monitored.
Verify that the file is not over 30MB as detection has a limit and will not detect on files greater than 30MB.
If all the above steps are still satisfactory, then change the log level of FileSystemConnector component to FINER using the following command:

Open a command prompt.
cd to agent installed directory.
Type "vontu_sqlite3 -db=cg.ead -p=VontuStop" (without quotes)
This will display a sqlite prompt.
At the prompt type the following command:
insert into configuration values ('Logging', 'FileSystemMessageListenerLevel', 'str', 'FINER');
Type "quit".
Restart the agent using "sc stop edpa". Watchdog will restart the agent.
Copy the test file and verify that the log file contains the following logs. The logs should contain following entries corresponding to FileSytemMessageListener:

If the above events are logged then the FileSystem is enabled properly. The next step is to check Detection.