In some cases the source file and source path are not populated in an incident report when it is exported to CSV.
Release : 15.x
Component : Endpoint Agent
We discovered that the fomc.dll on the Endpoint system image was registered incorrectly on the host system, which meant that the agent was unable to capture the source path and file for a Windows Explorer file copy.
The fomc.dll is registered only once by the Endpoint Agent, after installation.
Re-register the fomc.dll using the correct Endpoint Agent installation path as follows:
1. Launch the command prompt with elevated access.
2. Change the path to the Endpoint Agent install location and run the command below:
regsvr32 fomc64.dll (on a 32-bit machine, run regsvr32 fomc.dll instead)
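To check which path is currently registered, before and after running regsvr32, the following PowerShell script can be used. It is an added example, not part of the original article or of the product. The -AgentPath parameter is hypothetical, and the script assumes that regsvr32 records the DLL under an InprocServer32 key in the machine-wide CLSID table.

```powershell
# Added example: list where fomc64.dll / fomc.dll is registered and whether
# that path is inside the Endpoint Agent install location.
param(
    # Assumption: the operator supplies the agent install location.
    [Parameter(Mandatory = $true)]
    [string]$AgentPath
)
$ErrorActionPreference = 'Stop'

$dllNames    = @('fomc64.dll', 'fomc.dll')
$expectedDir = (Resolve-Path -LiteralPath $AgentPath).ProviderPath.TrimEnd('\')

# Native and 32-bit (WOW6432Node) views of the machine-wide COM class table.
# Assumption: regsvr32 records the DLL under CLSID\{...}\InprocServer32.
$roots = 'HKLM:\SOFTWARE\Classes\CLSID', 'HKLM:\SOFTWARE\WOW6432Node\Classes\CLSID'

$found = foreach ($root in $roots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    foreach ($clsid in Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue) {
        try {
            $key = $clsid.OpenSubKey('InprocServer32')
            if ($null -eq $key) { continue }
            $raw = [string]$key.GetValue('')   # default value holds the DLL path
            $key.Close()
            $path = $raw.Trim().Trim('"')
            if ($dllNames -notcontains [IO.Path]::GetFileName($path)) { continue }
            [pscustomobject]@{
                Clsid          = $clsid.PSChildName
                RegisteredPath = $path
                FileExists     = Test-Path -LiteralPath $path
                MatchesAgent   = ([IO.Path]::GetDirectoryName($path).TrimEnd('\') -ieq $expectedDir)
            }
        } catch {
            continue   # unreadable key or malformed path: not the entry we want
        }
    }
}

if ($found) {
    $found | Format-Table -AutoSize
} else {
    Write-Warning 'No InprocServer32 entry references fomc64.dll or fomc.dll.'
}
```

A row with MatchesAgent or FileExists set to False indicates a registration that does not point at the installed agent, which is the condition the re-registration above corrects.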
There are some known behaviors where we cannot capture the source path and file, as follows:
1. Where a user creates a file and performs a "Save As" from the file itself directly to the destination.
2. Where a user runs a command line copy of a file to the destination, if the agent advanced setting Hooking.CMD_HOOKING.int is set to "0". This must be set to 1.
3. If the disk/drive is of unknown/fixed type.
See also the Broadcom Forum: DLP - Why some Endpoint incidents do not show a source path?