The source file and path are missing from the DLP Endpoint Incident Report exported to a CSV file.

Article ID: 227424

Products

Data Loss Prevention Endpoint Prevent

Issue/Introduction

In some cases, the source file and source path are not populated in an incident report when it is exported to CSV.

Environment

Release : 15.x

Component : Endpoint Agent

Cause

We discovered that the fomc.dll on the Endpoint system image was registered incorrectly on the host system, which meant that the agent was unable to capture the source path and file during a Windows Explorer file copy.

Resolution

The fomc.dll is registered only once by the Endpoint Agent after installation.

Re-register the fomc.dll using the correct Endpoint Agent installation path as follows:

1. Launch the command prompt with elevated access.
2. Change the path to the Endpoint Agent install location and run the command below:

   regsvr32 fomc64.dll

   (On a 32-bit machine, run regsvr32 fomc.dll instead.)
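To confirm where the DLL is currently registered before or after re-registering it, the following PowerShell check can be used. It is an added example, not Broadcom code; it assumes the DLL registers as a COM in-process server (an InprocServer32 entry), and the function name and the install path argument are hypothetical placeholders.

```powershell
# Added example (not vendor code). Assumption: regsvr32 leaves the DLL path in
# an InprocServer32 key under HKLM:\SOFTWARE\Classes\CLSID.
function Test-FomcRegistration {
    param(
        # Endpoint Agent install location on this host (no default is assumed).
        [Parameter(Mandatory)]
        [string]$AgentInstallPath
    )

    # The article names fomc64.dll for 64-bit and fomc.dll for 32-bit machines.
    $dllName  = if ([Environment]::Is64BitOperatingSystem) { 'fomc64.dll' } else { 'fomc.dll' }
    $expected = Join-Path $AgentInstallPath $dllName

    if (-not (Test-Path -LiteralPath $expected)) {
        throw "$dllName not found in '$AgentInstallPath'; check the install path."
    }

    # Collect every COM class whose in-process server is the hook DLL.
    $hits = foreach ($clsid in Get-ChildItem 'HKLM:\SOFTWARE\Classes\CLSID' -ErrorAction SilentlyContinue) {
        $server = Join-Path $clsid.PSPath 'InprocServer32'
        if (-not (Test-Path -LiteralPath $server)) { continue }

        $value = (Get-Item -LiteralPath $server).GetValue('')
        if (-not $value) { continue }

        $path = ([string]$value).Trim('"')
        if ((Split-Path $path -Leaf) -ieq $dllName) {
            [pscustomobject]@{
                CLSID          = $clsid.PSChildName
                RegisteredPath = $path
                MatchesInstall = ($path -ieq $expected)
            }
        }
    }

    if (-not $hits) {
        Write-Warning "$dllName is not registered as an in-process server on this host."
    }
    $hits
}

# Usage (the path is a placeholder for your own install location):
# Test-FomcRegistration -AgentInstallPath '<Endpoint Agent install location>'
```

Run it from a PowerShell session that matches the OS bitness, because a 32-bit session sees the redirected registry view. A row with MatchesInstall set to False points at a registration left over from a different path, which is the condition described under Cause.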

 

Additional Information

There are some known behaviors where we cannot capture the source path and file as follows:

1. Where a user creates a file and performs a "Save As" from the file itself directly to the destination.
2. Where a user runs a command-line copy of a file to the destination, if the agent advanced setting Hooking.CMD_HOOKING.int is set to "0". This must be set to 1.
3. If the disk/drive is of an unknown/fixed type.

See also the Broadcom Forum: DLP - Why some Endpoint incidents do not show a source path?