Modifying the Forensic Folder and Database Settings

Administrators can change the location and deletion schedule of the forensic folder, and the maximum size of files that agents upload by modifying OfficeScan’s INI files.

Warning:

Changing the location of the forensic folder after logging Data Loss Prevention incidents can cause a disconnect between the database data and the location of existing forensic files. Trend Micro recommends manually migrating any existing forensic files to the new forensic folder after modifying the forensic folder location.

The following table outlines the server settings available in the <Server installation folder>\PCCSRV\Private\ofcserver.ini file located on the OfficeScan server.

Table 1. Forensic Folder Server Settings in PCCSRV\Private\ofcserver.ini

| Objective | INI Setting | Values | Note |
|---|---|---|---|
| Enabling the user-defined forensic folder location | [INI_IDLP_SECTION] EnableUserDefinedUploadFolder | 0: Disable (default); 1: Enable | |
| Configuring the user-defined forensic folder location | [INI_IDLP_SECTION] UserDefinedUploadFolder | Default value: <Please replace this value with customer defined folder path. For example: C:\VolumeData\OfficeScanDlpForensicData>; User-defined value: Must be the physical location of a drive on the server machine | Administrators must enable the EnableUserDefinedUploadFolder setting before Data Loss Prevention applies this setting. The default location of the forensic folder is <Server installation folder>\PCCSRV\Private\DLPForensicData. The user-defined forensic folder location must be a physical drive (internal or external) on the server machine. OfficeScan does not support mapping a network drive location. |
| Enabling the purging of forensic data files | [INI_IDLP_SECTION] ForensicDataPurgeEnable | 0: Disable; 1: Enable (default) | |
| Configuring the time frequency of the forensic data file purge check | [INI_IDLP_SECTION] ForensicDataPurgeCheckFrequency | 1: Monthly, on the first day of the month at 00:00; 2: Weekly (default), every Sunday at 00:00; 3: Daily, every day at 00:00; 4: Hourly, every hour at HH:00 | Administrators must enable the ForensicDataPurgeEnable setting before OfficeScan applies this setting. OfficeScan only deletes data files that have passed the expiry date specified in the ForensicDataExpiredPeriodInDays setting. |
| Configuring the length of time to store forensic data files on the server | [INI_IDLP_SECTION] ForensicDataExpiredPeriodInDays | Default value (in days): 180; Minimum value: 1; Maximum value: 3650 | |
| Configuring the time frequency of the forensic file disk space check | [INI_SERVER_DISK_THRESHOLD] MonitorFrequencyInSecond | Default value (in seconds): 5 | If the available disk space in the forensic data folder is less than the value configured for the InformUploadOnDiskFreeSpaceInGb setting, OfficeScan records an event log on the web console. |
| Configuring the upload frequency of the forensic file disk space check | [INI_SERVER_DISK_THRESHOLD] IsapiCheckCountInRequest | Default value (in number of files): 200 | If the available disk space in the forensic data folder is less than the value configured for the InformUploadOnDiskFreeSpaceInGb setting, OfficeScan records an event log on the web console. |
| Configuring the minimum disk space value that triggers a limited disk space notification | [INI_SERVER_DISK_THRESHOLD] InformUploadOnDiskFreeSpaceInGb | Default value (in GB): 10 | If the available disk space in the forensic data folder is less than the value configured, OfficeScan records an event log on the web console. |
| Configuring the minimum space available to upload forensic data files from agents | [INI_SERVER_DISK_THRESHOLD] RejectUploadOnDiskFreeSpaceInGb | Default value (in GB): 1 | If the available disk space in the forensic data folder is less than the value configured, OfficeScan agents do not upload forensic data files to the server and OfficeScan records an event log on the web console. |
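
The following is an added example, not Trend Micro's code: a Python audit of the Table 1 settings in ofcserver.ini against the values and ranges documented above. SAMPLE is constructed input, and the final threshold-ordering check is an added sanity check rather than a rule stated on this page.

```python
import configparser

DLP, DISK = "INI_IDLP_SECTION", "INI_SERVER_DISK_THRESHOLD"
# (section, key, documented default, minimum, maximum); None = no bound on the page.
RULES = [
    (DLP, "EnableUserDefinedUploadFolder", 0, 0, 1),
    (DLP, "ForensicDataPurgeEnable", 1, 0, 1),
    (DLP, "ForensicDataPurgeCheckFrequency", 2, 1, 4),
    (DLP, "ForensicDataExpiredPeriodInDays", 180, 1, 3650),
    (DISK, "MonitorFrequencyInSecond", 5, None, None),
    (DISK, "IsapiCheckCountInRequest", 200, None, None),
    (DISK, "InformUploadOnDiskFreeSpaceInGb", 10, None, None),
    (DISK, "RejectUploadOnDiskFreeSpaceInGb", 1, None, None),
]
# Constructed sample fragment of ofcserver.ini (not taken from a real server).
SAMPLE = r"""[INI_IDLP_SECTION]
EnableUserDefinedUploadFolder=1
UserDefinedUploadFolder=\\fileserver\dlp
ForensicDataExpiredPeriodInDays=4000
[INI_SERVER_DISK_THRESHOLD]
InformUploadOnDiskFreeSpaceInGb=1
"""

def audit(ini_text):
    """Return a list of findings for the forensic folder settings in ini_text."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep the key case used in the file
    cp.read_string(ini_text)
    findings, val = [], {}
    for section, key, default, lo, hi in RULES:
        raw = cp.get(section, key, fallback=str(default)).strip()
        if not raw.isdecimal():
            findings.append(f"{key}: '{raw}' is not a non-negative integer")
            raw = str(default)  # continue the audit with the documented default
        val[key] = int(raw)
        if (lo is not None and val[key] < lo) or (hi is not None and val[key] > hi):
            findings.append(f"{key}: {raw} is outside the documented range {lo}-{hi}")
    if val["EnableUserDefinedUploadFolder"] == 1:
        folder = cp.get(DLP, "UserDefinedUploadFolder", fallback="").strip()
        if not folder or folder.startswith("<"):
            findings.append("UserDefinedUploadFolder: enabled but unset or still the placeholder")
        elif folder.startswith(("\\\\", "//")):  # a mapped drive letter cannot be detected here
            findings.append("UserDefinedUploadFolder: UNC path; a local physical drive is required")
    if val["ForensicDataPurgeEnable"] == 0:
        findings.append("ForensicDataPurgeEnable: purge is off; expired forensic files are not deleted")
    # Added sanity check (not from the page): the notice should fire before uploads stop.
    if val["RejectUploadOnDiskFreeSpaceInGb"] >= val["InformUploadOnDiskFreeSpaceInGb"]:
        findings.append("Disk thresholds: uploads are rejected before the low-space notice fires")
    return findings
```

Run `audit()` on the file contents before and after an edit; an empty list means every checked setting is within the documented values.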

The following table outlines the OfficeScan agent settings available in the <Server installation folder>\PCCSRV\ofcscan.ini file located on the OfficeScan server.

Table 2. Forensic File Agent Settings in PCCSRV\ofcscan.ini

| Objective | INI Setting | Values | Note |
|---|---|---|---|
| Enabling the uploading of forensic data files to the server | UploadForensicDataEnable | 0: Disable; 1: Enable (default) | |
| Configuring the maximum size of files that the OfficeScan agent uploads to the server | UploadForensicDataSizeLimitInMb | Default value (in MB): 10; Minimum value: 1; Maximum value: 2048 | The OfficeScan agent only sends files that are less than this size to the server. |
| Configuring the length of time to store forensic data files on the OfficeScan agent | ForensicDataKeepDays | Default value (in days): 180; Minimum value: 1; Maximum value: 3650 | The OfficeScan agent deletes forensic data files that have passed the expiry date specified every day at 11:00 am. |
| Configuring the frequency in which the OfficeScan agent checks for server connectivity | ForensicDataDelayUploadFrequenceInMinutes | Default value (in minutes): 5; Minimum value: 5; Maximum value: 60 | OfficeScan agents that are unable to upload forensic files to the server automatically try to resend the files using the specified time interval. |