Modifying the Forensic Folder and Database Settings

Views:

Administrators can change the location and deletion schedule of the forensic folder, and the maximum size of files that agents upload by modifying Apex One’s INI files.

Warning:

Changing the location of the forensic folder after logging Data Loss Prevention incidents can cause a disconnect between the database data and the location of existing forensic files. Trend Micro recommends manually migrating any existing forensic files to the new forensic folder after modifying the forensic folder location.

The following table outlines the server settings available in the <Server installation folder>\PCCSRV\Private\ofcserver.ini file located on the Apex One server.

Table 1. Forensic Folder Server Settings in PCCSRV\Private\ofcserver.ini
Objective	INI Setting	Values
Enabling the user-defined forensic folder location	[INI_IDLP_SECTION] `EnableUserDefinedUploadFolder`	0: Disable (default) 1: Enable
Configuring the user-defined forensic folder location	[INI_IDLP_SECTION] `UserDefinedUploadFolder` Note: Administrators must enable the `EnableUserDefinedUploadFolder` setting before Data Loss Prevention applies this setting. The default location of the forensic folder is: <Server installation folder>\PCCSRV\Private\DLPForensicData The user-defined forensic folder location must be a physical drive (internal or external) on the server machine. Apex One does not support mapping a network drive location.	Default value: <Please replace this value with customer defined folder path. For example: C:\VolumeData\OfficeScanDlpForensicData> User-defined value: Must be the physical location of a drive on the server machine
Enabling the purging of forensic data files	[INI_IDLP_SECTION] `ForensicDataPurgeEnable`	0: Disable 1: Enable (default)
Configuring the time frequency of the forensic data file purge check	[INI_IDLP_SECTION] `ForensicDataPurgeCheckFrequency` Note: Administrators must enable the `ForensicDataPurgeEnable` setting before Apex One applies this setting. Apex One only deletes data files that have passed the expiry date specified in the `ForensicDataExpiredPeriodInDays` setting.	1: Monthly, on the first day of the month at 00:00 2: Weekly (default), every Sunday at 00:00 3: Daily, every day at 00:00 4: Hourly, every hour at HH:00
Configuring the length of time to store forensic data files on the server	[INI_IDLP_SECTION] `ForensicDataExpiredPeriodInDays`	Default value (in days): 180 Minimum value: 1 Maximum value: 3650
Configuring the time frequency of the forensic file disk space check	[INI_SERVER_DISK_THRESHOLD] `MonitorFrequencyInSecond` Note: If the available disk space in the forensic data folder is less than the value configured for the `InformUploadOnDiskFreeSpaceInGb` setting, Apex One records an event log on the web console.	Default value (in seconds): 5
Configuring the upload frequency of the forensic file disk space check	[INI_SERVER_DISK_THRESHOLD] `IsapiCheckCountInRequest` Note: If the available disk space in the forensic data folder is less than the value configured for the `InformUploadOnDiskFreeSpaceInGb` setting, Apex One records an event log on the web console.	Default value (in number of files): 200
Configuring the minimum disk space value that triggers a limited disk space notification	[INI_SERVER_DISK_THRESHOLD] `InformUploadOnDiskFreeSpaceInGb` Note: If the available disk space in the forensic data folder is less than the value configured, Apex One records an event log on the web console.	Default value (in GB): 10
Configuring the minimum space available to upload forensic data files from agents	[INI_SERVER_DISK_THRESHOLD] `RejectUploadOnDiskFreeSpaceInGb` Note: If the available disk space in the forensic data folder is less than the value configured, agents do not upload forensic data files to the server and Apex One records an event log on the web console.	Default value (in GB): 1

The following table outlines the Security Agent settings available in the <Server installation folder>\PCCSRV\ofcscan.ini file located on the Apex One server.

Table 2. Forensic File Agent Settings in PCCSRV\ofcscan.ini
Objective	INI Setting	Values
Enabling the uploading of forensic data files to the server	`UploadForensicDataEnable`	0: Disable 1: Enable (default)
Configuring the maximum size of files that the Security Agent uploads to the server	`UploadForensicDataSizeLimitInMb` Note: The Security Agent only sends files that are less than this size to the server.	Default value (in MB): 10 Minimum value: 1 Maximum value: 20
Configuring the length of time to store forensic data files on the Security Agent	`ForensicDataKeepDays` Note: The Security Agent deletes forensic data files that have passed the expiry date specified once per day based on the previous day's purge time.	Default value (in days): 180 Minimum value: 1 Maximum value: 3650
Configuring the frequency in which the Security Agent checks for server connectivity	`ForensicDataDelayUploadFrequenceInMinutes` Note: Security Agents that are unable to upload forensic files to the server automatically try to resend the files using the specified time interval.	Default value (in minutes): 5 Minimum value: 5 Maximum value: 60