KB Article | Forcepoint Support

Problem Description

The following article is used to enable Microsoft Edge detection through the Forcepoint Endpoint: 
Forcepoint DLP Endpoint and Forcepoint One Endpoint do not monitor Microsoft Edge v40, v41, v42, or v44 by default in Windows 10 Creators Update

After this is performed, File Access monitoring is enabled for the Edge browser as an Endpoint Application. However, it is found that file uploads are still not blocking and users can upload confidential data through Edge.

Resolution

There is another executable that reads files in Windows named PickerHost.exe, which was introduced by Microsoft as a security measure to avoid ransomware. Please note that this is part of the Microsoft OS and should not be disabled as because other applications rely on it for functionality.

In order to allow for proper file access detection through Microsoft Edge, create a new Endpoint Application for "PickerHost.exe" and add it to the Endpoint Application Group containing Edge.
  1. Navigate to Policy Management > Resources > Endpoint Applications and create a new Endpoint Application
  2. Complete the fields as follows:
  • Name: Enter a name for this Endpoint Application such as Edge PickerHost
  • Initiated by: PickerHost.exe
  • Description: Add an optional description
  • Belongs to: Select the Endpoint Application Group that contains the Microsoft Edge entry covering only File Access
  1. Save and deploy changes, ensuring this Endpoint Application Group is contained with the Destination tab of a rule considering Edge transactions
  2. Update the Endpoint to the new Policy Version
Important As PickerHost.exe is a system process, do not include the Endpoint Application Group in any catch-all blocking policies, as this may introduce system instability. Please limit the condition of the rule(s) to consider actual exfiltration attempts.
 
Endpoint Application Setup
Endpoint Application Group Setup

Keywords: Forcepoint One Endpoint; Microsoft Edge; DLP  Incidents; Endpoint Application; File Access Enabled; PickerHost.exe;

Article Feedback



Thank you for the feedback and comments.