KB Article | Forcepoint Support

Problem Description

My Forcepoint Network or Endpoint Discovery incidents do not appear to be triggering their configured Remediation Scripts properly. What could be the cause of this?

Resolution

Remediation Scripts are called by Forcepoint DLP components to perform custom operations when incidents are triggered. They run asynchronously in a separate process: when an incident is generated, the script is simply invoked with a reference to the incident XML. The current design supports Python executable scripts and batch files only; PowerShell scripts are not supported.

Policy Script

  • Spawned on the same server where the transaction was analyzed.
  • Uses the Policy Engine service credentials or credentials provided during configuration.

Endpoint Script

  • Spawned on the Endpoint machine.
  • Runs with Local System credentials or credentials provided during configuration.
  • Anti-tampering restrictions apply on the process.

Incident Management Script

  • Spawned on the Forcepoint Manager machine.
  • Incident Management scripts will run only as the service account running Forcepoint DLP services.

Executing Python scripts directly is supported for Policy and Endpoint Remediation only.


Confirm Remediation Configuration

Confirm in the Action Plan for the rule(s) that the Remediation Script is selected and that the incident shows the script being executed under the History tab.
Note: Within the default Move/Copy Remediation Scripts, the value DaysKeepActiveFiles is the minimum number of days a file must have gone untouched before the script copies or moves it to the quarantine location. For example, if the value is 10, the file must not have been touched or modified within the last 10 days to be copied or moved. If it is set to 0, the script is applied to every file that triggers the rule.

Confirm Script Execution Permissions

Confirm that the configured account has proper computer access permissions on the intended machines.
Note that for Endpoint remediation, leaving the account credential fields blank will set the Endpoint to use the Local System account to run the Remediation Script.

Confirm Folder Permissions

Confirm that the account used to run the remediation script has read/write access to the destination folder location (if relevant) and that this permission extends to all sub-directories.
For testing purposes, consider sharing the folder with Everyone (Read/Write) temporarily.
If an administrative share (c$\FolderName, etc.) is used in the script, consider sharing the folder normally and referencing it by its UNC path instead.
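The following is an added example, not Forcepoint's shipped Move/Copy script: a hypothetical Python remediation helper that models the two behaviours described above, the DaysKeepActiveFiles age rule and an up-front check that the running account can actually write to the quarantine folder. The incident XML handed to a real script is not documented here, so the example takes a plain list of file paths instead.

```python
"""Hypothetical Python remediation helper modelling the rules the article
describes (added example, not Forcepoint's shipped Move/Copy script)."""
import os
import shutil
import tempfile
import time
from pathlib import Path

def is_stale(path, days_keep_active_files, now=None):
    """DaysKeepActiveFiles rule: 0 means every triggered file qualifies;
    otherwise the file must not have been modified within that many days."""
    if days_keep_active_files <= 0:
        return True
    now = time.time() if now is None else now
    age_days = (now - os.path.getmtime(path)) / 86400
    return age_days >= days_keep_active_files

def quarantine_writable(dest):
    """Probe that the running account can create a file in the quarantine
    folder (the folder-permission check) before any file is touched."""
    dest = Path(dest)
    if not dest.is_dir():
        return False
    probe = dest / f".probe_{os.getpid()}"
    try:
        probe.touch()
        probe.unlink()
        return True
    except OSError:
        return False

def remediate(files, dest, days_keep_active_files, move=False, now=None):
    """Copy (or move) qualifying files into dest and return those acted on.
    A non-writable destination raises instead of silently skipping files,
    so a permission problem surfaces as an explicit error."""
    if not quarantine_writable(dest):
        raise PermissionError(f"quarantine folder not writable: {dest}")
    action = shutil.move if move else shutil.copy2
    acted = [f for f in files if is_stale(f, days_keep_active_files, now)]
    for f in acted:
        action(f, dest)
    return acted

def demo():
    """Constructed sample: one file untouched for 20 days, one for 1 day,
    with DaysKeepActiveFiles=10, so only the 20-day-old file is copied."""
    src, dest, now = tempfile.mkdtemp(), tempfile.mkdtemp(), time.time()
    for name, age_days in (("old.txt", 20), ("new.txt", 1)):
        p = os.path.join(src, name)
        Path(p).write_text("sample")
        os.utime(p, (now - age_days * 86400,) * 2)
    files = sorted(os.path.join(src, n) for n in os.listdir(src))
    copied = remediate(files, dest, 10, now=now)
    return [os.path.basename(p) for p in copied], sorted(os.listdir(dest))
```

Calling demo() builds the two constructed sample files in temporary folders and returns (['old.txt'], ['old.txt']); pointing remediate() at a folder the account cannot write raises PermissionError before anything is copied.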

Confirm UAC Settings

For Remediation Scripts to run in the background without user input, User Account Control (UAC) on Windows machines must be lowered or disabled, or the Local System account should be used to run the script. However, even if UAC is set to disabled through the Control Panel, it may still be active in some form through a registry setting. This is most noticeable when permission prompts are still received when attempting to move files around the environment.

Execute the following command in a Command Prompt to determine the current setting:
REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v EnableLUA

A value of 0x1 means that it is enabled. If it is enabled, domain admins may not inherit the proper rights.
In order to update the value, change the following key in the registry:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\system

Value = EnableLUA (REG_DWORD)

Set this value to 0 to disable it.

Keywords: DLP Data Security Manager; Remediation Script; Endpoint Remediation; Discovery Issue; DLP Policy Issue; Quarantine Files; Move Copy Files; Python Script; Remediation Script Not Running
