Troubleshooting Forcepoint Data Remediation Scripts
- Article Number: 000018725
- Products: Forcepoint DLP, Forcepoint One Endpoint
- Version: 8.7, 8.6, 8.5, 20, 19, 18
- Last Published Date: July 14, 2020
My Forcepoint Network or Endpoint Discovery incidents do not appear to be triggering their configured Remediation Scripts properly. What could be the cause of this?
Remediation Scripts are called by Forcepoint DLP components to perform custom operations when incidents are triggered. They run asynchronously in a separate process: when an incident is generated, the script is invoked once and handed a reference to the incident XML. The current design supports Python executable scripts and batch files only; PowerShell scripts are not supported.
Incident Management Script
Executing Python scripts directly is supported for Policy and Endpoint Remediation only.
Confirm Remediation Configuration
Confirm in the Action Plan for the rule(s) that the Remediation Script is selected, and that the incident's History tab shows the script being executed.
Note: Within the default Move/Copy Remediation Scripts, DaysKeepActiveFiles is the minimum number of days a file must have gone untouched before the script copies or moves it to the quarantine location. For example, with a value of 10, a file is copied/moved only if it has not been touched/modified within the last 10 days. With a value of 0, the script is applied to every triggered file.
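As an added illustration (this is not Forcepoint's shipped Move/Copy script, whose internals the article does not show), the following Python code applies the DaysKeepActiveFiles rule described above to a list of file paths and moves the qualifying files into a quarantine folder. It assumes the caller has already pulled the file paths out of the incident XML; the function names, the use of the file's modification time as the "last touched" measure, and the constructed sample files are assumptions made for the example.

```python
"""Added example: DaysKeepActiveFiles semantics applied to a file list.

Not Forcepoint's own Move/Copy remediation script. Assumptions:
  - the incident XML has already been parsed into a list of file paths
  - "touched/modified" is measured by the file's mtime (the real script
    may use a different timestamp)
"""
import os
import shutil
import tempfile
import time
from pathlib import Path

SECONDS_PER_DAY = 86400


def is_stale(path, days_keep_active, now=None):
    """True if the file qualifies under the DaysKeepActiveFiles rule.

    0 (or less) means every triggered file qualifies. Otherwise the file
    qualifies only if its mtime is at least days_keep_active days old.
    """
    if days_keep_active <= 0:
        return True
    now = time.time() if now is None else now
    age_seconds = now - os.path.getmtime(path)
    return age_seconds >= days_keep_active * SECONDS_PER_DAY


def select_files(paths, days_keep_active, now=None):
    """Return the subset of paths that qualify. Files that no longer exist
    are skipped, since a user may delete a file between the discovery scan
    and the script run."""
    return [p for p in paths
            if os.path.isfile(p) and is_stale(p, days_keep_active, now)]


def quarantine(paths, days_keep_active, quarantine_dir, copy=False, now=None):
    """Move (or copy) qualifying files into quarantine_dir.

    Returns a list of (source, destination) pairs. Destination names are
    made unique so two files with the same name from different folders do
    not overwrite each other in the quarantine location.
    """
    qdir = Path(quarantine_dir)
    qdir.mkdir(parents=True, exist_ok=True)
    done = []
    for src in select_files(paths, days_keep_active, now):
        name = Path(src)
        dst = qdir / name.name
        n = 1
        while dst.exists():
            dst = qdir / f"{name.stem}({n}){name.suffix}"
            n += 1
        if copy:
            shutil.copy2(src, dst)   # copy2 preserves the original mtime
        else:
            shutil.move(src, str(dst))
        done.append((src, str(dst)))
    return done


def demo(days_keep_active):
    """Constructed demo: three sample files whose mtimes are aged with
    os.utime, then quarantined with the given DaysKeepActiveFiles value.
    Returns the sorted names of the files that were moved."""
    root = Path(tempfile.mkdtemp())
    now = time.time()
    files = []
    for name, age_days in (("stale.docx", 30), ("aging.xlsx", 12), ("fresh.txt", 1)):
        p = root / name
        p.write_text("sample content")
        old = now - age_days * SECONDS_PER_DAY
        os.utime(p, (old, old))
        files.append(str(p))
    moved = quarantine(files, days_keep_active, root / "quarantine", now=now)
    # A move must leave no copy behind at the source location.
    assert not any(os.path.exists(src) for src, _ in moved)
    return sorted(Path(src).name for src, _ in moved)


if __name__ == "__main__":
    print(demo(10))  # only files untouched for 10+ days
    print(demo(0))   # every triggered file
```

With DaysKeepActiveFiles set to 10 only the 30-day and 12-day-old files are moved; with 0 all three are, which matches the note above. If a script like this appears to do nothing, check the value against the real modification dates of the discovered files before looking at permissions.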
Confirm Script Execution Permissions
Confirm that the configured account has proper computer access permissions on the intended machines.
Note that for Endpoint remediation, leaving the account credential fields blank makes the endpoint run the Remediation Script as the Local System account. Local System reaches network resources as the computer account, so a quarantine location on a remote share must grant that computer account access.
Confirm Folder Permissions
Confirm that the account used to run the remediation script has read/write access to the destination folder location (if relevant) and that this permission extends to all sub-directories.
For testing purposes only, consider sharing the folder with Everyone (Read/Write) temporarily to rule out a permissions problem; restore the intended permissions once the test is complete.
If an administrative share (c$\FolderName, etc.) is used in the script, consider sharing the folder normally and referencing it by its UNC path instead, since administrative shares require administrative rights on the target machine.
Confirm UAC Settings
For the Remediation Scripts to run in the background without user input, User Account Control (UAC) on the Windows machines must be lowered or disabled, or the Local System account should be used to run the script (the preferable option, since it does not weaken UAC for every other process on the machine). However, even when UAC is set to its lowest level through the Control Panel, it may still be active through the underlying registry setting. This is most noticeable when permission prompts are still received while moving files around in the environment.
Registry value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, DWORD EnableLUA
A value of 0x1 means UAC is enabled. While it is enabled, administrative accounts (including Domain Admins) run with a filtered token and may not inherit the rights the script needs.
Set this value to 0 to disable it; the change takes effect after the machine is restarted.
Keywords: DLP Data Security Manager; Remediation Script; Endpoint Remediation; Discovery Issue; DLP Policy Issue; Quarantine Files; Move Copy Files; Python Script; Remediation Script Not Running