Remediation script limitations
- Remediation scripts are run after a response has been returned to the agent (Content Gateway, endpoint agent, protector, and so on). This means that remediation scripts cannot be used to alter data in motion.
- Remediation scripts do not have access to forensic information (the data that caused the incident).
- When there are several action plans configured for the same incident (in other words, when the incident matches multiple rules), all of the configured scripts are run in random order.
- On endpoint machines, scripts are run as the local system account. If impersonation is used, the endpoint installation folder is blocked for writing by anti-tampering protections.
- Remediation scripts cannot access the desktop. This means that:
  - The script cannot be used to display messages to the user or open desktop applications.
  - If scripting languages or executables generate popup windows (wscript echo, for example) the popups will be hidden and the script will hang.
- There is no built-in mechanism to stop scripts that are in a hung state.
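
Because nothing stops a hung script and popups are never visible, a script can enforce its own deadline and log to a file instead of the desktop. The following is an added example, not code from the product or its documentation; `run_step`, `LOG_PATH` and the sample step are hypothetical names, and the log location is an assumption.

```python
import os
import subprocess
import sys
import tempfile
import time

# Assumption: a writable location outside the endpoint installation folder,
# which anti-tampering protections may block for writing.
LOG_PATH = os.path.join(tempfile.gettempdir(), "remediation_example.log")


def log(message, path=LOG_PATH):
    """Append a timestamped line to a file; the desktop is not available."""
    with open(path, "a", encoding="utf-8") as fh:
        fh.write(f"{time.strftime('%Y-%m-%dT%H:%M:%S')} {message}\n")


def run_step(cmd, timeout_s=30, path=LOG_PATH):
    """Run one remediation step with a hard deadline and no interaction.

    stdin is closed so a tool that prompts fails instead of waiting, and
    subprocess.run() kills the child itself when the timeout expires.
    Returns "ok", "failed" or "timeout".
    """
    try:
        proc = subprocess.run(
            cmd,
            stdin=subprocess.DEVNULL,
            capture_output=True,
            text=True,
            timeout=timeout_s,
        )
    except subprocess.TimeoutExpired:
        log(f"TIMEOUT after {timeout_s}s: {cmd!r}", path)
        return "timeout"
    except OSError as exc:
        log(f"ERROR could not start {cmd!r}: {exc}", path)
        return "failed"
    status = "ok" if proc.returncode == 0 else "failed"
    log(f"{status.upper()} rc={proc.returncode}: {cmd!r} "
        f"output={proc.stdout.strip()!r}", path)
    return status


if __name__ == "__main__":
    # Constructed sample step; replace with the real remediation command.
    step = [sys.executable, "-c", "print('remediation step done')"]
    sys.exit(0 if run_step(step, timeout_s=10) == "ok" else 1)
```

Each step should also be safe to run alongside other action plans' scripts, since their order is not guaranteed.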