STEP 1: Configure CopyFiles and MoveFiles

Steps

  1. Navigate to the RunCommands subdirectory of the Forcepoint DLP installation directory and open the CopyFiles.py script in a text editor (like Notepad).
  2. Use the Location field to define the destination of the copied files. This location may be either a network share (UNC path) accessible to all servers and/or endpoints running discovery, or a local path on the server and/or endpoints running discovery. For example:
    • Location = r'\\InfosecServer1\Quarantine'
    • Location = r'c:\secure\quarantine'

    Using a network location is usually recommended but might not be possible if you are performing endpoint discovery on endpoints that are not always connected to the corporate network. When performing endpoint discovery and choosing a local quarantine, be sure to exclude that folder from all the discovery tasks to avoid triggering incidents on the quarantine.

    Note that the remediation script never deletes anything from the quarantine location, so routine cleanup of that location (for example, removing archived files older than your retention period) is up to you.

  3. Save and close the CopyFiles script.
  4. In the same directory, open the MoveFiles.py script in a text editor.
  5. Use the Location field to define the destination of the moved files. Refer to step 2 for requirements in this field.
    • The DaysKeepActiveFiles parameter defines the number of days to keep files.
    • QuarantineMsg is a stubbed file created by the MoveFiles script.
  6. Save and close the MoveFiles script.
  7. In the Data Security module of the Forcepoint Security Manager, go to the Main > Policy Management > Resources > Remediation Scripts page.
  8. Select New > Endpoint Script or Policy Script.
  9. Enter a name and description for one of the discovery scripts.
  10. Browse to the appropriate script: CopyFiles.py or MoveFiles.py.

    It is not necessary to complete the fields on the Linux tab of the Add Policy Remediation Script window.

  11. Enter a user name and password for an administrator that has all of the following:
    1. Read permissions to the archive folder
    2. Access to all directories in the network
    3. Read/write privileges to all files scanned in the discovery

    CopyFiles needs read permissions to all scanned files, and read/write permission to the archive (quarantine) folder. MoveFiles also needs write permissions to all scanned files.

  12. Click OK.