Forcepoint FSM Endpoint Remediation Script

The hybrid batch/PowerShell script has been deprecated; its functionality is now provided by RRemediate.exe.

This approach allows for:

  • Immutability: Executables are less prone to tampering compared to scripts.

  • Compliance: Many organizations restrict PowerShell usage due to security concerns.

  • Simplicity: Executables eliminate the complexity of hybrid batch/PowerShell scripts.

  • Robustness: Improved error handling and path processing make RRemediate.exe more reliable for diverse file systems and network paths.

To learn more please visit:

Overview

This document explains the Forcepoint DLP remediation script (remediation.bat) that applies classification tags to files identified in DLP incidents. The script is designed to be used as an Endpoint Remediation script with Forcepoint FSM (Forcepoint Security Manager).

You need GVClient updated to at least version 4.7 to use this functionality.

Versions prior to 4.7 will not run under the SYSTEM context, which is the context FSM uses when it runs remediation scripts.

Script Architecture

Hybrid Batch/PowerShell Design

The script uses a hybrid approach, combining batch and PowerShell in a single file:

  1. Batch Wrapper (Outer Layer)

    • The file has a .bat extension but contains both batch and PowerShell code

    • The batch portion executes first and creates a temporary PowerShell file

    • This technique allows execution in environments with restrictive PowerShell execution policies

  2. PowerShell Core (Inner Layer)

    • The main functionality is implemented in PowerShell

    • The PowerShell code is contained within the file after the batch section

    • The batch wrapper copies the entire file content to a temporary PS1 file

How the Hybrid Approach Works

The script uses a clever technique to combine both languages:

    <# ::
    @echo off
    set /a "ps=%random%"
    copy /y "%~f0" "%~dpn0_%ps%.ps1" > NUL
    powershell -executionpolicy bypass -noprofile -file "%~dpn0_%ps%.ps1" %*
    del %~dpn0_%ps%.ps1
    exit /b %ERRORLEVEL%
    #>

This works because:

  • In batch, <# :: is treated as a label

  • The batch code copies itself to a temporary PS1 file

  • It runs PowerShell with the execution policy set to Bypass

  • The PowerShell interpreter ignores the batch portion because it sits inside a <# ... #> block comment

  • The temporary file is deleted after execution

Integration with Forcepoint FSM

Prerequisites

  • GVClient Agent must be installed on target machines, at least version 4.7

  • GVClient is properly configured and has connected to the server at least once to download its configuration

  • A Microsoft Office installation is NOT required for this script to function; only file metadata is changed

  • The script WILL ONLY RUN under the SYSTEM context. Started under any other user (for example from a terminal) it prints the following and exits:

PS C:\Remediation> .\remediation.bat
===== Forcepoint DLP Remediation Script v2.6 =====
This script is designed to run only under SYSTEM user inside Forcepoint DLP Remediation environment.
Current user: LOL\Marcel

Purpose:
This script classifies files identified in Forcepoint DLP incidents.
It applies classification tags using GVClient CLI.

Usage:
.\remediation.bat <IncidentFilePath> <ClassificationType>

Parameters:
IncidentFilePath - Path to the incident file containing file information
ClassificationType - The classification type to apply to the identified files

Example:
.\remediation.bat "C:\path\to\incident.xml" "Confidential"

Version Information:
Version: 2.6
Last Updated: 2025-03-15

Note: This script should not be run manually. It is automatically executed by Forcepoint DLP when a remediation action is triggered.
========================================

Classification Parameters

When configuring the remediation script in Forcepoint FSM, you must specify a classification parameter that will be passed to the script. The default Getvisibility classification values are:

  • "Public"

  • "General Business"

  • "Confidential"

  • "Highly-Confidential"

This parameter determines the classification tag that will be applied to files identified in DLP incidents.

Setup in Forcepoint FSM

  1. In the Forcepoint Security Manager, navigate to Policy Management > Resources > Remediation Scripts

  2. Select New > Endpoint Script

  3. Enter a name and description for the script

  4. Upload the remediation.bat file

  5. In the Arguments field, enter the desired classification value (e.g., "Confidential")

  6. Add the script to an action plan under the Run endpoint remediation script option

  7. Add the action plan to a policy in the Severity & Action page

  8. Deploy your changes

(Screenshot) Example: Setting up a script to apply “General Business” classification

Execution Flow

When a DLP incident is triggered:

  1. Forcepoint DLP creates an XML file containing incident details

  2. The remediation script is executed with the incident file path as the first parameter and the classification as the second

  3. The script extracts file paths from the incident XML

  4. It uses GVClient CLI to apply classification tags to the identified files

  5. Results are logged for auditing purposes

Script Functionality

The script performs the following key functions:

  1. Validation

    • Verifies it is running as the SYSTEM user (required for Forcepoint DLP remediation)

    • Validates required parameters (incident file path and classification type)

  2. Incident Processing

    • Parses the incident XML file to extract file paths

    • Normalizes file paths to ensure proper format

    • Verifies file existence before attempting classification

  3. Classification

    • Uses GVClient CLI to apply classification tags to identified files

    • Logs all actions and results for auditing

  4. Logging

    • Creates detailed logs in a public location

    • Records execution context, parameters, and results

    • Provides troubleshooting information
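The validate / parse / classify / log sequence listed above, as one PowerShell function. This is an added example, not the page's remediation.bat or any Getvisibility code; the incident XML layout (Incident/Files/File with a Path attribute) and the CLI install folder pattern are assumptions, while the CLI arguments (-f <file> -o -m -t <classification>) and the log line format follow the sample log on this page.

```powershell
# Added example, not the remediation.bat this page documents.
# Assumptions (not stated on the page): incident XML shaped as
# <Incident><Files><File Path="..."/></Files></Incident>, and the CLI under
# %ProgramFiles(x86)%\gvclient\app-<version>\GVClient.CLI.Windows.exe.
function Invoke-Remediation {
    param(
        [Parameter(Mandatory)][string]$IncidentFilePath,
        [Parameter(Mandatory)][string]$ClassificationType
    )
    # 4. Logging: %PUBLIC%\Logs\<incident_filename>.log, same line format as the sample log.
    $logDir = Join-Path $env:PUBLIC 'Logs'
    New-Item -ItemType Directory -Path $logDir -Force | Out-Null
    $log = Join-Path $logDir ([IO.Path]::GetFileNameWithoutExtension($IncidentFilePath) + '.log')
    function Write-Log([string]$Message) {
        "{0} | {1}" -f (Get-Date -Format 'dd/MM/yyyy HH:mm:ss'), $Message | Add-Content -Path $log
    }

    # 1. Validation: refuse anything but the Local System account (well-known SID S-1-5-18).
    $sid = [Security.Principal.WindowsIdentity]::GetCurrent().User.Value
    if ($sid -ne 'S-1-5-18') { Write-Log "Refusing to run: current SID is $sid"; return 1 }
    if (-not (Test-Path -LiteralPath $IncidentFilePath)) { Write-Log "Incident file missing"; return 1 }

    # Locate the CLI; if several app-<version> folders exist, use the most recently written one.
    $cli = Get-ChildItem "${env:ProgramFiles(x86)}\gvclient\app-*\GVClient.CLI.Windows.exe" -ErrorAction SilentlyContinue |
           Sort-Object LastWriteTime | Select-Object -Last 1
    if (-not $cli) { Write-Log "GVClient CLI not found"; return 1 }
    Write-Log "CLI path: $($cli.FullName)"

    # 2. Incident processing: extract file paths, trim quotes/whitespace, drop empties.
    [xml]$incident = Get-Content -LiteralPath $IncidentFilePath -Raw
    $paths = @($incident.Incident.Files.File | Where-Object { $_.Path } |
               ForEach-Object { $_.Path.Trim().Trim('"') })

    $failed = 0
    foreach ($p in $paths) {
        if (-not (Test-Path -LiteralPath $p -PathType Leaf)) { Write-Log "Skipping missing file: $p"; $failed++; continue }
        # 3. Classification: same argument shape as the CLI call in the sample log.
        Write-Log "To classify: $p"
        & $cli.FullName -f $p -o -m -t $ClassificationType 2>&1 | ForEach-Object { Write-Log "$_" }
        if ($LASTEXITCODE -ne 0) { $failed++; Write-Log "CLI exited with $LASTEXITCODE for $p" }
    }
    Write-Log ("Remediation done: {0} of {1} files classified" -f ($paths.Count - $failed), $paths.Count)
    return $failed   # 0 means every listed file was classified
}
```

Invoke it as Invoke-Remediation -IncidentFilePath $args[0] -ClassificationType $args[1] from the PowerShell body of the hybrid file so the FSM arguments map onto the two parameters.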

Security Considerations

  • The script runs with SYSTEM privileges

  • It includes validation to prevent unauthorized execution

  • Logs are secured with appropriate permissions

  • Error handling prevents script failures from impacting system stability

Troubleshooting

  • Logs are stored in %PUBLIC%\Logs\[incident_filename].log

  • The script includes detailed error messages and execution context information

  • Common issues include file access permissions and GVClient CLI availability

Sample log entry

16/03/2025 00:07:48 | ==== remediation started ====
16/03/2025 00:07:48 | +-- Execution Context:
16/03/2025 00:07:48 | Current User: NT AUTHORITY\SYSTEM
16/03/2025 00:07:48 | Is SYSTEM: True
16/03/2025 00:07:48 | Process Name: powershell
16/03/2025 00:07:48 | Is Administrator: True
16/03/2025 00:07:48 | +-----------------------------------------------------
16/03/2025 00:07:48 | Log file: C:\Users\Public\Logs\4657738593419495328.log
16/03/2025 00:07:48 | CLI path: C:\program files (x86)\gvclient\app-4.7.0\GVClient.CLI.Windows.exe
16/03/2025 00:07:48 | Classification: e16409a7-1700-4153-9090-3955bc2f0ae8/Classification/General Business
16/03/2025 00:07:48 | Incident file: C:\Program Files\Websense\Websense Endpoint\IncidentsInfo\4657738593419495328.xml
16/03/2025 00:07:48 | To classify: c:\dlp\to_be_discovered\002_26405.xlsx
16/03/2025 00:07:48 | ======== calling cli ========
Got startup args: -f, c:\dlp\to_be_discovered\002_26405.xlsx, -o, -m, -t, e16409a7-1700-4153-9090-3955bc2f0ae8/Classification/General Business
Initializing application...
Processing 1 files for classification.
1 files successfully classified.
16/03/2025 00:07:53 | ==== returning from cli =====
16/03/2025 00:07:53 | Remediation completed successfully
16/03/2025 00:07:53 | ====== remediation done =========

Version Information

  • Version: 2.6

  • Last Updated: 2025-03-15

Download

Classified as Getvisibility - Partner/Customer Confidential