This article describes a process you can use to Shred or Quarantine all the files in a specific folder. For example, you could designate a folder on each machine into which end users move files; when a Scheduled Task searches that folder, it finds a match for each file and automatically shreds it. Test this process before implementation to ensure that unintended folders are not being searched, which could result in shredding files that are not in scope.
- Searching for files with a modify date older than a specific date
- Automatically Shredding files that contain a match
- Automatically Quarantining files that contain a match
A search task can be configured to search only the folder path you want, using a regex that will match any file name. The default setting to search file content can be modified to search only within file names; the task can then automatically Shred the file on completion, or allow the results to be uploaded to the Console for review and scheduled remediation.
- Create a Scheduled Task Policy that has the following settings configured in it:
To only search for a specific file name you would configure the following settings:
Settings\Locations\Files\FileAnalysisType set to only search for the file names
Settings\Identities\Custom\EnableOnlyFind set to be Enabled
Settings\Locations\Files\EnableFiles set to True
Settings\Locations\Files\FileTypeSearchOption set to All file types
- The Regex should be added on the Console's Admin > Sensitive Data Types screen and then added to the Policy on the left side of the Policy screen on the Sensitive Data Types screen.
Following is a regex that will find a match for any character or digit:
To only search a specific folder path, set the Search Locations to Custom (Settings\Locations\Files\FileLocations) and add the folder as an Included folder in the Custom Folders: http://www.identityfinder.com/Help/EnterpriseConsole/index.htm#3392.htm
Ensure that you do not have any Included Custom Folders in any System Policy applied to the endpoint, as that will cause those folders to be searched as well.
Searching for files with a modify date older than a specific date
You can restrict the search to files that were created or modified before a specific date by configuring the following settings:
Use an - older than - date restriction for the file search.
To enable the use of an older than date restriction for the file search, set this value to "Enable" (1). When enabled, only files that were created or modified before the specified date restriction will be searched.
Settings\Performance\ModifiedDate\FileRestrictionOlderThanDateDay: The day of the month for the older than file restriction. Specify the day of the month (1-31) for the older than file restriction.
Settings\Performance\ModifiedDate\FileRestrictionOlderThanDateMonth: The month for the older than file restriction. Specify the month of the year (1-12) for the older than file restriction.
Settings\Performance\ModifiedDate\FileRestrictionOlderThanDateYear: The year for the older than file restriction. Specify the year for the older than file restriction.
The following screenshot shows the settings needed to be configured for a search that searches file names only for a regex that will match any character in a file name in a single folder that is specified in the Custom Folders.
Add the folder you wish to search
Automatically Shredding files that contain a match
If you wish to automatically Shred the file then you would configure the following setting as True in your Scheduled Task Policy after testing:
Create a Scheduled Task in the Scheduled Task Policy created above that searches that folder on a regular basis.
The end user can shred from within the Client, so if you run a search task as the Local Logged on User Interactive, the end user can simply select to shred the file from within the Client.
However, as mentioned above, you can select to Shred locations from the Results screen within the Client or on the Console. When testing this process, we do not recommend automatically Shredding the results until you are confident that the configuration gives you only the exact results you want.
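One way to sanity-check the scope before enabling automatic Shredding is a read-only preview of what a file-name-only search with an older-than date would match. This is an added example, not the product's own logic: the function names are hypothetical, the `\w` regex is a constructed stand-in (not the regex from this article), and it assumes included folders from all applied policies are searched together, recursively, using modification time only.

```python
import os
import re
import tempfile
from datetime import datetime
from pathlib import Path


def preview_scope(intended_folder, included_folders, name_regex, older_than):
    """List files a file-name-only search would match, without touching them.

    included_folders: every Included Custom Folder from every policy applied
    to the endpoint (assumed to be searched as a union, recursively).
    Returns (path, inside_intended_folder) tuples.
    """
    intended = Path(intended_folder).resolve()
    pattern = re.compile(name_regex)
    cutoff = older_than.timestamp()
    seen, results = set(), []
    for folder in included_folders:
        root = Path(folder).resolve()
        for path in sorted(root.rglob("*")):
            if path.is_symlink() or not path.is_file() or path in seen:
                continue
            seen.add(path)
            if not pattern.search(path.name):
                continue  # file names only, never file content
            if path.stat().st_mtime >= cutoff:
                continue  # modified on or after the older-than date
            results.append((path, intended in path.parents))
    return results


def demo():
    """Constructed sample: a drop folder plus a folder added by another policy."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp).resolve()
        old = datetime(2019, 6, 1).timestamp()
        for rel, mtime in [("drop/old.txt", old), ("drop/new.txt", None),
                           ("finance/ledger.xlsx", old)]:
            f = base / rel
            f.parent.mkdir(parents=True, exist_ok=True)
            f.write_text("sample")
            if mtime:
                os.utime(f, (mtime, mtime))
        # day/month/year mirror the three FileRestrictionOlderThanDate* settings
        hits = preview_scope(base / "drop", [base / "drop", base / "finance"],
                             r"\w", datetime(year=2020, month=1, day=1))
        return [(p.relative_to(base).as_posix(), ok) for p, ok in hits]
```

Any entry returned with `False` lies outside the intended folder and would be shredded if the same scope were used with automatic Shredding enabled.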
When editing any setting, the Explain tab has the help for the setting.
Automatically Quarantining files that contain a match
If you wish to automatically Quarantine the files in which a match is found, configure the following setting as True in your Scheduled Task Policy after testing:
The following linked article explains how to configure Quarantining:
Please test the configuration before automatically Shredding files found with matches.
Any System Policy applied to the endpoint can add search locations or identity types and cause unexpected matches to be found.
Again, this process should be configured in a Scheduled Task Policy and then the search run as a Scheduled Task from that same Policy. The following linked article explains the different types of Policies: