Remedial Actions in ER2

This section provides a quick reference of all remedial actions in Enterprise Recon.

There are two categories of remedial actions:

Category	Description
Act Directly on Selected Location	Actions that directly modify match locations to secure sensitive data. Users are required to have Remediate - Act Directly on Location resource permissions to perform these actions.
Mark Locations for Compliance Report	Remediation options that do not modify or secure the sensitive data. Users must have Remediate - Mark Location for Report resource permissions to flag these sensitive data matches as acknowledged and reviewed.

Act Directly on Selected Location

This section lists available remedial actions that act directly on match locations. Acting directly on selected locations reduces the Target's match count.

Target A has six matches: after encrypting two matches and masking three, the Target A's match count is one.

A match location is fully remediated when:

The match location is quarantined, encrypted, or secure-deleted, or
Sensitive data matches for all data types within the match location are masked.

If subsequent scans result in new matches for a file of the same name in the same location (path), this will be identified as a new match location by ER2.

The match location "File path D:\Data\My-File.txt" is fully remediated after User A masks all sensitive data type matches for the location. If a file that is restored (e.g. a backup version) to "File path D:\Data\My-File.txt" results in matches in subsequent scans, this file is treated as a new match location in ER2.

Exercise caution when performing remedial actions that act directly on a selected location. For example, masking data found in the C:\Windows\System32 folder may corrupt the Windows operating system.

Remedial Actions That Act Directly on Selected Location

Action	Description
Mask all sensitive data	Masking data is destructive. It writes over data in the original file to obscure it. This action is irreversible, and may corrupt remaining data in masked files. Masks all found sensitive data in the match location with a static mask. A portion of the matched strings are permanently written over with the character, "x" to obscure the original. For example, '1234560000001234' is replaced with '123456XXXXXX1234'. File formats that can be masked include: XPS. Microsoft Office 97-2003 (DOC, PPT, XLS). Microsoft Office 2007 and above (DOCX and XLSX). Files embedded in archives (GZIP, TAR, ZIP). Not all files can be masked by ER2; some files such as database data files and PDFs do not allow ER2 to modify their contents.
Quarantine	Moves the files to a secure location you specify and leaves a tombstone text file in its place. The secure location must be specified as an absolute path (e.g. C:\Quarantine-Folder) and will be created automatically if it does not exist. Performing a Quarantine action on "example.xlsx" moves the file to the user-specified secure location and leaves "example.xlsx.txt" in its place. By default, tombstone text files will contain the following text: `Location quarantined at user request during sensitive data remediation.` Quarantine remedial action can only be performed if all selected match locations belong to a single Target. For match locations with very small file sizes, the tombstone message may be truncated to ensure the tombstone file size does not exceed the original file size of the match location. For example, the default tombstone message may be truncated to "Location quarantined at" when Quarantine remedial action is performed on a match location that is 16 bytes in size. To change the message in the tombstone text file, see Customize Tombstone Message.
Delete permanently	Securely deletes the match location (file) and leaves a tombstone text file in its place. Performing a Delete permanently action on "example.xlsx" removes the file and leaves "example.xlsx.txt" in its place. By default, tombstone text files will contain the following text: `Location deleted at user request during sensitive data remediation.` For match locations with very small file sizes, the tombstone message may be truncated to ensure the tombstone file size does not exceed the original file size of the match location. For example, the default tombstone message may be truncated to "Location deleted at" when Delete permanently remedial action is performed on a match location that is 16 bytes in size. To change the message in the tombstone text file, see Customize Tombstone Message. Attempting to perform a Delete permanently action on files already deleted by the user (removed manually, without using the Delete permanently remedial action) will update the match status to "Deleted" but leave no tombstone behind.
Encrypt file	Secures the match location using an AES encrypted zip file. You must provide an encryption password here. Encrypted zip files that ER2 makes on your file systems are owned by root, which means that you need root credentials to open the encrypted zip file.

To remediate using remedial actions that act directly on selected location, see How to Perform Remedial Actions.

Mark Locations for Compliance Report

Flag these items as reviewed but does not modify the data. Hence, the sensitive data found in the match is still not secure.

Remedial Actions That Act Directly on Selected Location

Action	Description
Confirmed	Marks selected match location as "Confirmed". The location has been reviewed and found to contain sensitive data that must be remediated.
Remediated manually	Marks selected match location as "Remediated Manually". The location contains sensitive data which has been remediated using tools outside of ER2 and rendered harmless. Marking selected match locations as Remediated Manually deducts the marked matches from your match count. If marked matches have not been remediated when the next scan occurs, they resurface as matches.
Test Data	Marks selected match location as Test Data. The location contains data that is part of a test suite, and does not pose a security or privacy threat. To ignore such matches in future, you can add a Global Filter when you select Update configuration to classify identical matches in future searches
False match	Marks selected match location as a False Match. The location is a false positive and does not contain sensitive data. You can choose to update the configuration by selecting: Update configuration to classify identical matches in future searches to add a Global Filter to ignore such matches in the future. Update configuration to ignore match locations in future scans on this target to add a Global Filter to ignore this specific location/file when performing subsequent scans.
Remove mark	Unmarks selected location. Unmarking locations is captured in the Remediation Log.

Only remedial actions that are supported across all selected match locations can be selected from the Remediate dropdown menu in the Investigate page. See Remediation Rules for more information.

To perform remedial actions that mark locations, see How to Perform Remedial Actions.

Remediation Rules

While remediation happens at individual file level, remediation action that can be taken is dependent on both the Target platform and file type.

Platform / File Type	Masking	Delete Permanently	Quarantine	Encryption
Unix Share Network File System	✓	✓	✓	✓
FileA.ppt	✓	✓	✓	✓
FileB.pdf	-	✓	✓	✓

The table above describes the supported remediation actions that act directly on location for a Unix Share Network File System (NFS) Target and two file types (File A.ppt and FileB.pdf).

File A.ppt is found as a match during a scan of a Unix Share NFS, therefore the all remediation action that act directly on locations are possible for File A.ppt. FileB.pdf is another match location found on a Unix Share NFS, therefore it can be remediated via deletion, encryption or quarantine.

If both File A.ppt and FileB.pdf are selected for remediation, the possible remedial actions that can be taken are Delete Permanently, Quarantine or Encryption.

To perform remedial actions, see How to Perform Remedial Actions.