Due to varied circumstances, the incidents directory on a Windows Data Loss Prevention (DLP) Enforce server may become filled with queued incidents modified with the .bad extension. This extension signifies a failure of Data Loss Prevention to process the incidents (for any number of reasons). Through troubleshooting, it may become advantageous to reattempt the processing of the '.bad' incidents. To fully realize this goal, an administrator may need to change a large quantity of incidents back to '.idc'.
The attached script (resetIDC.bat) will allow for a large scale change of '.bad' extensions to '.idc'. To implement the script, follow these instructions:
The script may take some time to run. If too many incidents are added back into the environment, restarting IncidentPersister may be necessary to process batches of the reattempting incidents. If incidents are still actively being changed to '.bad', address whatever outstanding issue still exists in the environment before reattempting a bulk extension change.