
Changing all .bad incidents to .idc on a Windows operating system


Article ID: 163644


Updated On:

Products

Data Loss Prevention Enforce

Issue/Introduction

Under various circumstances, the incidents directory on a Windows Data Loss Prevention (DLP) Enforce server may fill with queued incidents that have been given the .bad extension. This extension signifies that Data Loss Prevention failed to process the incident (for any number of reasons). During troubleshooting, it may be useful to reattempt processing of the '.bad' incidents. To do so, an administrator may need to change a large number of '.bad' incidents back to '.idc'.

Resolution

The attached script (resetIDC.bat) will restore the filename back to its original '.idc' extension.

This script can be run from anywhere; it will simply prompt you for the full file path of your incident directory.

The script may take some time to run. If too many incidents are added back into the environment, restarting IncidentPersister may be necessary to process batches of the reattempted incidents. If incidents are still actively being changed to '.bad', address whatever outstanding issue still exists in the environment before reattempting a bulk extension change.

Additional Information

Updated Script:
Please note that this script has been updated and will now truncate the filenames back to their original filenames instead of simply renaming the .bad extension. This will allow you to run the script multiple times without having to worry about the filename length reaching the maximum value for the Operating System.
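The truncating rename described above can be sketched in PowerShell as follows. This is an added example, not the attached resetIDC.bat; the script name `Reset-IdcExtension.ps1`, the `-BatchSize` parameter, and the assumption that a failed incident's filename still begins with its original `<name>.idc` followed by appended suffixes ending in `.bad` are all illustrative.

```powershell
# Reset-IdcExtension.ps1 (hypothetical name): added example, not the attached resetIDC.bat.
# Assumption: a failed incident keeps its original "<name>.idc" at the start of the
# filename, followed by one or more appended suffixes ending in ".bad"
# (constructed examples: 1234.idc.bad, 1234.idc.bad.bad).
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)][string]$IncidentDir,  # full path to the incidents directory
    [int]$BatchSize = 500                         # hypothetical cap on renames per run
)

if (-not (Test-Path -LiteralPath $IncidentDir -PathType Container)) {
    throw "Incident directory not found: $IncidentDir"
}

$renamed = 0
$skipped = 0
# -Filter can also match longer extensions via 8.3 short names, so re-check the extension.
$badFiles = Get-ChildItem -LiteralPath $IncidentDir -File -Filter '*.bad' |
    Where-Object { $_.Extension -ieq '.bad' } |
    Sort-Object LastWriteTime

foreach ($file in $badFiles) {
    if ($renamed -ge $BatchSize) { break }   # release incidents back in bounded batches

    # Truncate at the first ".idc" so repeated failures collapse to the original name
    # and the filename does not keep growing across runs.
    $idx = $file.Name.IndexOf('.idc', [StringComparison]::OrdinalIgnoreCase)
    if ($idx -lt 1) {
        Write-Warning "No original .idc name found, leaving as is: $($file.Name)"
        $skipped++
        continue
    }
    $target = $file.Name.Substring(0, $idx + 4)

    # Never overwrite an incident that is already queued under the original name.
    if (Test-Path -LiteralPath (Join-Path $IncidentDir $target)) {
        Write-Warning "Target already exists, leaving as is: $($file.Name) -> $target"
        $skipped++
        continue
    }

    if ($PSCmdlet.ShouldProcess($file.FullName, "Rename to $target")) {
        Rename-Item -LiteralPath $file.FullName -NewName $target
        $renamed++
    }
}
"Found: $($badFiles.Count)  Renamed: $renamed  Skipped: $skipped"
```

Running it with `-WhatIf` first lists every planned rename without touching the directory, which makes it easy to confirm the assumed naming pattern matches the files actually present.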

Attachments

1654195349420__resetIDC.bat