search cancel

Endpoint Detection and Response Copy to File Store error CLIENT_FILE_PATH_NOT_FOUND

book

Article ID: 176012

calendar_today

Updated On:

Products

Endpoint Detection and Response

Issue/Introduction

You tried to use the Copy to File Store function with a file that was found as the result of an EOC search. The file is a not an executable file (non-PE) and was found on a computer with Folder Redirection with Offline Files configured.

For example, if the My Documents folder was redirected to \\server.domain\Users$\user1\Documents the EOC search result would be: C:\Windows\CSC\v2.0.6\namespace\server.domain\Users$\user1\Documents\document.pdf

When you look at the result of this Copy to File Store action, the status_detail shows: CLIENT_FILE_PATH_NOT_FOUND

Resolution

This is working as designed.
The get-file on non-PE files fail because the user in question does not have the permission on the offline folder.
With the default permissions when Redirection with Offline Files is configured, only the SYSTEM user has access to that particular folder. (C:\windows\csc\v2.0.6\namespaces…). EDR is not getting the non-PE file using SYSTEM account as the feature strictly impersonates the user account supplied.

For executable files (PE files) on the other hand, the Copy to File Store function will be successful. PE files are less sensitive by nature, and the feature allows for more flexibility.