Viewing a device's at-risk file content

NOTE  Depending on the permissions associated with your user role, and the Absolute product licenses associated with your account, the Endpoint Data Discovery page may not be available.

You can view information about the at-risk files detected on a device during an Endpoint Data Discovery (EDD) scan The Absolute agent process that opens and analyzes files on a device's hard drive to identify at-risk content, as defined in an Endpoint Data Discovery policy. See also DAR component. on the following tabs in Device Details:

  • EDD Summary: shows the at-risk files that contain matches detected during the most recent scan of the device's hard drive. The information is organized into sections by policy rule.

  • EDD History: shows the at-risk files that contain matches detected during the last two full scans and all subsequent delta scans. The information is organized into columns that you can filter and sort.

The Endpoint Data Discovery page applies only to Windows and Mac devices with an active Endpoint Data Discovery policy.

To view at-risk file content:

  1. On any page that shows linked device identifiers in the first column of the results grid, such as the Assets > Devices page, click the link for the device that you want to view. Overview information about the device shows in the page header.
  2. Click EDD Summary under the Summary area. The page opens to show two subtabs: EDD Summary and EDD History.

On the EDD Summary page, you can view a summary of the matches detected on a device during the last EDD scan The Absolute agent process that opens and analyzes files on a device's hard drive to identify at-risk content, as defined in an Endpoint Data Discovery policy. See also DAR component..

The information on the EDD Summary page is organized into sections by policy rule, accompanied by a match score A computed value indicating the number of content matches detected on a device during an Endpoint Data Discovery (EDD) scan. Depending on the context, the value shown for Match Score may apply to a file, a policy rule, or a device.. Expand each section to view information about the files where confidential or at-risk data was detected. For those files that require further investigation, you can view more detailed EDD information, which allows you to evaluate each match individually to identify false positive A result on an EDD-related report or page in which a match is detected in a file, but upon further investigation, you do not consider the matched content to be at-risk data.s and determine a device's level of risk

After you activate an EDD policy on a device, it may take several days before data is available on the EDD Summary page. The data includes information collected during the last full EDD scan of the device and all subsequent delta scans. EDD scans can take between a few hours and a few days to complete. If a scan is in progress when you view this page, data from that scan is not included.

To see the results of the last EDD scan:

  1. Open the EDD Summary tab.

    The following information shows near the top of the page:

    • Last scan date: the date when the most recent EDD scan was completed on the device
    • Total match score: the total matches detected on the device for all applicable policy rules. A higher value may indicate that an unacceptable amount of confidential or at-risk data is stored on the device.

    2. IMPORTANT  If a warning banner shows near the top of the page, the most recent EDD scan on the device was stopped due to an excessive number of detected matches. Excessive matches may occur if the EDD policy assigned to the device includes one or more customized EDD rules and the rules' expressions are detecting more content than expected. Alternatively, a large number of at-risk files may reside on the device. To find the root cause, we recommend that you review the EDD policy configuration and investigate the matches detected on the device.

    The information on this page is organized into sections. Some sections may not contain any results, depending on the policy rules set in the Endpoint Data Discovery policy:

    NOTE  Information is collected according to the EDD policy associated with the device on the last scan date. If the device is subsequently moved to another policy group, and different EDD policy rules now apply, those rules are not reflected in the information on the EDD Summary page until after the next scan.

    The Match Score for each policy rule shows in the applicable section header.

  2. To expand a section, click its title. To collapse the section, click the title again. The information in each section is organized in the following columns and is sorted in descending order by Match Score:

    Column

    Description

    Match Score

    Computed value indicating the number of matches detected in the file for the associated policy rule

    The calculation of Match Score varies depending on rule type and content type.

    File Name

    File name of the file

    To view details about all detected matches in the file, click the linked file name.

    You can't view additional details about Unscannable files.

    Scan Date

    Date when the file was scanned on the device

    File Name Full Path

    The full file path of the file on the device

    File Owner

    Name of the user who controls permissions on the file

    By default, the file owner is the user who created the file.

  3. The results are sorted by Match Score, in descending order. To sort the results by another column, click the applicable column header. To reverse the sort order, click the column header again. An icon indicates whether the list is sorted in ascending or descending order.

  4. To delete one or more at-risk files from the device, select the check box next to each file you want to delete and submit a File Delete request.
  5. After reviewing a file's matched content, you may find that you want to exclude the file from the device's EDD scan results. For example, you may find that all of the matches in a file are false positives A result on an EDD-related report or page in which a match is detected in a file, but upon further investigation, you do not consider the matched content to be at-risk data., or the file content is permitted to reside on a particular device. To exclude one or more files from the scan results, change the Reporting Status of each file.

On the EDD History page, you can view a history of the files for which matches were detected during an EDD scan The Absolute agent process that opens and analyzes files on a device's hard drive to identify at-risk content, as defined in an Endpoint Data Discovery policy. See also DAR component..

A device's EDD history is limited to the last two full EDD scans of the device's hard drive and all subsequent delta scans. If a scan is in progress on the device when you run the report, any data collected up to that point is available.

NOTE   After an EDD policy is activated on a device, it may take up to two days before data is available on the EDD History page.

To view the results of the last two full EDD scans:

  1. Open the EDD Summary tab and click EDD History.

    2. The page provides information, in grid format, about each file on the device for which one or more content matches are detected. The information is aggregated by Scan Date The date (local device time) when a device was scanned according to an Endpoint Data Discovery policy.. Use the scroll bar to view all columns.

    IMPORTANT  If a warning banner shows near the top of the page, the most recent EDD scan on the device was stopped due to an excessive number of detected matches. Excessive matches may occur if the EDD policy assigned to the device includes one or more customized EDD rules, and the rules' expressions are detecting more content than expected. Alternatively, a large number of at-risk files may reside on the device. To find the root cause, we recommend that you review the EDD policy configuration and investigate the matches detected on the device.

    Information on the Endpoint Data Discovery History page

    Column

    Description

    Match Score

    Computed value indicating the number of matches detected in the file for the associated policy rule

    The calculation of Match Score varies depending on rule type and content type.

    File Name

    File name of the file

    To view details about all detected matches in the file, and the file path on the device, click the file name.

    Rule

    Name of the predefined or customized EDD rule for which a match was detected

    If unscannable shows, the file was not scanned because it was in use at the time of the scan, or it resides in an encrypted file directory.

    File Type

    Internet Media Type Similar to a MIME type, an Internet Media Type is a standard identifier to indicate the type of content contained in a file on the Internet. The format of the identifier is type name/subtype name (for example, application/zip or text/plain). of the file

    File Path

    The full file path of the file on the device

    File Owner

    Name of the user who controls permissions on the file. By default, the file owner is the user who created the file

    File Created

    Local date and time when the file was created

    File Modified

    Local date and time when the file was last edited

    NOTE  Information is collected according to the EDD policy associated with the device on the Scan Date. If the device is subsequently moved to another policy group, and different EDD policy rules now apply, those rules are not reflected in the information on the EDD History page until after the next scan.

  1. The results are sorted by Match Score, in descending order. To sort the results by another column, click the applicable column header. To reverse the sort order, click the column header again. An icon indicates whether the list is sorted in ascending or descending order.