
Spirion (Identity Finder) - Administrator FAQ





How do I go about getting set up with Identity Finder?

Please reach out to us at if you’d like to get set up on the Identity Finder Console and obtain Identity Finder installers for your IT group.

What are my options if I find what appears to be Sensitive Data in a search?

Your first step should be to verify whether the match is genuine sensitive data. Examine the filepath for the match. If the file with the match is in the System or Appdata folder, it is likely a false positive. However, if the filepath seems to lead to a legitimate file containing Sensitive Data, it is best to coordinate with the end user to determine whether the file is real and to decide on next steps. Some of these steps might include deleting the data or moving it to a secure encrypted drive.

Can I schedule recurring scans? Can I set scans to search for different data types depending on the endpoints being scanned?

You can schedule scans to run on a one-time, daily, weekly, or monthly basis. Results from these scans will come in to the Console as they complete. You can create policies that apply to specific endpoints or endpoint tags, which lets you change the types of data that scans on those machines search for. This can be useful if you have a subset of machines in your environment that are more likely to handle restricted data: you can set the scans to search for additional data types that you wouldn’t necessarily want to search for across your entire environment.

This match is a false positive, what can I do?

If you believe a match to be a false positive, you can choose to ignore it (either within the Endpoint Application or from within the Console). If you wish to prevent this match from occurring on other machines, you can add the filepath to the list of excluded search locations in your search policy as defined in the Console.

Why is the Console not updating the "Action" taken on a result?

There are a number of different scenarios that can cause the "Action" field of a result to not be updated correctly by the Console. Common causes are listed below:

  • A Console initiated scan ran and uploaded results to the Console. The files containing matches were deleted from within the operating system (for example, by sending them to the Trash/Recycle Bin and then emptying the Trash/Recycle Bin). A subsequent scan was launched interactively through the client to verify that the files were completely removed.
    • This happens because of the way Identity Finder handles saving search results. Search results only persist through the context in which the search was initiated. These contexts are:
      • System account
      • Local Logged on User account
      If you would like to use the workflow described above, your Console initiated searches must be run as either "Locally Logged on User (Interactive)" or "Locally Logged on User (Background)" because client initiated scans are run as the local logged on user. NOTE: When using the aforementioned workflow, past search results will not be displayed in the client. Your results from the client initiated search will be compared against the previous results but this will only be visible from the Console.
  • A scan was run and results were uploaded to the Console. The files containing matches were handled and a subsequent scan was run as the same context (System account or Local Logged on User account) as the first scan. The "Action" for these files was not updated from the first scan.
    • When two searches are run under the same context, actions should be updated automatically by Identity Finder. This update happens immediately after the user opens the Identity Finder client or the next time a Console initiated scan is run. Because network communication is sometimes unreliable, if the Console is unreachable by the client when attempting this update, the update will fail and new results will be uploaded to the Console. There is unfortunately no simple solution to this problem but you can verify this happened by performing a "Gather Data" of the offending endpoint and viewing the client logs. This process is outlined below:
      1. Locate the endpoint in the Endpoint List of the Console, right-click its name and choose "Diagnostics > Gather Data".
      2. Choose the appropriate user context from the "Gather Data" window. NOTE: This context must match the context used to run the searches.
      3. The "Gather Data" will be performed, but this action is not immediate. You can view the status of the "Gather Data" by selecting the endpoint from the Endpoint List, navigating to the "Status" tab, selecting the endpoint from the main view of the Status tab and selecting the "Tasks" tab of the status details view. If you do not see a "Gather Data" task listed here you may need to request another "Gather Data".
      4. When the "Gather Data" task has completed, the data gathered will be listed in the "Uploads" tab of the status detail view. NOTE: You may need to refresh the "Status" tab for this to be visible, and this can be done by clicking the "Refresh" button in the Ribbon.
      5. Right-click on the data entry in the "Uploads" tab and choose to either "Save" or "Save and Delete" the file.
      6. Extract the saved file and navigate to the "LogFiles" directory of the resulting folder.
      7. Your endpoint's log files will be named in the form "IDF_YYYY-MM-DD_HH-MM-SS". Find and open the log file that most closely matches the time of your second scan.
      8. If Console communication did fail, you should see lines similar to these:
        [2014-09-16 12:38:56] INFO Identity Finder Started (Interactive)
        [2014-09-16 12:38:56] ERROR Communication with the console is enabled,
        but the server specified in the serverUrl setting cannot be contacted
        (The server name could not be resolved):
        All communication with the console will fail. Please check related Knowledge Base (KB)
        articles at for further information.
    • There is a known bug that causes Microsoft Access databases and some compressed file types to not update actions properly. If you believe you are experiencing this problem, you can disable searching for compressed files and Microsoft Access databases. If you would still like to search for those file types, you can add the results to a Global Ignore List and remove the results from the Results tab of the Console. 
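
The log check in steps 6 to 8 above can be scripted once the "Gather Data" archive is extracted. The Python below is an added example, not part of the original FAQ or of Spirion's tooling: the function names are hypothetical, the match phrase is taken from the sample ERROR entry above, and the file names and the final INFO line are constructed.

```python
import re
from datetime import datetime

# Step 7: log files are named "IDF_YYYY-MM-DD_HH-MM-SS" (any extension is ignored).
LOG_NAME = re.compile(r"^IDF_(\d{4}-\d{2}-\d{2}_\d{2}-\d{2}-\d{2})")
# Entry header as in the sample lines: "[2014-09-16 12:38:56] ERROR text"
ENTRY = re.compile(r"^\s*\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\]\s+(\w+)\s+(.*)$")
# Phrase from the sample ERROR entry on this page.
CONSOLE_FAILURE = "cannot be contacted"

def closest_log(names, scan_time):
    """Return the log name whose timestamp is nearest scan_time, or None."""
    dated = []
    for name in names:
        m = LOG_NAME.match(name)
        if m:
            stamp = datetime.strptime(m.group(1), "%Y-%m-%d_%H-%M-%S")
            dated.append((abs(stamp - scan_time), name))
    return min(dated)[1] if dated else None

def console_failures(text):
    """Return (timestamp, message) for ERROR entries reporting an unreachable console."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            entries.append([m.group(1), m.group(2), m.group(3).strip()])
        elif entries and line.strip():
            # Wrapped entry: the failure text spans several lines, so join them.
            entries[-1][2] += " " + line.strip()
    return [(ts, msg) for ts, level, msg in entries
            if level == "ERROR" and CONSOLE_FAILURE in msg]

# Constructed inputs: invented file names; log text follows the sample above plus one INFO line.
SAMPLE_NAMES = ["IDF_2014-09-15_09-00-01", "IDF_2014-09-16_12-38-55",
                "IDF_2014-09-17_08-15-30", "notes.txt"]
SAMPLE_SCAN_TIME = datetime(2014, 9, 16, 12, 40, 0)
SAMPLE_LOG = """\
[2014-09-16 12:38:56] INFO Identity Finder Started (Interactive)
[2014-09-16 12:38:56] ERROR Communication with the console is enabled,
but the server specified in the serverUrl setting cannot be contacted
(The server name could not be resolved):
All communication with the console will fail.
[2014-09-16 12:39:10] INFO Search started
"""
if __name__ == "__main__":
    print("Log to open:", closest_log(SAMPLE_NAMES, SAMPLE_SCAN_TIME))
    for ts, msg in console_failures(SAMPLE_LOG):
        print(ts, msg)
```

Pass the file names from the extracted "LogFiles" directory and the time of the second scan to `closest_log`, then give that file's text to `console_failures`; an empty result means the log holds no console-unreachable error.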

Why is my endpoint's "Policies State" not changing?

When viewing the status of an endpoint, you will see one or more of the following listed under "Policies State":

  • Processing - The Console is processing your policies to determine what policies should be applied to the endpoint.
  • Pending Confirmation - The endpoint has confirmed the policies but the Console's "Update Policy States" service job has not run yet. The "Update Policy States" service job completes the confirmation process.
  • Pending Update - The policies have been made available to the endpoint but they have not yet been applied.
  • Up to Date - The policies for the endpoint are up to date.

Your endpoints may appear to be stuck in the "Pending Confirmation" state, but this behavior is expected, to an extent. The Console is set up for delayed policy confirmation to help reduce server load, given the large number of endpoints on campus. The Console will run an "Update Policy States" job every hour, after which your endpoints should confirm their policies. If an endpoint has been "Pending Confirmation" for more than an hour, please contact the Help Desk for assistance.

Why do I have multiple endpoints with the same name with long strings of characters appended?

By default, Identity Finder will use your endpoint's host name as the display name in the Console. If two endpoints in the same tag have the same host name, Identity Finder will append an "_" (underscore) character and GUID (globally unique identifier) to the endpoint that reported to the Console second. This can also happen if a machine has been re-imaged and is given the same host name as the previous installation, or if you connect to the network via a different interface (for example, over a wired vs. wireless connection). To merge two or more endpoints back into a single endpoint:

  1. Select all endpoints to merge by clicking each endpoint name while holding the Ctrl (control) key
  2. Right click on a selected endpoint name and choose "Endpoint > Merge"
  3. Select the desired endpoint to merge to from the drop-down menu in the resultant window

How do I exclude X from my searches?

How you exclude something from a search depends on what it is you're trying to exclude.

  • Exclude a directory
    • Click on your policy from the Policy List. After your policy expands in the Policy List, expand "Search Locations" and click on "Custom Folders". Once the "Custom Folders" view has opened, you can click on "Add" in the Ribbon to add a new folder to the list. After adding your folder location, two options will be available in the "Scope" drop down: "Exclude from Search" (the default) and "Include from Search". NOTE: Regular expressions are not allowed in "Custom Folders". Operating system environment variables (e.g., %USERPROFILE% on Windows or $HOME on OS X) are allowed and an "*" (asterisk) may be used as a wildcard. Wildcards cannot start or end an entry. For example, one could exclude Time Machine backups by using:
      This example, which attempts to exclude the contents of a log_files directory on all Windows drive letters, is invalid and will not work:
  • Exclude a file
    • Files are excluded by adding them to a Locations or File Hashes Global Ignore List. Files added to a Locations Global Ignore List will be ignored strictly by their file name, whereas File Hashes Global Ignore Lists will only ignore locations as long as their hash matches what has been entered into the Console. Because File Hashes Global Ignore Lists require you to select the specific file to ignore on a particular machine, you are required to have physical access to the machine containing the file. It is generally easier to use Locations lists to exclude files and you can exclude files that may exist across multiple machines. For example, one could exclude an Adobe sample file, which many computers will have, by using:
      C:\Program Files (x86)\Adobe\Acrobat 10.0\Designer 9.0\EN\Samples\Forms\E-Ticket\Outputs\E-Ticket.pdf
      File Hash excludes can be useful for excluding files across multiple machines as well, but in a more limited scope (for example, a Windows system file that will have the same hash across all installations).

I have disabled unformatted SSN search in my policy. Why do I still get unformatted SSN matches?

It is possible to mostly disable searching for unformatted SSNs in your policy by setting the policy setting Settings\Identities\SSN\AnyFind\USSN\SearchOption to "Never". Despite what the name suggests, the "Never" setting will still search for unformatted SSNs, but it will only report matches when certain "reasonable" criteria are met, for example, if the string passes SSN validity checks or is near SSN keywords like "SSN: ". To disable unformatted SSNs entirely, the official recommendation is to add the following regular expression to your System policy's Global Ignore List:


This regular expression says, "match nine consecutive digits (\d{9}) but only if they start at the beginning of the full string (^) and end at the end of the full string ($)".

Why am I not seeing the most recent date and time that a match was found?

By default, the date and time that a match was first found will be displayed in the "Date/Time" column of the Results tab. Even if the same result is found in a later scan, the date and time that it was first found will be displayed in that column. This can be changed and the Console can be made to show the date and time of the last scan that found the result. To change this, navigate to the "Admin" tab of the Console, click on the "Personal Settings" menu item, and uncheck the check box that says "Display the timestamp of the first time the identity match was found".

Will DoIT Cybersecurity staff be able to see any sensitive information or restricted data found on my endpoints?

DoIT Cybersecurity can see the same items that you can see in the console. For this reason, and others, we do not recommend configuring your policies to send full matches to the console (there is an option to send partial matches and one to send no match, just the match file location).


What does the Spirion client do, exactly?

Spirion’s endpoint application scans the endpoint for potential restricted or sensitive data, collates the results, and sends the results to the console (and potentially the endpoint user) in an encrypted format. It is possible to take actions through the application such as shredding files, ignoring false positives, or quarantining files.

How long will an Identity Finder Scan take?

Scan time will change depending on the scan configuration (locations scanned, file types scanned, match types scanned for), the computer hard drive, and processing power. Scans can take from 1 minute to several hours depending on the above variables. Typically, scans take less than an hour if configured appropriately (not scanning system files and Appdata).

What Operating Systems are compatible with Spirion?

  • Windows
    • Windows Vista
    • Windows 7
    • Windows 8, 8.1
    • Windows 10
    • Windows Server 2008, 2012, 2016, 2019
  • Mac
    • OSX 10.9 - OSX 10.14

Will the endpoint agent consume a lot of resources on users' endpoints?

Generally, the endpoint client consumes minimal resources, but resource intensity can increase greatly when a scan is running. This is particularly noticeable on older, less powerful machines – on new machines there is generally little to no performance impact during scans. Regardless, there are settings you can configure within policies to limit the resource intensity of the client when running scans.

Why can end-users enable and disable Identity types when my System policy only has one/some enabled?

End-users can be prevented from modifying the Identity types searched for by a System policy in one of two ways:

  1. Specifically enabling the Identity type
  2. Specifically disabling the Identity type
Identity types that are specifically enabled or disabled will appear in the Policy Wizard with a green check mark or red "X" through the check box. In your policy's Settings, these keys will be listed in Settings\Identities and will be displayed in green text, indicating that their values have been changed from the default. If the value for an "EnableAnyFind" key is set to "Disable" and the "Status" for this key is listed as "Default", your users can enable or disable this Identity type from the client.

If I stop a scan before it finishes, will the matches it found be uploaded to the Console?

In general, yes, any matches found before the scan was stopped will be uploaded to the Console once the client is closed. However, if the client is unable to communicate with the server, results will not be sent to the Console. If you believe your results should have been uploaded but were not, you can check the status of client/server communication by following the steps listed here.

Why does my scan keep searching a location after it has found the maximum number of matches?

The setting Settings\Performance\RestrictResults\StopSearchAtMaximumMatches can be used to prevent Identity Finder from continuing to search a location after a set number of matches has been found (the default being 99). However, this setting will be ignored by Windows clients if your policy is set to use all available CPUs (or cores). The setting Settings\Performance\UseMultipleCores can be changed from the default value of "1" ("use all cores") to "0" ("use one core") to make use of the StopSearchAtMaximumResults setting. Whether you will see better performance by using fewer CPU cores and stopping the search of a location after reaching the maximum is highly dependent on the types and sizes of the files being searched, but nevertheless, the option is available to you. Mac clients will always respect the StopSearchAtMaximumMatches setting because the actual scanning is done on a single thread, unlike the Windows clients that can balance the load over multiple threads.

Keywords: "identity finder" identity finder faq console
Doc ID: 43638
Owner: Oakes D.
Group: Office of Cybersecurity
Created: 2014-09-19 11:29 CDT
Updated: 2019-05-23 11:53 CDT
Sites: DoIT Help Desk, Office of Cybersecurity