Managing Zero Prevalence Pruning
Article ID: 286485
Updated On:
Products
Carbon Black App Control (formerly Cb Protection)
Issue/Introduction
Prune files that have Zero Prevalence from the database/File Catalog. These are files that were previously seen at least once, but currently meet the following conditions:
- No copies of the file currently exist in the environment.
- There are no Approvals or Bans created for the file.
- The file is not part of any File Instance Groups or File Groups.
- The file is not part of any Snapshots.
Environment
- App Control Server: All Supported Versions
Resolution
- Decide how many days to keep a file after it no longer exists.
- Confirm there is a known-good, full backup of the App Control database.
- Login to the Console & navigate to https://YourServer/shepherd_config.php
- In the drop down, find the Property: PurgeAntibodiesPeriodDays
- Set Property Value to the amount of days determined in Step 1 (example: 90).
- The DailyPruneTask will execute at night and will prune files that meet all conditions for Zero Prevalence within the PurgeAntibodiesPeriodDays specified.
Additional Information
- Warning: Before implementing this, it's recommended to discuss with a dedicated security team and consider the loss of the file hash information and related events.
- If the DailyPruneTask is unable to complete all Zero Prevalence tasks during the allotted time (6 hours by default), it will automatically pause and resume the following night.
- The Shepherd Config Property, PurgeAntibodiesThresholdMin can be used to limit the time spent on Zero Prevalence Pruning. This may be necessary in larger environments to allow pruning tasks associated with DailyPruneTasks to execute.
- The attached AntibodyPruneScopeV2.sql can be used to determine the number of files that meet Zero Prevalence in the environment by editing line 17 accordingly: SET @maxAgeDays = 90
Attachments
Feedback
Yes
No
Powered by
