Managing Zero Prevalence Pruning

Article ID: 286485

Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

How to enable pruning of files that have zero prevalence from the database/File Catalog.
These are files that were previously seen at least once but currently meet all of the following conditions:
  • No copies of the file currently exist in the environment.
  • There are no Approvals or Bans created for the file.
  • The file is not part of any File Instance Groups or File Groups.
  • The file is not part of any Snapshots.
By default these files are not removed from the database/File Catalog and the information is retained indefinitely.

Environment

  • App Control Server: All Supported Versions

Resolution

Finding Total Files Eligible for Prevalence Pruning:

The attached script (ZeroPrevalencePruneScope.sql) can be used to determine the number of files that meet Zero Prevalence in the environment.

  1. Run SQL Server Management Studio as the Carbon Black Service Account.
  2. Paste the contents of the SQL Script into a new query.
  3. Edit line 15 of the script to set the age threshold (in days), for example:
    SET @maxAgeDays = 90;
  4. Note the result for Total Files Eligible for Pruning. This is the total number of files that meet the criteria above.
  5. If the scope script is run again on the next day (to track progress), increment @maxAgeDays accordingly, for example:
    SET @maxAgeDays = 91;
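The attached script is not reproduced on this page. The following T-SQL is an added example, not the attached ZeroPrevalencePruneScope.sql and not the App Control database schema: it builds constructed temp tables (their names and columns are assumptions) and shows how the four zero-prevalence conditions and the @maxAgeDays threshold combine into a single count, which is the shape of the "Total Files Eligible for Pruning" check described above. It can be pasted into a new SSMS query window and run against any database, since it touches only temp tables.

```sql
-- Added example: constructed sample schema, NOT the App Control schema.
-- Table and column names below are assumptions made for illustration only.
SET NOCOUNT ON;

DECLARE @maxAgeDays INT = 90;                 -- same role as line 15 of the attached script
DECLARE @asOf DATETIME2 = SYSUTCDATETIME();   -- evaluation time

-- Files the server has seen at least once; LastSeenDate is when the last copy disappeared
CREATE TABLE #FileCatalog (
    FileId       INT PRIMARY KEY,
    Sha256       CHAR(64) NOT NULL,
    LastSeenDate DATETIME2 NOT NULL
);
-- Copies currently present on endpoints (prevalence is > 0 while any row exists)
CREATE TABLE #FileInstances (InstanceId INT PRIMARY KEY, FileId INT NOT NULL, HostId INT NOT NULL);
-- Explicit Approvals or Bans created for a file
CREATE TABLE #FileRules (RuleId INT PRIMARY KEY, FileId INT NOT NULL, RuleType VARCHAR(10) NOT NULL);
-- Membership in File Groups / File Instance Groups, and in Snapshots
CREATE TABLE #FileGroupMembers (GroupId INT NOT NULL, FileId INT NOT NULL);
CREATE TABLE #SnapshotMembers (SnapshotId INT NOT NULL, FileId INT NOT NULL);

-- Constructed sample data covering each retention condition
INSERT INTO #FileCatalog VALUES
 (1, REPLICATE('a', 64), DATEADD(DAY, -200, @asOf)),  -- gone 200 days, unreferenced
 (2, REPLICATE('b', 64), DATEADD(DAY, -200, @asOf)),  -- gone, but has a Ban
 (3, REPLICATE('c', 64), DATEADD(DAY, -200, @asOf)),  -- still has a copy on host 7
 (4, REPLICATE('d', 64), DATEADD(DAY, -30,  @asOf)),  -- gone only 30 days, under @maxAgeDays
 (5, REPLICATE('e', 64), DATEADD(DAY, -200, @asOf)),  -- gone, but part of a Snapshot
 (6, REPLICATE('f', 64), DATEADD(DAY, -120, @asOf));  -- gone 120 days, unreferenced

INSERT INTO #FileInstances  VALUES (10, 3, 7);
INSERT INTO #FileRules      VALUES (20, 2, 'Ban');
INSERT INTO #SnapshotMembers VALUES (30, 5);

-- A file is eligible only when ALL conditions hold and it has been absent longer than @maxAgeDays
SELECT COUNT(*) AS [Total Files Eligible for Pruning]
FROM #FileCatalog AS f
WHERE DATEDIFF(DAY, f.LastSeenDate, @asOf) > @maxAgeDays
  AND NOT EXISTS (SELECT 1 FROM #FileInstances    AS i WHERE i.FileId = f.FileId)  -- no copies exist
  AND NOT EXISTS (SELECT 1 FROM #FileRules        AS r WHERE r.FileId = f.FileId)  -- no Approval/Ban
  AND NOT EXISTS (SELECT 1 FROM #FileGroupMembers AS g WHERE g.FileId = f.FileId)  -- not in a group
  AND NOT EXISTS (SELECT 1 FROM #SnapshotMembers  AS s WHERE s.FileId = f.FileId); -- not in a snapshot

DROP TABLE #FileCatalog, #FileInstances, #FileRules, #FileGroupMembers, #SnapshotMembers;
```

Raising @maxAgeDays by one on each following day, as step 5 describes, keeps the query pointed at the same set of files so the count shrinks as the nightly task prunes them, rather than picking up files that only crossed the threshold since the previous run.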

Configuring Zero Prevalence Pruning:

  1. Decide how many days to keep a file after it no longer exists.
  2. Confirm there is a known-good, full backup of the App Control database.
  3. Log in to the Console and navigate to https://YourServer/shepherd_config.php
  4. In the drop-down, select the property PurgeAntibodiesPeriodDays.
  5. Set the Property Value to the number of days decided in Step 1 (example: 90).
  6. The DailyPruneTask will execute at night and will prune files that meet all conditions for Zero Prevalence within the PurgeAntibodiesPeriodDays specified.

Additional Information

  • Note: Before enabling this, discuss it with the dedicated security team and consider that the pruned file hash information and related events will no longer be available.
  • If the DailyPruneTask is unable to complete all Zero Prevalence tasks during the allotted time (6 hours by default), it will automatically pause and resume the following night.
  • The Shepherd Config property PurgeAntibodiesThresholdMin can be used to limit the time spent on Zero Prevalence Pruning. This may be necessary in larger environments so that the other pruning tasks in the DailyPruneTask still have time to execute.

Attachments

ZeroPrevalencePruneScope.sql