Disable Tracking of Support Files Signed by Microsoft
book
Article ID: 286735
calendar_today
Updated On:
Products
Carbon Black App Control (formerly Cb Protection)
Issue/Introduction
Disable tracking information about files signed by either the "Microsoft Windows" or "Microsoft Corporation" publishers.
Environment
App Control Server: All Supported Versions
App Control Agent: All Supported Versions
Microsoft Windows: All Supported Versions
Resolution
Log in to the Console and navigate to Settings > System Configuration > Advanced Options > Edit.
In Full OS Inventory Tracking > choose relevant Discard option.
Click the Update button, then Yes to confirm
Additional Information
Discarding at the Server:
Information about Locally Approved instances of these files is sent to the Server and included in the File Catalog.
During the Daily Prune Task this File Information is removed accordingly.
These files will not appear in Files on Computers, and will only appear in the File Catalog if an execution or other tracked action occurs.
Events related to these new files, while potentially reduced, are still sent to the Server.
Discarding at the Agent:
Information about Locally Approved instances of these files will not be sent to the Server and is instead discarded by the Agent.
Unless these File Instances were discovered before this option was configured, or part of a tracked event, they will not appear in the File Catalog.
Events associated with these files are further suppressed and not sent to the Server.
File Instances Affected:
The Publisher must be "Microsoft Windows" or "Microsoft Corporation". This includes directly signed files, and those signed with a detatched publisher.
Files signed by other Microsoft publishers, even if legitimate, continue to be tracked.
The file must be a support file (such as a .DLL) that is usually considered interesting, and therefore tracked by the Agent.
Tracking of EXE files, or the Events related to them, is not affected by this option.
The file must be Locally Approved either directly, or due to some other Approval Method.
After Disabling Tracking:
All affected files are deleted from the file inventory on the Files on Computers page. This deletion will happen in the background, while the Server is not busy, and could take several days to complete. An Event will report how many files were deleted from the inventory.
New, approved instances of these files and changes to them will not be inventoried or tracked.
Re-enabling Tracking:
There will not be an automatic re-inventory of Microsoft-signed files by the Agent.
New instances, or activity related to relevant files, will be tracked.
To collect an inventory of all pre-existing Microsoft Support Files the Agent will need to be instructed to Resynchronize all File Information. This is done via the Assets > Computers page by using the Action menu.