CB Response: How to turn off event-collection of Non-Binary file writes

Article ID: 289119

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

How to turn off the event-collection of Non-Binary file writes.

Environment

  • CB Response Server: All Versions

Resolution

  1. Open the WebUI Console > go to the Sensor tab
  2. On the desired Sensor Group click "Edit"
  3. Go to the "Event Collection" tab
  4. Under "Event Collection" uncheck the box next to "Non-Binary File Writes"
  5. Click "Save Group"
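
The steps above clear the checkbox for one sensor group at a time in the WebUI. For a server with many groups the same change can be driven through the CB Response REST API. The script below is an added example, not Carbon Black's own code: it assumes the documented `X-Auth-Token` API key header and the `/api/group` endpoint, and it assumes the per-group boolean is named `collect_nonbinary_filewrites` (check a GET on `/api/group` against your own server before relying on that field name). The sample group JSON in `SAMPLE_GROUPS` is constructed for the example.

```python
"""Disable 'Non-Binary File Writes' collection on CB Response sensor groups
through the server REST API instead of the WebUI.

Added example, not Carbon Black's own code. ASSUMPTIONS: the sensor group
endpoint is /api/group and the per-group boolean is named
"collect_nonbinary_filewrites"; verify both against your server first.
"""
import json
import os
import ssl
import urllib.request
from typing import Dict, List, Optional

# ASSUMPTION: field name as it appears in the group JSON from /api/group.
NONBINARY_KEY = "collect_nonbinary_filewrites"

# Constructed sample of the group JSON, trimmed to the fields used here.
SAMPLE_GROUPS: List[Dict] = [
    {"id": 1, "name": "Default Group", NONBINARY_KEY: True},
    {"id": 2, "name": "Domain Controllers", NONBINARY_KEY: False},
    {"id": 3, "name": "Build Servers", NONBINARY_KEY: True},
]


def groups_with_nonbinary_collection(groups: List[Dict]) -> List[str]:
    """Names of groups whose sensors still record non-binary file writes."""
    return [g["name"] for g in groups if g.get(NONBINARY_KEY, False)]


def disable_nonbinary_filewrites(group: Dict) -> Dict:
    """Return a copy of the group object with the checkbox cleared.

    Only this one flag changes; every other group setting is sent back
    unchanged so the PUT does not silently reset anything else.
    """
    updated = dict(group)
    updated[NONBINARY_KEY] = False
    return updated


class CbResponseApi:
    """Minimal urllib client; X-Auth-Token carries the API key."""

    def __init__(self, base_url: str, token: str, verify_tls: bool = True):
        self.base_url = base_url.rstrip("/")
        self.token = token
        self.ctx = ssl.create_default_context()
        if not verify_tls:  # server uses a self-signed certificate
            self.ctx.check_hostname = False
            self.ctx.verify_mode = ssl.CERT_NONE

    def _request(self, method: str, path: str, body: Optional[Dict] = None) -> Dict:
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(
            self.base_url + path, data=data, method=method,
            headers={"X-Auth-Token": self.token,
                     "Content-Type": "application/json"},
        )
        with urllib.request.urlopen(req, context=self.ctx) as resp:
            raw = resp.read()
        return json.loads(raw) if raw else {}

    def list_groups(self) -> List[Dict]:
        return self._request("GET", "/api/group")

    def update_group(self, group: Dict) -> Dict:
        # ASSUMPTION: the group is updated by PUTting the full object back.
        return self._request("PUT", f"/api/group/{group['id']}", group)


def main() -> None:
    """CB_URL, CB_TOKEN and an optional comma-separated CB_GROUPS filter."""
    api = CbResponseApi(os.environ["CB_URL"], os.environ["CB_TOKEN"],
                        verify_tls=os.environ.get("CB_VERIFY_TLS", "1") == "1")
    targets = set(filter(None, os.environ.get("CB_GROUPS", "").split(",")))
    for group in api.list_groups():
        if targets and group["name"] not in targets:
            continue
        if group.get(NONBINARY_KEY):
            api.update_group(disable_nonbinary_filewrites(group))
            print(f"disabled non-binary file writes on {group['name']}")


if __name__ == "__main__":
    main()
```

Run `groups_with_nonbinary_collection` against the live `/api/group` output first to see which groups still have the setting on; `main()` then clears it only on those groups, leaving every other event-collection flag untouched.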

Additional Information

  • With "Non-Binary File Writes" unchecked, the sensor neither collects nor reports writes of the file types listed below.
  • For the most part, Cb Response does not record information about non-binary file types; writes of certain types are the exception. The following are the file types the Cb Response sensor records when they are written to disk:
    • PE
    • Elf
    • UniversalBin
    • EICAR
    • OfficeLegacy
    • OfficeOpenXml
    • Pdf
    • ArchivePkzip
    • ArchiveLzh
    • ArchiveLzw
    • ArchiveRar
    • ArchiveTar
    • Archive7zip
  • Some endpoints may write large volumes of one or more of the above file types and therefore flood the server's inbound queue with mostly uninteresting files. The extra noise from those sensors shortens data retention and consumes more server resources to ingest. If a high volume of non-binary file writes is traced to particular machines, apply the steps in the Resolution section above to the sensor group those machines belong to.