File Approval Events Logged Despite Full OS Inventory Tracking Set To Discard

search cancel

book

calendar_today

Carbon Black App Control (formerly Cb Protection)

Full OS Inventory Tracking setting is configured to discard information at the Server or Agent (Option 2 or 3).
Agents are still sending Local File Approval Events for newly written/discovered supporting files (e.g. DLLs).
Supporting files are properly signed by Microsoft Windows or Microsoft Corporation and fully validated.

This issue is caused by two different defects:

Previously: Publisher matching did not properly associate these files with Microsoft Corporation or Microsoft Windows (fixed in Agent 8.9.2 with EP-18819).
Currently: FileType is not correctly set on dll file (TBD, tracked under CBEP-20515/CRE-17903).

Add a temporary ABExclusion Rule to suppress all Approved files signed by Microsoft Corporation or Microsoft Windows:

Verify the Agent(s) in question are on version 8.9.2 or higher.
Log in to the Console and navigate to: https://ServerAddress/shepherd_config.php
Select the Property: ABExclusionRules
- If a Value exists, add the following to the end:
```
|;;;;;Microsoft Corporation,Microsoft Windows;;;;E0;7
```
- If a Value doesn't exist, enter the following:
```
;;;;;Microsoft Corporation,Microsoft Windows;;;;E0;7
```
Click the Change button.

This ABExclusion will honor most aspects of the Discard Tracking of Support Files at Agent:

The file must be properly signed by Microsoft Corporation or Microsoft Windows:
- This includes directly signed files, and those signed with a detached publisher.
- Files signed by other Microsoft publishers, even if legitimate, continue to be tracked.
The file must be Locally Approved either directly, or due to some other Approval Method, and not banned.
All file types (dll, sys, exe, etc) will now be suppressed.
- The normal behavior of the setting only suppresses "support files" (dll).

thumb_up Yes

thumb_down No