App Control: Why Is 'Date Created' and 'First Seen Date' Different for Same File on Same Machine?
search cancel

App Control: Why Is 'Date Created' and 'First Seen Date' Different for Same File on Same Machine?

book

Article ID: 291369

calendar_today

Updated On:

Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

Why Is 'Date Created' and 'First Seen Date' different for same file on same machine?

Environment

  • App Control Console: All Versions
  • App Control Agent: All Versions

Resolution

The 'First Seen Date' would be the time the file was first executed/analyzed, which may differ from when the file was first written to the machine, or 'Date Created' time.

Additional Information

  • When the 'Date Created' and 'First Seen Date' are different for the same file on the same machine, this indicates the Agent missed the initial write of the file, for example the Agent may not have been started, or there may have been a 'KernelFileOpExclusions' parameter in place that ignored the initial writing of the file, which would be the 'Date Created' time.
  • Pg 241 - File Instance Details and Files on Computers screen -  Date Created: Exact time this (file) instance was created in its current location.
  • Pg 234 - File Details and File Catalog Page Fields - First Seen Date: Time the first file with this hash was seen on a network computer.
Powered by Wolken Software