Environment
- App Control Console: All Supported Versions
- App Control Agent: 8.9.2+
- Microsoft Windows: All Supported Versions
Symptoms
- Full OS Inventory Tracking setting is configured to discard information at the Server or Agent (Option 2 or 3)
- Still receiving Local File Approval Events for newly written/discovered supporting files (e.g. DLLs)
- Supporting files are properly signed by Microsoft Windows or Microsoft Corporation and fully validated
Cause
There is an issue EP-20515 where Microsoft DLL files are not properly classified.
Resolution
- From the Console, navigate to: https://ServerAddress/shepherd_config.php
- Select ABExclusionRules under Defined Properties.
- Adjust value and append the following at the end:
|;;;;;Microsoft Corporation,Microsoft Windows;;;;E0;7
- Click the Change button to save config.
Additional Notes
- Previous issue about the Microsoft publisher not recognized EP-18819 was fixed in Agent version 8.9.2. Upgrade to that version before applying the fix from this KB.
- For OS Inventory Tracking to discard data, a file must fit all of the required criteria (i.e. newly written/discovered, supporting file type, considered interesting, properly signed and validated).
- If any of these are not true about a file, then it would not be expected it to be discarded at either the Agent or Server level and this defect would not apply.
Related Content
