App Control: How To Disable Tracking of Support Files Signed by Microsoft

Environment

  • App Control Server: All Supported Versions
  • App Control Agent: All Supported Versions
  • Microsoft Windows: All Supported Versions

Objective

To disable tracking of information about files signed by either the "Microsoft Windows" or "Microsoft Corporation" publishers.

Resolution

  1. Log in to the Console and navigate to the gear icon > System Configuration > Advanced Options > Edit.
  2. To disable tracking of Microsoft-signed support file instances, choose the radio button for one of the following options in the Full OS Inventory Tracking section:
    • Discard information about locally approved support files signed by "Microsoft Windows" or "Microsoft Corporation" publishers at server
    • Discard information about locally approved support files signed by "Microsoft Windows" or "Microsoft Corporation" publishers at agent
  3. Click the Update button, then Yes to confirm.

Additional Notes

Discarding at the Server:
  • Information about Locally Approved instances of these files is sent to the Server and included in the File Catalog.
  • During the Daily Prune Task this File Information is removed accordingly.
  • These files will not appear in Files on Computers, and will only appear in the File Catalog if an execution or other tracked action occurs.
  • Events related to these new files, while potentially reduced, are still sent to the Server.
Discarding at the Agent:
  • Information about Locally Approved instances of these files will not be sent to the Server and is instead discarded by the Agent.
  • Unless these File Instances were discovered before this option was configured, or were part of a tracked event, they will not appear in the File Catalog.
  • Events associated with these files are further suppressed and not sent to the Server.
File Instances Affected:
  • The Publisher must be "Microsoft Windows" or "Microsoft Corporation". This includes directly signed files, and those signed with a detached publisher.
  • Files signed by other Microsoft publishers, even if legitimate, continue to be tracked.
  • The file must be a support file (such as a .DLL) that is usually considered interesting, and therefore tracked by the Agent.
  • Tracking of EXE files, or the Events related to them, is not affected by this option.
  • The file must be Locally Approved either directly, or due to some other Approval Method.
After Disabling Tracking:
  • All affected files are deleted from the file inventory on the Files on Computers page. This deletion will happen in the background, while the Server is not busy, and could take several days to complete. An Event will report how many files were deleted from the inventory.
  • New, approved instances of these files and changes to them will not be inventoried or tracked. 
Re-enabling Tracking:
  • There will not be an automatic re-inventory of Microsoft-signed files by the Agent.
  • New instances, or activity related to relevant files, will be tracked.
  • To collect an inventory of all pre-existing Microsoft Support Files, the Agent will need to be instructed to Resynchronize all File Information. This is done via the Assets > Computers page by using the Action menu.

Article Information
Creation Date: 09-09-2020