logo

Knowledge Base

Access official resources from Carbon Black experts

IMPORTANT ANNOUNCEMENT: On May 6, 2024, Carbon Black User eXchange (UeX) and Case Management will move to a new platform!
The Community will be in read-only mode starting April 19th, 7:00 AM PDT. Check out the blog post!
You will still be able to use the case portal to create and interact with your support cases until the transition, view more information here!

How to control the volume of events and files created by Marimba-based infrastructures

How to control the volume of events and files created by Marimba-based infrastructures

Version
Applies to Version 6.0.x, 7.0.x

Issue
The Marimba or Marimba-based software and patch distribution system is creating a very large number of temporary files. This large number of files may be detrimental to Bit9 Server performance and the administrator's experience. The high volume of events sent from Bit9 Agents may significantly reduce server performance. The number of items may clutter the "Events" display in the administration console, and make it hard to filter on more interesting traffic. This same cluttering effect may happen with inventory searching and reporting from "Files" and "Files on Computers".

 

Symptoms

The files are written to directories whose names typically include the string ".marimba" and also "ch.5" where "5" may be any integer.  If the files are globally approved, no events may show in the Bit9 administration console.  Only a query against "Deleted File Instances" using Bit9's "Live File Inventory SDK," or an analysis of client-side diagnostics, may clearly show the issue.

 

Cause

The Marimba or Marimba-based agent creates a temporary, unique file container every time a "chunk" of the file's binary stream is delivered to the workstation from the Marimba or Marimba-based servers.  Several operations may occur for large transfers or for transfers that experience some rate of failure.  Only the final product, the fully downloaded file, will be executed and is of interest to the Bit9 agent.

 

Solution

Create a custom rule that ignores these files when they are written, but allows them to execute should that ever happen.

The syntax of the rule should be as follows.

Name: Marimba Performance Optimizations

 

Description:
Ignores writes to "tuner" temporary directories, but still allows execution from those folders.

 

Rule Type:
Advanced

 

Operation:
Execute & Write

 

Execute Action:
Allow

 

Write Action:
Ignore

 

Path or File:
c:\program files\marimba\tuner\.marimba\marimba_client\*

 

Process:
Any Process

 

Important Note(s)
Note that the specified path may differ from what is written above, depending on how your environment is configured, or if Marimba is the engine underlying your vendor's product. For example, in BCAC Products Transmitter deployed in Retail/POS environments, the name of the path might be c:\program files\bcac\tuner\.marimba\storetuner\*

Tags (1)
Was this article helpful? Yes No
No ratings
Article Information
Author:
jnaiga
Creation Date:
‎12-21-2015
Views:
383
logo

Copyright © 2005-2023 Broadcom. All Rights Reserved. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries.