Version
All versions of Carbon Black
Topic
This document covers how to turn off event collection of Non-Binary File Writes, and also explains why doing so can be extremely beneficial for one's environment.
For the most part, Cb Response does not record information about non-binary file types. However, file writes of certain non-binary file types are recorded by Cb Response. The following non-binary file types are recorded by the Cb Response sensor when written to disk:
- PE
- Elf
- UniversalBin
- EICAR
- OfficeLegacy
- OfficeOpenXml
- Pdf
- ArchivePkzip
- ArchiveLzh
- ArchiveLzw
- ArchiveRar
- ArchiveTar
- Archive7zip
Some endpoints may produce large amounts of one or more of the above file types, and therefore can produce a massive inbound queue of mostly uninteresting files. This can lead to decreased data retention because of these extra noisy sensors, as well as more system resources used on the server to ingest this data. If a large volume of non-binary file writes is determined to be an issue on certain machines, the following steps can help remedy it.
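Before moving sensors into a reduced-collection group, it helps to know which hosts are actually producing the volume, and of which of the listed types. The script below is an added example (not Carbon Black code) that tallies file-write events per sensor for the file types listed above and ranks the hosts that exceed a threshold. The event records and hostnames are constructed here; in a real deployment the same function would be fed file-modification events pulled from the Cb Response server (for example through the cbapi Python bindings), which is an assumption about how one would wire it up, not something this article describes.

```python
"""Rank Cb Response sensors by how many writes of the recorded non-binary
file types they generate, to pick candidates for a reduced-collection group.

Added example, not Carbon Black code. All events below are constructed.
"""
from collections import Counter, defaultdict

# File types the article says the sensor records when written to disk.
COLLECTED_FILETYPES = frozenset({
    "PE", "Elf", "UniversalBin", "EICAR", "OfficeLegacy", "OfficeOpenXml",
    "Pdf", "ArchivePkzip", "ArchiveLzh", "ArchiveLzw", "ArchiveRar",
    "ArchiveTar", "Archive7zip",
})


def build_sample_events():
    """Constructed file-write events as (hostname, path, filetype) tuples.

    Hostnames are hypothetical. The tuple shape is a reduction to the three
    fields this analysis needs, not an actual Cb Response record layout.
    """
    events = []
    # A report server that churns out PDFs and spreadsheets all day.
    events += [("REPORTSRV01", f"C:\\reports\\daily_{i:04d}.pdf", "Pdf")
               for i in range(250)]
    events += [("REPORTSRV01", f"C:\\reports\\summary_{i:03d}.xlsx",
                "OfficeOpenXml") for i in range(40)]
    # A build server emitting many executables (PE is also on the list).
    events += [("BUILD01", f"C:\\build\\out\\tool_{i:03d}.exe", "PE")
               for i in range(120)]
    # A normal workstation: a few PDFs plus lots of writes of a type the
    # sensor does not record, which must not count toward its total.
    events += [("WKSTN-ALICE", "C:\\Users\\alice\\Downloads\\invoice.pdf",
                "Pdf")] * 3
    events += [("WKSTN-ALICE", "C:\\Users\\alice\\notes.txt", "Text")] * 500
    return events


def count_writes_by_sensor(events):
    """Return {hostname: Counter(filetype -> writes)}, recorded types only."""
    per_sensor = defaultdict(Counter)
    for hostname, _path, filetype in events:
        if filetype in COLLECTED_FILETYPES:
            per_sensor[hostname][filetype] += 1
    return per_sensor


def summarize(events, min_writes=100):
    """Return [(hostname, total_writes, {filetype: writes}), ...] for hosts
    whose recorded writes reach min_writes, busiest host first.

    The per-type breakdown is kept so an analyst can see whether the volume
    is generated reports (Pdf/Office) or something worth a closer look before
    deciding to move the host into a group with reduced collection.
    """
    ranked = []
    for hostname, counts in count_writes_by_sensor(events).items():
        total = sum(counts.values())
        if total >= min_writes:
            ranked.append((hostname, total, dict(counts)))
    ranked.sort(key=lambda row: row[1], reverse=True)
    return ranked


if __name__ == "__main__":
    for hostname, total, breakdown in summarize(build_sample_events()):
        detail = ", ".join(f"{t}={n}" for t, n in sorted(breakdown.items()))
        print(f"{hostname:<14} {total:>5} recorded writes  ({detail})")
```

The threshold is deliberately a parameter: what counts as "noisy" depends on the server's retention target and how many sensors report to it, so tune `min_writes` against the inbound-queue size you are actually seeing.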
Steps
- The goal here is to create a new sensor group and move the noisy sensors that are writing a lot of non-binary files into that new group. Then, change that group's Event Collection setting so that Non-Binary File Writes are not collected.
- Log into the Carbon Black Response Console (the GUI).
- At the top, hover over "Administration" and a drop-down menu appears. Go to "Sensors" under this Administration drop-down.
- Create a sensor group which contains only the report-generating servers. To do this, click the "+Create Group" button.
- You will need to fill out some details on the "General" tab such as IP address. These settings can be the same as the settings in the default group.
- Then, go to the "Event Collection" tab in this "Create Group" menu.
- Under "Event Collection" there should be a checkbox with the text "Non-Binary File Writes" next to it. Uncheck this box, and writes of the generated report files will no longer be collected for sensors in this group.
Important Note(s)
You can still turn off the collection of Non-Binary File Writes after a group has been created by going to Administration > Sensors, then selecting the group you want to edit, and then "Edit Settings" > "Event Collection".