The ExDeletedFileInstances view provides access to the metadata for each deleted file instance on each computer at your site.
The Carbon Black App Control Server keeps track of only last deleted instance of each unique file name on each computer. This means that, if same file was created and deleted multiple times, only the last deleted instance is listed.
| Field Name |
Data Type |
Special Values |
Comments |
|---|---|---|---|
|
|
bigint |
|
Primary Key |
|
|
int |
|
Foreign key into ExFileInstanceGroups table for group that contains this file |
|
|
int |
|
Foreign key into ExFileCatalog table for details about this file |
|
|
int |
|
Foreign key into ExComputers table for computer that has this file |
|
|
datetime |
|
Date and time (UTC) when the file was created |
|
|
datetime |
|
Date and time (UTC) when file was deleted |
|
|
nvarchar |
|
Name of this file |
|
|
nvarchar |
|
Path of the file. Uses the OS-specific delimiter for the agent that had the file |
|
|
nvarchar |
|
Name of the detached publisher. Embedded publishers can be retrieved through a join with ExFileCatalog. |
|
|
nvarchar |
Approved, Approved by Policy, Unapproved, Banned, Banned by Policy |
State of the detached publisher (if available); “none” for unsigned files |
|
|
nvarchar |
Manual, Reputation, Imported, External (API), Unknown |
Reason for the state of this file’s publisher |
|
|
char |
|
Carbon Black App Control-proprietary hash of the detached certificate. Embedded certificates can be retrieved through a join with ExFileCatalog |
|
|
nvarchar |
Unapproved, Approved, Banned, Approved by Policy, Banned by Policy |
Global state of the detached certificate. Invalid certificates are Unapproved in this field. Unsigned certificates are null. |
|
|
nvarchar |
Manual, Imported, External (API), Unknown |
Reason for the state of the file’s detached certificate (same as Publisher State reason) |
