Although searching by hash is a better way to be certain you find all instances of a file, searching by name is the easiest type of search to create from scratch.

File Name searches allow you to use different operators to expand or narrow the matches you get from the search, as shown in the following table.

Table 1. Operators for the File Name Filter

| Field | Description |
|---|---|
| contains | Any file whose name contains the text in the text box. This operator can cause time-consuming and inefficient searches; use an alternative, if possible. |
| does not contain | Any file whose name does not contain the text in the text box. This operator can cause time-consuming and inefficient searches; use an alternative, if possible. |
| begins with | Any file whose name begins with the text in the text box. |
| ends with | Any file whose name ends with the text in the text box. |
| is | Only files that exactly match the text you enter. When you choose is, be sure to include the full file name, including extension, in the File Name text box. |
| is not | Any file whose name does not exactly match the text that you enter. If you enter calc as the File Name, for example, the results from is not include calc.exe, mycalc, and so on. |
| is empty | Any file whose name is missing or blank. |
| is not empty | Any file whose name is not missing or blank. |

By default, the Find Files page opens with the File Name filter and the operator is, so that only file instances exactly matching the text you enter in the text box are in the results.

When searching for a file by name, consider the following best practices:

  • No Wildcards – Do not use wildcards (*, ?, and so on) in your search string for a file name. The Carbon Black App Control Server tries to match them literally, and the results are not likely to be what you want. Instead, use the operator menu, which provides choices that accomplish the same thing, without requiring you to type in special symbols.
  • Case Sensitivity and Platforms – File searches in Carbon Black App Control are not case sensitive. For example, searching for Myfile.exe, myFiLE.exe, or myfile.exe returns the same results.

  • Limit Results – Try to define your search parameters so that the results are limited to a reasonable number of files. The console limits the number of matching files it returns, and you will see a message instructing you to try a narrower search if the number of results exceeds what can reliably be inserted into one table.

  • Choose the Most Efficient Search Criteria – Some search criteria are more efficient than others. In general, a filter that allows searching for an exact match rather than requiring a string analysis is much faster and has less likelihood of database timeouts. For example, finding all files with a particular extension (such as .exe) by using the File Name filter and choosing ending with .exe is very inefficient. In this case, use the Extension filter. Searching for a file using the containing operator (such as File Name contains setup) is particularly inefficient.

  • Auto-Completion – Many fields on the Find Files page provide automatic matching of the string as you type it, showing matching choices in a menu.

Locate Instances of a File by Name

To locate instances of a file by name, perform the following procedure.

Procedure

  1. In the console menu, click Tools and then click Find Files.
  2. Specify a File Name, or a portion of a filename, to use in the search. As you type, the search bar gives file search options.
    The Find Files search
  3. Select the option that matches your intended query. Select the File Name option if you want only files that exactly match the File Name you entered so far (including extension). In general, avoid the containing operator unless it is absolutely necessary because it results in an inefficient search.
  4. If you select the Automatically Apply check box, as soon as you press Return on your keyboard or click on an option in the Search text box, all files (on all computers) that match the File Name-option combination you entered are displayed in the Find Files table.
  5. If you do not select the Automatically Apply check box, selecting an option in the Search text box opens the Show Filters panel so that you can add additional search parameters. In this case, click Apply in the Filters panel to see the search results.

Adding a Pathname to a File Search

File Path is a possible addition to a search for files by name. It can also be useful in other searches; for example, to find all files from a specific publisher in a specific directory and its subdirectories.

Specify a pathname without the name of the file you want to find. For example, if you wanted to find calc.exe in c:\windows\system32, specify the following filters:

The Find Files filters

Specifying that the File Path is c:\windows\system32 indicates that you want to find files in the named directory only, not in subdirectories. To search for all files in a named directory and its subdirectories, use the operator contains. For example, if you specify that File Name is calc.exe and File Path contains c:\windows\system32, all instances of calc.exe in c:\windows\system32 and any of its subdirectories are returned.

Note: Using a pathname in a file search limits your search to computers that support the platform-specific delimiters (that is, \ or /) and other special path characters.
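The operator, case, and wildcard rules from the best practices above, together with the File Path is versus contains behavior, can be checked against a small local model. This is an added example, not Carbon Black App Control code: the inventory is constructed, find_files and matches are hypothetical names, and contains is assumed to be a plain substring match.

```python
# Added illustration: a local model of the filter semantics described on this
# page. It is not Carbon Black App Control code and does not call the product.

# Operators from Table 1, applied case-insensitively as the page states.
OPERATORS = {
    "contains":         lambda v, t: t in v,
    "does not contain": lambda v, t: t not in v,
    "begins with":      lambda v, t: v.startswith(t),
    "ends with":        lambda v, t: v.endswith(t),
    "is":               lambda v, t: v == t,
    "is not":           lambda v, t: v != t,
    "is empty":         lambda v, t: v == "",
    "is not empty":     lambda v, t: v != "",
}

def matches(value, operator, text=""):
    """Apply one operator; wildcards in `text` are ordinary characters."""
    return OPERATORS[operator]((value or "").lower(), text.lower())

def find_files(inventory, filters):
    """Return (path, name) records satisfying every (field, operator, text) filter."""
    fields = {"File Path": 0, "File Name": 1}
    return [rec for rec in inventory
            if all(matches(rec[fields[f]], op, txt) for f, op, txt in filters)]

# Constructed sample inventory: (directory, file name) pairs.
INVENTORY = [
    (r"c:\windows\system32", "calc.exe"),
    (r"c:\windows\system32\en-us", "Calc.exe"),
    (r"c:\windows\system32_old", "calc.exe"),
    (r"c:\users\alice\downloads", "mycalc"),
    (r"c:\users\alice\downloads", "calc*.exe"),
]

if __name__ == "__main__":
    name_is = ("File Name", "is", "calc.exe")
    # Path "is": the named directory only, regardless of case.
    print(find_files(INVENTORY, [name_is, ("File Path", "is", r"C:\Windows\System32")]))
    # Path "contains": the directory, its subdirectories, and any other path
    # that happens to include the same text (assumed substring semantics).
    print(find_files(INVENTORY, [name_is, ("File Path", "contains", r"c:\windows\system32")]))
    # A wildcard is matched literally, so only the file literally named calc*.exe is found.
    print(find_files(INVENTORY, [("File Name", "is", "calc*.exe")]))
    # "is not calc" excludes only an exact match, so every record here is returned.
    print(find_files(INVENTORY, [("File Name", "is not", "calc")]))
```

Under the substring assumption, File Path contains c:\windows\system32 also returns the constructed sibling directory c:\windows\system32_old, so review the paths in the results rather than assuming every hit is under the intended directory.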