The ExDeletedFileInstances view provides access to the metadata for each deleted file instance on each computer at your site.

The Carbon Black App Control Server keeps track of only last deleted instance of each unique file name on each computer. This means that, if same file was created and deleted multiple times, only the last deleted instance is listed.

Table 1. ExDeletedFileInstances View Details

Field Name

Data Type

Special Values

Comments

Deleted_File_Instance_Id

bigint

 

Primary Key

File_Instance_Group_Id

int

 

Foreign key into ExFileInstanceGroups table for group that contains this file

File_Catalog_Id

int

 

Foreign key into ExFileCatalog table for details about this file

Computer_Id

int

 

Foreign key into ExComputers table for computer that has this file

Date_Created

datetime

 

Date and time (UTC) when the file was created

Date_Deleted

datetime

 

Date and time (UTC) when file was deleted

File_Name

nvarchar

 

Name of this file

Path_Name

nvarchar

 

Path of the file. Uses the OS-specific delimiter for the agent that had the file

Detached_Publisher

nvarchar

 

Name of the detached publisher. Embedded publishers can be retrieved through a join with ExFileCatalog.

Detached_Publisher_State

nvarchar

Approved, Approved by Policy, Unapproved, Banned, Banned by Policy

State of the detached publisher (if available); “none” for unsigned files

Detached_Publisher_State_Reason

nvarchar

Manual, Reputation, Imported, External (API), Unknown

Reason for the state of this file’s publisher

Detached_Certificate_Hash

char

 

Carbon Black App Control-proprietary hash of the detached certificate. Embedded certificates can be retrieved through a join with ExFileCatalog

Detached_Certificate_State

nvarchar

Unapproved, Approved, Banned, Approved by Policy, Banned by Policy

Global state of the detached certificate.

Invalid certificates are Unapproved in this field. Unsigned certificates are null.

Detached_Certificate_State_Reason

nvarchar

Manual, Imported, External (API), Unknown

Reason for the state of the file’s detached certificate (same as Publisher State reason)