Even if you turn off tracking of approved Microsoft support file instances, information about them is available. Some of this is generic information about the file itself, not its specific instances.
These files still display in the File Catalog if a file with their hash has appeared on any agent-monitored computer. Because instance tracking is turned off, the file Prevalence number is not reliable and might be zero. A tooltip indicates that prevalence cannot be calculated.
You can turn off tracking of these files in general but still track specific instances; for example, if a particular version of a Microsoft DLL has a reported vulnerability and you want to replace it. There are several ways to keep the general setting in place, so that you reduce the load from these files, while also tracking executions of certain files:
- Report Bans – You can create a report-only ban for a file. This causes all instances of this file on all computers to be added to the inventory.
- Meters – If you create a Meter for a file hash, the meter reports all executions of an excluded file as events, but does not add instances of it to the Files on Computers inventory.
- Exports of Data to Analytics Tools – If you have integrated Carbon Black App Control with an External Analytics tool such as Splunk, data from excluded file instances is included with all the other file and event data. You can use the external tool to find all instances of excluded files as they appeared historically on all computers. Executions of these files are also tracked in the data provided to the external tool.
- Excluded from Inventory Column in File Catalog – The optional column Excluded from Inventory is available in the File Catalog. If you add this column to the table, it identifies files whose instances are not in the file inventory because they are excluded OS support files.
Note: Files locally approved after Microsoft support file exclusion is activated continue to display as unapproved files and therefore display in the Files on Computers inventory.
If you have Carbon Black EDR sensors installed on your computers in addition to the Carbon Black App Control Agent, Carbon Black EDR continues to detect and report executions of these files.