There are interactions between the Full OS Inventory Tracking rule and several other rules and conditions in Carbon Black App Control.
- File State Transitions – If file exclusion is enabled (that is, Full OS Inventory Tracking is disabled), unapproved file instances that otherwise meet the exclusion criteria are inventoried and tracked. If these files are later approved, they are no longer tracked, but the server does not incorporate their state change; they remain in inventory even though their prevalence shows as zero. Conditions that can cause this include the following:
  - A Microsoft support file was locally unapproved and therefore not excluded from inventory, but it was later locally approved.
  - The criteria for publisher trust were high when Full OS Inventory Tracking was disabled (for example, minimum key size for approval was 2048), and therefore Microsoft support files were not excluded. The publisher trust criteria were then lowered (for example, to a 1024-bit minimum), approving most of the support files.
- Disabling Tracking – If you disable Full OS Inventory Tracking, the following occurs:
  - All affected files are deleted from the file inventory on the Files on Computers page. Deletion occurs in the background while the server is not busy, and can take several days to complete depending on inventory size. An event reports how many files are deleted from the inventory.
  - New, approved instances of these files (and changes to them) are not inventoried or tracked.
- Re-Enabling Tracking – If you re-enable Full OS Inventory Tracking, there is no automatic re-inventory of Microsoft-signed files from agent computers. New instances of, or activity related to, relevant files are tracked. To collect an inventory of all pre-existing Microsoft support files, you can Resynchronize all File Information on a computer-by-computer basis. This option is available on the Computers page Action menu.
- Agent Version – You can apply either of the options for turning off tracking of Microsoft support files to agents at version 7.2.1 and greater, and these agents will behave as documented. You can also turn off tracking on (supported) older agents, but the behavior is different. The server cannot always immediately exclude files from older agents because it is missing some of the necessary information. For example, it cannot always detect that a file is a supporting file, or that the file is signed by Microsoft. However, if you choose one of the exclusion options, information about these files is deleted on the server in the background during a regular daily update of file information.