By default, Carbon Black App Control inventories and tracks all instances of interesting files on all agents attached to a server. Many of these files are Windows operating system and Microsoft application files and related system updates.
As Windows has evolved, the number of operating system files has multiplied to several times what it was in Windows XP, and applications have had similar increases in file number. Windows updates are also significantly increasing in size. Because of these increases, Microsoft files may account for more than half and in some cases three-quarters of all of the files found in your inventory for Windows computers.
If you trust and approve files from Microsoft, you might prefer not to track them. Carbon Black App Control provides two options that eliminate file tracking for certain files that have been signed by the publishers "Microsoft Windows" or "Microsoft Corporation". By turning off file tracking for a significant percentage of the file instances on your systems, you can reduce the size of the server database needed for a given number of agents and reduce the load on the server that processes these files.
The two options allow you to choose where you exclude the information about the support files signed by "Microsoft Windows" or "Microsoft Corporation" publishers:
- Discard at the server
- Information about locally approved instances of these files is sent to the server and included in the File Catalog, but the files are subsequently purged from the Files on Computers inventory. This setting eliminates your visibility into these files on endpoints. While reporting of events related to these files is limited, events such as approvals and bans continue to be reported.
- Discard at the agent
- Information about locally approved instances of these files is discarded at the agent and not sent to the server. In addition, events associated with the files are further suppressed (although not completely eliminated). These files do not appear in Files on Computers, and they generally do not appear in the File Catalog unless an execution or other tracked action occurs.
For both of these options, a warning displays that exclusion of tracking for these files can hamper investigations.
Tracking of Microsoft-signed support file instances is controlled on the Advanced Options tab of the System Configuration page.