On Windows computers, files found in a trusted directory and any of its subdirectories are approved.
Installers and Archives in Trusted Directories
Archives and installers are file types that can generate other files.
It can be convenient to put both types of files in a trusted directory to make file approvals more efficient; note that they are treated differently:
- Installers – Carbon Black App Control recognizes these common Windows formats as installers: Nullsoft, Wise, InstallShield, and MSI. You also can manually mark files as installers.
  In a trusted directory, an installer file is globally approved and added to the File Catalog. If the system hosting the trusted directory is running an agent, the installer is also added to the Files on Computers list. Installer files are not analyzed to determine the files they will write when run, nor are the files an installer will write added to the File Catalog or Files on Computers list until the installer is actually run. File instances written by an installer are locally approved but not globally approved.
- Archives – Carbon Black App Control recognizes the following Windows formats as archives: 7Zip, BZip2, CAB, GZip, ISCab, ISO, MSCompress, RAR, ZIP, and TAR.
  In a trusted directory, archive files are analyzed by Carbon Black App Control to determine what files they will write when expanded. The files that will be written by the archive file are globally approved and added to the File Catalog, even if there are no instances of them yet. They are not added to the Files on Computers inventory until the archive is expanded. The top-level archive file (for example, myfiles.ZIP) is not added to the File Catalog.
Windows Image (WIM) files are commonly used to package operating system files. By default, they are not recognized by Carbon Black App Control as archives, but you can enable analysis and approval of the content of WIM files.
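Because every file inside an archive is globally approved as soon as the archive lands in a trusted directory, it is worth reviewing the member list before copying it there. The following is an added example, not part of the product or its documentation: it lists the regular files in a ZIP or TAR archive with a hash of each, without extracting anything. The function names, the use of SHA-256 and the sample archive are assumptions made for the example.

```python
import hashlib
import io
import tarfile
import zipfile


def sha256_stream(stream):
    """Hash a file-like object in chunks so large members are not read whole."""
    digest = hashlib.sha256()
    for chunk in iter(lambda: stream.read(65536), b""):
        digest.update(chunk)
    return digest.hexdigest()


def preview_archive(data):
    """Return sorted (member_name, sha256) pairs for regular files in a TAR or ZIP.

    Nothing is written to disk; nested archives are listed but not opened.
    """
    buf = io.BytesIO(data)
    try:
        # "r:*" also accepts gzip- and bzip2-compressed TAR files
        with tarfile.open(fileobj=buf, mode="r:*") as tf:
            return sorted((m.name, sha256_stream(tf.extractfile(m)))
                          for m in tf if m.isfile())
    except tarfile.ReadError:
        buf.seek(0)
    if not zipfile.is_zipfile(buf):
        raise ValueError("not a ZIP or TAR archive")
    buf.seek(0)
    with zipfile.ZipFile(buf) as zf:
        found = []
        for info in zf.infolist():
            if not info.is_dir():
                with zf.open(info) as member:
                    found.append((info.filename, sha256_stream(member)))
        return sorted(found)


def sample_zip():
    """Constructed sample input: a small ZIP built in memory."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as zf:
        zf.writestr("bin/tool.exe", b"MZ constructed sample")
        zf.writestr("docs/readme.txt", b"constructed sample")
    return out.getvalue()


if __name__ == "__main__":
    for name, digest in preview_archive(sample_zip()):
        print(digest, name)
```

Any member that is unexpected in the listing is a reason to keep the archive out of the trusted directory until it has been checked.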
Enable Trusted Directory Approvals of WIM File Contents
To enable trusted directory approvals of WIM file contents, perform the following procedure.
Procedure
- Select or create the trusted directory in which to approve the content of WIM files.
- On the system where the trusted directory is located, download the Microsoft Windows Automated Installation Kit (AIK) from https://www.microsoft.com/en-us/download/details.aspx?id=10333. This download includes imagex.exe, which is required for WIM approval.
- Disable tamper protection on the agent so that imagex.exe can be added to the agent folder.
- From the Windows AIK download location, copy imagex.exe into the agent installation directory (typically C:\Program Files (x86)\Bit9\Parity Agent).
- In the console, approve the imagex.exe files on the agent that has the trusted directory.
- Re-enable tamper protection on the agent.
- In the console, enter the URL for the Support page: https://<serveraddress>/support.php.
- Click the Advanced Configuration tab, and in the Agent Configuration panel, select the check box for Enable Deep Crawl.
- In the Deep Crawl Files line, add "*.wim" to the end of the list of file extensions if it is not already there. Use a comma to separate the new extension from the previous one in the list. Click Update when you are finished.