Some endpoints produce large amounts of non-binary files types, and can therefore produce a massive inbound queue of mostly uninteresting files. This can lead to decreased data retention and system resource usage to ingest this data on the server. If the large amount of non-binary file writes is determined to be an issue, perform the following procedure to turn off this type of event collection.
For the most part, Carbon Black EDR does not record information regarding non-binary files types. However, Carbon Black EDR does record file writes of certain non-binary file types. The following is a list of non-binary files types that the Carbon Black EDR sensor records when they are written to disk:
| PE | Elf | UniversalBin |
| EICAR | OfficeLegacy | OfficeOpenXml |
| ArchivePkzip | ArchiveLzh | |
| ArchiveLzw | ArchiveRar | ArchiveTar |
| Archive7zip |
Procedure
- You can create a new sensor group to contain the sensors that are generating the non-binary file write events, or you can edit an existing sensor group. See Create or Edit a Sensor Group (macOS or Windows Sensors) for step-by-step instructions.
- Click the Event Collection tab.
- Deselect the Non-Binary File Writes check box.
- Save the sensor group.
- Add sensors to the sensor group as needed. See Move Sensors to Another Group.
