The CVD file compliance tool monitors file changes on endpoints to detect abnormal file activity, ensuring image compliance.
Use the tool to detect any abnormal activity and changes on machines that are usually static, track any security breaches, and prevent data leakage or unexpected behavior.
The tool has two modes:
Create reference manifest mode: The tool copies the manifest that was last loaded to a special path in the storage. This mode does not use a policy file and includes all manifest entries.
Check compliance mode: You specify a policy file that lists the extensions to track and the folders you do not want to track. The tool applies the policy file to both the reference manifest and the latest manifest, checks for modifications, and reports the changes.
Each file on the endpoint has a signature (data checksum) that is stored in the manifest, which is the list of all files backed up to the storage. The tool uses the path and checksum data in the manifest to identify when a file was modified or moved from its original location. Mirage stores the last manifest in a specific file in the storage.
Create the Reference Manifest
Before running the tool, verify that the endpoint has completed an upload operation to the server. The upload frequency depends on the Mirage configuration.
The tool creates a reference manifest at a specific path if one does not already exist. If the reference manifest exists, the tool compares it with the last manifest in the storage and reports whether the manifest was modified. If you do not use the -CreateReferenceFileList flag and the reference manifest does not exist, you get an error.
To create the reference manifest for the first time, run:
FileComplianceScan -CreateReferenceFileList -MgmServerAddress localhost -CvdID 10008
where
-CreateReferenceFileList creates the first manifest reference file.
-MgmServerAddress is the name or IP address of the Mirage management server.
-CvdID <id> is the Machine/CVD identifier.
The tool lists the number of files found, which includes all files in the CVD policy.
Check Compliance
To check the files you want to track, run:
FileComplianceScan -MgmServerAddress localhost -FilesPolicy "C:\PolicyFile.xml" -OutputDir "c:\DetectManifestOutput" -LogTraceLevel -CvdID 10008
where
-MgmServerAddress is the name or IP address of the Mirage management server.
-FilesPolicy <xmlFilePath> is the path to the XML file that lists the extensions to include and the folders to exclude. If the file does not exist, the tool reports it and creates a template file; edit the template to define the files you want the tool to track, then run the command again.
-OutputDir <CsvResultDirPath> is the path to a directory in which the tool creates the CSV file containing the report of the files that were found. Not valid in -CreateReferenceFileList mode.
-LogTraceLevel writes more detailed data to the output log for troubleshooting.
-CvdID <id> is the Machine/CVD identifier.
Policy File
The policy file is an XML file in which you define the rules for the tool. Edit the file to enter the directory paths to exclude and the file extensions to track. Example of the file:
<?xml version="1.0" encoding="utf-8"?>
<DetectManifestFilterOptions xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <PathFilterArray>
    <Directory ExcludePath="C:\\Folder1\\Folder2" Recursive="true" />
    <Directory ExcludePath=" C:\\Folder1\\FileName.exe" Recursive="false" />
  </PathFilterArray>
  <TrackExtArray>
    <Track Extention="exe" />
    <Track Extention="dll" />
  </TrackExtArray>
</DetectManifestFilterOptions>
You can modify this file to include new file extensions based on the output data and run the command again.
Output
The tool writes its output to a CSV file with these columns: Modification Type, File Data Signature, File Path in Ref. Manifest, Latest File Path
Output | Description
---|---
Modification Type | FileAdded: the signature does not exist in the reference manifest but exists in the new manifest. FileRemoved: the signature exists in the reference manifest but not in the new manifest. FilePathChanged: the signature exists in both manifests but the path name has changed or the number of instances of the file has changed.
File Data Signature | 32-digit hexadecimal value of the file's signature. A file cannot have more than one signature value.
File Path in Ref. Manifest | List of full paths from the reference manifest of all files with this signature.
Latest File Path | List of full paths from the current manifest of all files with this signature.
The summary on the command line reports the number of rows in the output file and the number of rows from each modification type. If the tool finds no issues, the output csv file is empty.
If the machine is not 100% in compliance, check the output file and decide if you want to do any Mirage operation to revert the machine back to its original state.
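The following is an added example, not code from the Mirage tool, that models the check described in the Policy File and Output sections: it parses a policy file in the same schema as the example above, applies it to a reference manifest and a latest manifest, classifies every tracked signature as FileAdded, FileRemoved or FilePathChanged, and renders the four-column CSV plus the per-type summary. The function names, the exact exclusion semantics of Recursive="true"/"false", the ";" separator between multiple paths, and all manifests and signatures are assumptions constructed for the example.

```python
"""Added example (not the Mirage tool's own code): a model of the compliance
check. Exclusion semantics, the ';' path separator, function names and all
sample data are assumptions constructed for illustration."""
import csv
import io
import ntpath
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict

# Constructed policy file in the schema shown on the page (Extention is the
# attribute name the page uses, kept as-is). Tracks .exe/.dll, excludes the
# C:\Temp subtree recursively and one vendor DLL by exact path.
POLICY_XML = r"""<?xml version="1.0" encoding="utf-8"?>
<DetectManifestFilterOptions>
  <PathFilterArray>
    <Directory ExcludePath="C:\Temp" Recursive="true" />
    <Directory ExcludePath="C:\Apps\vendor.dll" Recursive="false" />
  </PathFilterArray>
  <TrackExtArray>
    <Track Extention="exe" />
    <Track Extention="dll" />
  </TrackExtArray>
</DetectManifestFilterOptions>
"""

def sig(n):
    """Constructed 32-hex-digit file data signature (not a real checksum)."""
    return f"{n:032x}"

# Constructed manifests: (full path, data signature) for each backed-up file.
REFERENCE = [
    (r"C:\Windows\System32\kernel32.dll", sig(1)),  # unchanged
    (r"C:\Apps\app.exe", sig(2)),                   # gains a second copy later
    (r"C:\Apps\helper.exe", sig(3)),                # deleted later
    (r"C:\Apps\config.dll", sig(9)),                # modified in place later
    (r"C:\Apps\vendor.dll", sig(4)),                # excluded by exact path
    (r"C:\Temp\scratch.exe", sig(5)),               # excluded recursively
    (r"C:\Apps\readme.txt", sig(6)),                # .txt is not tracked
]
LATEST = [
    (r"C:\Windows\System32\kernel32.dll", sig(1)),
    (r"C:\Apps\app.exe", sig(2)),
    (r"C:\Users\bob\app.exe", sig(2)),              # same bytes, new location
    (r"C:\Apps\evil.exe", sig(7)),                  # new file
    (r"C:\Apps\config.dll", sig(10)),               # same path, new content
    (r"C:\Apps\vendor.dll", sig(11)),               # changed but excluded
    (r"C:\Temp\other.exe", sig(8)),                 # excluded
    (r"C:\Apps\readme.txt", sig(12)),               # changed but not tracked
]

def load_policy(xml_text):
    """Parse exclude paths (with their Recursive flag) and tracked extensions.
    strip() tolerates stray whitespace such as the leading space in the
    page's own example."""
    root = ET.fromstring(xml_text)
    excludes = [(d.get("ExcludePath", "").strip().lower().rstrip("\\"),
                 d.get("Recursive", "false").strip().lower() == "true")
                for d in root.iter("Directory")]
    exts = {t.get("Extention", "").strip().lower().lstrip(".")
            for t in root.iter("Track")}
    return excludes, exts

def is_tracked(path, policy):
    """True if the policy keeps this path: tracked extension and not excluded.
    Assumed semantics: Recursive="true" drops the whole subtree; Recursive="false"
    drops only the exact path or the directory's direct children."""
    excludes, exts = policy
    p = path.lower()
    if ntpath.splitext(p)[1].lstrip(".") not in exts:
        return False
    for ex, recursive in excludes:
        if p == ex or ntpath.dirname(p) == ex or (recursive and p.startswith(ex + "\\")):
            return False
    return True

def compare_manifests(reference, latest, policy):
    """Return sorted CSV rows (type, signature, ref paths, latest paths)."""
    def by_signature(manifest):
        groups = defaultdict(list)
        for path, signature in manifest:
            if is_tracked(path, policy):
                groups[signature].append(path)
        return groups
    ref, new = by_signature(reference), by_signature(latest)
    rows = []
    for signature in set(ref) | set(new):
        ref_paths = sorted(ref.get(signature, []))
        new_paths = sorted(new.get(signature, []))
        if not ref_paths:
            kind = "FileAdded"
        elif not new_paths:
            kind = "FileRemoved"
        elif ref_paths != new_paths:   # renamed, moved, or instance count changed
            kind = "FilePathChanged"
        else:
            continue                   # identical on both sides: compliant
        rows.append((kind, signature, ";".join(ref_paths), ";".join(new_paths)))
    return sorted(rows)

def render_csv(rows):
    """Four-column CSV; empty when there is nothing to report, as the page states."""
    if not rows:
        return ""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["Modification Type", "File Data Signature",
                     "File Path in Ref. Manifest", "Latest File Path"])
    writer.writerows(rows)
    return buf.getvalue()

def summarize(rows):
    """Total row count plus a count per modification type, like the tool's summary."""
    return {"rows": len(rows), **Counter(kind for kind, *_ in rows)}

if __name__ == "__main__":
    result = compare_manifests(REFERENCE, LATEST, load_policy(POLICY_XML))
    print(render_csv(result))
    print(summarize(result))
```

Two behaviours worth noticing when reading a real report: a file whose content changed in place (config.dll above) shows up as a FileRemoved row for the old signature and a FileAdded row for the new one, because the signature, not the path, is the key; and a second copy of an unchanged binary in a new location (app.exe) is a FilePathChanged row, since the instance count for that signature changed. Changes under excluded paths or to untracked extensions never appear at all, so the policy file directly decides what the scan can and cannot see.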
Use Cases
In the banking industry, if a branch ATM is infected with a virus, an IT administrator can manage the endpoint image from a central console by running the tool to detect the file changes the infection caused, and then revert the machine to its original state. This process saves critical endpoint downtime and the cost of sending a technician onsite to resolve the problem.
In the retail industry, this tool can detect damaged machines that are not 100% file compliant and revert them to their original state.
Tool Conditions
The tool is subject to these conditions:
You can run the tool on one CVD at a time. Execution takes around 1 minute per CVD.
You cannot run the tool on an archived CVD.
You cannot run this tool on a CVD with LMO (Layer Management Only).
If the tool cannot complete the scan because of errors, it displays the appropriate error message.
The tool can run on any machine that runs the Mirage server tools. For scalability, it does not need to run only from the Mirage management server.
Examples of error messages:
CVD 10001 is an archived CVD. This tool does not support archive CVD. Please type valid CVD ID
Could not find volume path for CVD 10001
Error: Invalid program parameter(s): Missing server address