Is it wise to have a scan filter target all executables?

Owned by Anonymous
Last updated: Oct 09, 2015 by Max Pinion (Deactivated)
1 min read

Question

Is it wise to use a scan filter policy that has the following configuration?

Answer

The stated scan filter (assuming its used as a specification filter) would capture every file on a computer where the file header is marked as a valid executable image (COFF Header ) so long as it is not a DLL. Note that this will include driver files.

No, it is not wise to use such a scan filter, for the following reasons:

This would generate a new "collection" of file hashes that would be delivered to every client in the environment.

This potentially can become a very large collection depending on how many systems are scanned by this policy.

If this collection becomes too large and this collection is used by either the reference policy or another ACS policy to affect ACS systems, the result may cause a delay in program execution as each program's hash must be checked against this collection of hashes.

Additionally this larger collection increases the overall size of the local client item DB which can also cause overall performance degradation of ACS and File Inventory processes.