
Applies To

  • Application Control Solution 6.1 SP1

Question

Is it wise to use a scan filter policy that has the following configuration?

	Filter:
		wildcard (blank)
		Path (blank)
		ON inc. subdir
		ON inc. system
		ON inc. hidden
	Additional File Filters:
		Files: select an item ...
		Conditions:
		Program Files executables
		Select an item ...

Answer

The stated scan filter (assuming it is used as a specification filter) would capture every file on a computer whose file header is marked as a valid executable image (COFF header), so long as it is not a DLL. Note that this will include driver files.

No, it is not wise to use such a scan filter, for the following reasons:

This would generate a new "collection" of file hashes that would be delivered to every client in the environment.

This can potentially become a very large collection, depending on how many systems are scanned by this policy.

If this collection becomes too large and is used by either the reference policy or another ACS policy to affect ACS systems, the result may be a delay in program execution, as each program's hash must be checked against this collection of hashes.

Additionally, this larger collection increases the overall size of the local client item DB, which can also cause overall performance degradation of ACS and File Inventory processes.
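The header test described at the start of the answer can be reproduced outside the product to see what such a filter would match. The following is an added example, not ACS code: it assumes the "Program Files executables" condition behaves as the answer describes (COFF header marked as an executable image and not a DLL), and the file names and header bytes are constructed samples.

```python
import struct

IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002  # COFF Characteristics: valid executable image
IMAGE_FILE_DLL = 0x2000               # COFF Characteristics: image is a DLL


def coff_characteristics(data: bytes):
    """Return the COFF Characteristics field of a PE file, or None if not PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of "PE\0\0"
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # The 20-byte COFF header follows the signature; Characteristics is its last field.
    (flags,) = struct.unpack_from("<H", data, e_lfanew + 4 + 18)
    return flags


def matches_filter(data: bytes) -> bool:
    """True when the header marks an executable image that is not a DLL."""
    flags = coff_characteristics(data)
    if flags is None:
        return False
    return bool(flags & IMAGE_FILE_EXECUTABLE_IMAGE) and not flags & IMAGE_FILE_DLL


def make_pe(characteristics: int) -> bytes:
    """Constructed sample: DOS header + PE signature + COFF header only."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 0, characteristics)
    return dos + b"PE\0\0" + coff


# Constructed samples (hypothetical names). The extension plays no part in the test.
SAMPLES = {
    "app.exe": make_pe(0x0022),     # executable image, large-address-aware
    "helper.dll": make_pe(0x2022),  # same flags plus IMAGE_FILE_DLL
    "filter.sys": make_pe(0x0022),  # driver: executable image without the DLL flag
    "readme.txt": b"plain text, no MZ header",
}


def selected(samples: dict) -> list:
    """Names of the samples the filter would add to the hash collection."""
    return sorted(name for name, data in samples.items() if matches_filter(data))


if __name__ == "__main__":
    print(selected(SAMPLES))
```

Running the same check over a real directory tree and counting the matches gives a rough idea of how many hashes one scanned system would contribute to the collection.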

 
