Reference System Filters or Templates

Question

How is the membership of a Reference System list managed?

Details

The membership of a Reference System list (created by a Reference System Whitelist policy) is managed by the filter entries highlighted in orange below.

  • File specifications: This parameter sets what will be scanned (directories and/or file types).
  • Reporting filter: This parameter sets what will be reported to the SMP and stored in the CMDB.
  • Example configuration scenario
    • There are files in the %programfiles% directory as well as in c:\AppFolderA. The default filters in the template will not report the files in c:\AppFolderA.
    • Use the default options in a new Reference System Whitelist policy, create an additional filter for c:\AppFolderA, and then add that filter to the File specifications parameter below. See Creating a New File Specification Filter for Scanning or Inventory for information on how to create an additional filter for c:\AppFolderA.

Pre-built filters in the Templates

  • There are a number of pre-built filters (or templates) which can be used to configure the File specifications and Reporting filters. The example below is a clone of an existing filter. The new filter is #9 and the existing filter is #8 - "Executables in Windows Directories not present in Security Catalogs" (Note: #8 is a good example filter to clone when creating custom filters for a whole system, as it already has the appropriate exclusions).
    • The pre-built filters are shown under File Inventory > Filters > File Specifications and may be used as templates in any policy.
    • Customization of the filters can be necessary when software packages install outside of the standard Program Files folder.

Filtering options

  1. Wildcard(s) - this parameter filters on the file name, either by a specific name or by a wildcard entry [Example: %altiris% would find all files with the sub-string altiris in the name].
  2. Path - this parameter determines which path(s) will be included in the scan.
  3. Drives - this parameter determines which drive types will be included in the scan.
  4. Attributes - this parameter determines:
    1. Include subdirectories - If checked, subdirectories of the path(s) in parameter #2 will be included in the scan.
    2. Include System - If checked, files marked System will be included in the scan. Generally this should not be checked. System files should generally be managed by the OS itself.
    3. Include Hidden - If checked, files marked as hidden will be included in the scan.
  5. Files - this parameter allows additional filtering of the files to be included in the scan.
  6. Include only - this parameter allows additional conditions to be applied to the files included (or allowed) by parameter #5.  For example:  If parameter #5 allows Java to be detected or run, this parameter can have a command-line filter which will allow Java to be detected or run only when a certain command-line is given.
  7. Exclude any - this filter allows items to be excluded from the filter.

Note:  For a filter to work correctly in a Reference System Whitelist policy, either or both parameters #1 and #5 must generally have an identifier for files or there will typically be no results.
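
The sketch below is an added example, not code from the product or from this article: a simplified Python model of how the filters listed under File specifications select files, covering filtering options 1, 2, 4 and 7 only. The matching rules, the contents of the `DEFAULT` filter and the sample inventory are assumptions constructed to illustrate the c:\AppFolderA scenario and the note about missing file identifiers.

```python
import fnmatch
from dataclasses import dataclass
from pathlib import PureWindowsPath

def _under(path, root, recurse=True):
    # True if path sits directly in root or, when recurse is set, in a subdirectory.
    root = PureWindowsPath(root)          # Windows path comparison ignores case
    return path.parent == root or (recurse and root in path.parents)

@dataclass
class FileSpecFilter:
    wildcards: tuple                 # option 1: "%" stands for any run of characters
    paths: tuple                     # option 2: directories in scope
    include_subdirs: bool = True     # option 4.1
    include_system: bool = False     # option 4.2
    include_hidden: bool = False     # option 4.3
    exclude_any: tuple = ()          # option 7: directories removed from scope

    def matches(self, path, attrs=()):
        p = PureWindowsPath(path)
        if (("system" in attrs and not self.include_system)
                or ("hidden" in attrs and not self.include_hidden)):
            return False
        if any(_under(p, x) for x in self.exclude_any):
            return False
        in_scope = any(_under(p, r, self.include_subdirs) for r in self.paths)
        # An empty wildcard list means no file identifier, so nothing is selected.
        named = any(fnmatch.fnmatchcase(p.name.lower(), w.lower().replace("%", "*"))
                    for w in self.wildcards)
        return in_scope and named

def scan(file_specifications, inventory):
    # A file is selected when at least one filter in the policy matches it.
    return [path for path, attrs in inventory
            if any(f.matches(path, attrs) for f in file_specifications)]

# Constructed sample data: (path, file attributes)
INVENTORY = [
    (r"C:\Program Files\Vendor\app.exe", ()),
    (r"C:\Program Files\Vendor\readme.txt", ()),
    (r"C:\AppFolderA\tool.exe", ()),
    (r"C:\AppFolderA\bin\helper.exe", ()),
    (r"C:\AppFolderA\bin\stash.exe", ("hidden",)),
    (r"C:\AppFolderA\logs\old.exe", ()),
]
# Assumed stand-in for a template default, plus the additional custom filter.
DEFAULT = FileSpecFilter(("%.exe",), (r"C:\Program Files",))
APP_A = FileSpecFilter(("%.exe",), (r"C:\AppFolderA",),
                       exclude_any=(r"C:\AppFolderA\logs",))
```

Calling `scan([DEFAULT], INVENTORY)` and then `scan([DEFAULT, APP_A], INVENTORY)` shows which executables would stay off the Reference System list until the additional filter is added.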