Solved

Consider all items good vs creating overrides

  • 7 December 2016
  • 2 replies
  • 59 views

If I select an endpoint in the console, I can go to Agent Commands -> Files & Processes -> Consider all items as good.
 
I can also go to the Overrides tab and create overrides for specific programs.
 
Are these equivalent?
 
If I consider all items as good, does it just apply to that single endpoint? Is there some way to see what it considered good? I do not see a list or report.
 
I have also noticed that even if I create an Override, or Consider good, the program still shows up in the Endpoints with Undetermined Software report. Is this expected? Is there some way to clean up this report?

Best answer by coscooper 20 December 2016, 22:44


2 replies

I was about to ask this same question to a tee. I'd like to know the answer to this as well. 
These are two distinct functions with very different answers. The best way to answer is to explain each function, its intention, and how it behaves.
 
1) Agent Commands -> Files & Processes -> Consider all items good. This is a local-endpoint-only function that will only set the current list of unknowns (Undetermined) as good. The moment the command is run, if another undetermined is flagged, this command has no effect. (This agent command is rarely used.) You typically do not need to send this command, then make a whitelist. Just make the whitelist, and at the next poll cycle the endpoint will pick up the new override and anything that's flagged as undetermined will change to good. This command is really only used for one-off requirements JUST for that endpoint.
 
  • So to answer the first question, are these equivalent? - No.
  • Does it just apply to the single endpoint? - Yes
  • Is there a way to see what is considered good? - Yes - in the c:\Program Data\WRData directory, there's a determination file that has all the GOOD determinations (Res0.db). (PS... changing it in this file does not work; it's for informational purposes only.)
2) Whitelisted applications and/or directories are applied to all endpoints being managed by the respective site and are the preferred method for ensuring an agent ignores the application going forward. The agent command in question is for a single point in time on a single endpoint. Again - it's rarely used and I'd encourage you NOT to use it, as it's fairly temporary and the undetermined software could rerun at a future time and get reset as undetermined.
 
3) Endpoints with Undetermined Software report - this is a historical report and will not be purged, but will report the last date/time seen. So, if you create an override, the override file gets updated on the respective endpoint; the undetermined software will still show up in this report, but should show up with a date/time stamp that will stay static at the last time the agent thought it was undetermined.
 
  • Is there a way to clean up this report? - No. It's a historical report that's for general use, not a dynamic live active report.
Best practice is to review this undetermined software report for trends across endpoints and proactively make whitelists, which will update on the endpoint at the next polling cycle. (PS... lower the polling cycle in the respective policy to 30 or 15 minutes.)
 
There is actually nothing wrong with the agent monitoring files. In general, they will either get determined by our central threat data and/or may simply be benign. So, you do not have to keep it 100% pristine.
 
Whitelists are primarily for major business applications (line of business or important applications) for a given industry and that our central threat data may not have on file.
 
Lastly, if you expose the "Determinations" column in whitelists under the site, you'll see what our central threat data knows about that file and any other whitelisted items. Their determination may have changed since it was configured. If it's "good" you can remove the old whitelists as a housekeeping activity, as keeping whitelists to a minimum will help with agent performance.
 
Hope this helps.
