
How do I identify Cb Protection file activity?

Cb Protection helps identify the type of file activity recorded in the admin console's events log, but it is up to systems administrators to understand the significance of that activity and to change server and application management workflows so that required software is approved before it is needed.

  1. While viewing events, add a filter for Subtype and set it to New unapproved file to computer.
  2. Add a filter for File State set to Unapproved, then group events by Process Name.
  3. Identify the process with the most events.
  4. Add a filter for Process Name and set the filter to the name of the process that you identified.
  5. Group by File Path and identify the file path with the most related events.
    • If there is no single path with a large number of events, look for a set of paths with related names (for example, sibling directories under one product or project folder).
  6. Add a filter for File Path.
    • If you see a large number of file paths that do not seem related to each other, but that cluster by user, project, or software, you are probably looking at backup activity.
  7. Group by User.
    • If all of the activity is associated with the local system account or with a service account used to back up that system, it is probably backup activity. If the activity is associated with user accounts, it is probably user software installs.
  8. Group by File Name and identify the type of files being written to the system. The file extension is a good indicator of the type of the file.
    • If you see a large number of .dll and .exe files being written to one or more directories, you are probably seeing software installation activity.
    • If you see file names that look randomly generated, or sequentially incrementing names, this is a good indicator that the content is dynamically generated.
    • If you group by file prevalence (the number of computers on which a file has been seen) and see all zeroes and ones, each file is unique to a single machine, which is a good indicator of dynamically generated content. Sources of dynamically generated files include software deployment tools, compilers, the .NET Framework, patching, or something else.
  9. After you have identified the file activity, write a custom rule to approve or ban the activity.
    • Backup files do not need to be approved, as they never need to run, so you may safely ignore backup activity. Ignoring it means those copies stay unapproved; if the backup location is ever used to restore executables, the restored files will still need approval before they can run.
    • There are several methods for approving software installation activity. See Approval Mechanisms for more information about how software is approved in different workflows.
    • Dynamically generated content can be controlled by using custom rules. See How do I write a custom rule for Cb Protection file activity? for more information about writing custom rules.
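The nine steps above are a manual click-through in the console, but the same filtering, grouping, and classification can be run over an export of the events view. The script below is an added example written for this page, not Cb Protection code or an official tool. It assumes a CSV export with the columns Subtype, File State, Process Name, File Path, User, File Name, and Prevalence (assumed header names), uses constructed sample rows rather than real telemetry, and encodes the heuristics of steps 6 to 8 as hypothetical thresholds and regular expressions that you would tune to your own naming conventions.

```python
import csv
import io
import os
import re
from collections import Counter

# Constructed sample of an events export; none of these rows are real telemetry.
# The column names are an assumption for this example: map them to the headers
# of your own console export if they differ.
SAMPLE_EXPORT = """\
Subtype,File State,Process Name,File Path,User,File Name,Prevalence
New unapproved file to computer,Unapproved,msiexec.exe,C:\\Program Files\\AcmeApp,CORP\\alice,acme.exe,3
New unapproved file to computer,Unapproved,msiexec.exe,C:\\Program Files\\AcmeApp,CORP\\alice,acmecore.dll,3
New unapproved file to computer,Unapproved,msiexec.exe,C:\\Program Files\\AcmeApp,CORP\\bob,acmeui.dll,3
New unapproved file to computer,Unapproved,msiexec.exe,C:\\Program Files\\AcmeApp\\plugins,CORP\\bob,plug.dll,3
New unapproved file to computer,Unapproved,csc.exe,C:\\Windows\\Temp,NT AUTHORITY\\SYSTEM,a1b2c3d4.dll,1
New unapproved file to computer,Unapproved,csc.exe,C:\\Windows\\Temp,NT AUTHORITY\\SYSTEM,9f8e7d6c.dll,0
New unapproved file to computer,Unapproved,csc.exe,C:\\Windows\\Temp,NT AUTHORITY\\SYSTEM,0badf00d.dll,1
New unapproved file to computer,Unapproved,bkagent.exe,D:\\Backups\\alice\\Documents,NT AUTHORITY\\SYSTEM,report.docx,2
New unapproved file to computer,Unapproved,bkagent.exe,D:\\Backups\\bob\\Pictures,NT AUTHORITY\\SYSTEM,cat.exe,1
New unapproved file to computer,Unapproved,bkagent.exe,D:\\Backups\\carol\\Projects\\x,NT AUTHORITY\\SYSTEM,build.ps1,2
Discovered file,Approved,explorer.exe,C:\\Users\\alice,CORP\\alice,notes.txt,5
"""

# Hypothetical patterns standing in for "what a service account or a generated
# file name looks like" in your environment; tune them to your own conventions.
SERVICE_ACCOUNT = re.compile(r"NT AUTHORITY\\|^LocalSystem$|svc|service|backup", re.IGNORECASE)
RANDOM_NAME = re.compile(r"^[0-9a-f]{8,}\.", re.IGNORECASE)   # hex-looking stem
SEQUENTIAL_NAME = re.compile(r"\d{2,}\.\w+$")                  # numeric suffix
BINARY_EXT = {".exe", ".dll"}


def load_events(export_text):
    """Parse a CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(export_text)))


def unapproved_new_files(events):
    """Steps 1-2: keep only new, unapproved file arrivals."""
    return [e for e in events
            if e["Subtype"] == "New unapproved file to computer"
            and e["File State"] == "Unapproved"]


def events_by_process(events):
    """Steps 2-3: group by Process Name, busiest process first."""
    groups = {}
    for e in events:
        groups.setdefault(e["Process Name"], []).append(e)
    return sorted(groups.items(), key=lambda kv: len(kv[1]), reverse=True)


def classify(events):
    """Steps 5-8 for one process: decide what kind of activity the writes are."""
    n = len(events)
    paths = Counter(e["File Path"] for e in events)
    users = {e["User"] for e in events}
    names = [e["File Name"] for e in events]
    prevalence = [int(e["Prevalence"]) for e in events]

    # Steps 6-7: many unrelated destinations, all written by a system/service account.
    scattered = len(paths) / n >= 0.7
    if scattered and all(SERVICE_ACCOUNT.search(u) for u in users):
        return "backup"
    # Step 8: random or sequential names, or every file seen on at most one computer.
    odd_names = sum(1 for f in names if RANDOM_NAME.match(f) or SEQUENTIAL_NAME.search(f))
    if odd_names / n >= 0.8 or all(p <= 1 for p in prevalence):
        return "dynamically generated"
    # Step 8: executables and libraries landing in one or a few directories.
    binaries = sum(1 for f in names if os.path.splitext(f)[1].lower() in BINARY_EXT)
    if binaries / n >= 0.5 and len(paths) <= max(2, n // 2):
        return "software install"
    return "unclassified"


def triage(export_text):
    """Run the whole procedure; one summary dict per process, busiest first."""
    events = unapproved_new_files(load_events(export_text))
    summary = []
    for proc, evs in events_by_process(events):
        top_path, _ = Counter(e["File Path"] for e in evs).most_common(1)[0]
        summary.append({"process": proc, "events": len(evs),
                        "top_path": top_path, "verdict": classify(evs)})
    return summary


if __name__ == "__main__":
    for row in triage(SAMPLE_EXPORT):
        print(f"{row['process']:<12}{row['events']:>3} events  {row['verdict']:<22} {row['top_path']}")
```

Running it prints one line per process with its verdict and busiest destination directory. The verdict maps onto the three responses in step 9 (ignore backup activity, approve installs through an approval mechanism, control generated content with a custom rule), and top_path is the directory a path-based custom rule would reference. Treat the output as a shortlist to confirm in the console, not as a final decision: the thresholds are deliberately simple and a compiler writing as a user account, or a backup agent copying executables, can land on the wrong side of them.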
Last modified May 5, 2017