Agent file exclusion list for Macs

I'm wondering if any of you have recommendations for file exclusions to put in the agent config on Mac computers? We see a lot of JavaScript (.js) files getting reported along with some shell scripts and Perl files, etc. We probably don't need to include those.

 

Is anybody willing to share their list of file exclusions for Macs? It would be nice to get some real-world advice from you experts.

 

UPDATE: We did a bit of digging and can see a couple of detection rules for macOS that identify software based on the .js file extension. So perhaps we need to keep that, but it would be useful to know what exclusions people are using in their Mac agent configs.

 

Thanks!


  • I ran a query to see what file extensions apart from EXE are currently involved in detecting apps:

    SELECT DISTINCT *
    FROM tblApplication ta
    INNER JOIN tblSoftwareApplicationMap sam ON sam.ApplicationID = ta.ApplicationID
    WHERE sam.SoftwareCheckSum IN (
      SELECT SoftwareCheckSum
      FROM tblSoftware
      WHERE SoftwareCheckSum IN (
        SELECT DISTINCT SoftwareCheckSum FROM tblSoftwareApplicationMap
      )
      AND IsRegistry = 0 AND OSType = 0
      -- extension = text after the last '.' in ExecutablePath
      AND LOWER(RIGHT(ExecutablePath, CHARINDEX('.', REVERSE(ExecutablePath)) - 1)) <> 'exe'
    )

     

    It is very interesting because most of the 3,300 records this query brings back are just pointing to applications that I am not sure are really needed ... could removing them positively impact our DUJ times? Here is the list, all those apps are called "x - Some Name"

    • x - Microsoft Application Components 2
    • x - Microsoft Visual C Components 1
    • x - Microsoft Visual Studio Components
    • x - Filtered Citrix Components 3
    • x - Various Installers
    • x - Filtered File Extensions
    • x - Incorrect Flagged Windows Rows
    • x - Microsoft Visual Studio Components 2
    • x - Microsoft Visual C Components
    • x - Microsoft Application Components 7
    • x - Various Filtered Applications
    • x - Various Temporary Files
    • x - Microsoft Utilities & Drivers

     

    My conclusion is that if the detection is 99.998% based on EXE files, could we reduce the scope of the Windows agent to only look for EXE files? Anything else really needed could be the object of a PS1 custom script maybe.

     

    Is anyone else finding something similar?

    • So ... is the purpose of all the hidden 'x - rules' just to make sure those items don't appear under 'unassigned software'? That's what I'm thinking...

      • Are those files really an annoyance if they show up in the Unassigned Software list?

        This list is massive anyway :D So a few more or a few less would not really matter to me.

        I would prefer to have a faster DUJ than hiding a few files under the rug ...

      • It could be a very big list ;-) Looking at those rules, including utilities and drivers, application components, etc... there could be a huge volume of these. I mean really, really big. So I wonder if the list of unassigned software would be orders of magnitude bigger otherwise. Reading up on the recent SRS issue Snow said that the DUJ takes longer if the list of unassigned software is bigger, so these hidden rules might be speeding the DUJ up rather than slowing it down (except the complete ruleset perhaps).

