aledipas
Cisco Employee

Hello Everyone,

This script was designed to make up for the changes made to the history.db file after v5.0 was released. The goal is to help you identify what A4E is scanning in order to determine the best exclusions for your environment.

The attached bash script will allow you to convert your *debug* sfc.exe.log and sfc.exe_DATE_TIMESTAMP.log files to a CSV file. This CSV can then be used to see the following data:

1. Timestamp of when a file was scanned.

2. The path+filename of the scanned file.

3. The path+filename of the parent process.

When you run the script it will output the most active processes by count to the terminal. The list of scanned files will be located in the 'data.csv' file.

In order to use the script simply extract it to the same location as your log files and make it executable (chmod +x).

Run the script on its own with './handle_count.sh' without the quotes.

Depending on how many log files you have, it may be quick or take a couple of minutes. Remember that the more log files you have, the better picture you will have of the activity on the system.

This script has been tested internally and works on Ubuntu, Ubuntu on Windows 10, and OSX. It is also *unsupported* by TAC.

Thanks!
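As an added example (not the attached script), the helper below reads the three-column data.csv described above and reports the parent processes and the directories that generate the most scans, which is the information used to pick exclusion candidates. The header row, the column order (timestamp, scanned path, parent process) and comma-free POSIX-style paths are assumptions; adjust the awk field numbers to match your data.csv.

```shell
#!/usr/bin/env bash
# Summarise a data.csv of scanned files (timestamp,scanned_path,parent_process).
# Assumptions: first row is a header, fields contain no commas, paths use '/'.
set -eu

# Writes a constructed sample data.csv (not real A4E output) to the path in $1.
make_sample_csv() {
  cat > "$1" <<'EOF'
timestamp,scanned_path,parent_process
2020-01-01 10:00:01,/var/lib/app/cache/a.tmp,/usr/bin/app
2020-01-01 10:00:02,/var/lib/app/cache/b.tmp,/usr/bin/app
2020-01-01 10:00:03,/var/lib/app/cache/c.tmp,/usr/bin/app
2020-01-01 10:00:04,/home/user/doc.txt,/usr/bin/vim
2020-01-01 10:00:05,/var/log/app.log,/usr/bin/app
EOF
}

# Top $2 parent processes by number of files scanned, as "count<TAB>parent".
top_parents() {
  tail -n +2 "$1" \
    | awk -F',' '{ c[$3]++ } END { for (p in c) print c[p] "\t" p }' \
    | sort -rn | head -n "$2"
}

# Top $2 directories by scans (dirname of scanned_path), as "count<TAB>dir".
# Directories that dominate this list are the usual exclusion candidates.
top_dirs() {
  tail -n +2 "$1" \
    | awk -F',' '{ d = $2; sub(/\/[^\/]*$/, "", d); c[d]++ }
                 END { for (p in c) print c[p] "\t" p }' \
    | sort -rn | head -n "$2"
}

# Stand-alone usage: summarise an existing data.csv (or the sample if absent).
if [ "${1:-}" = "--demo" ]; then
  csv=$(mktemp); make_sample_csv "$csv"
  echo "Most active parent processes:"; top_parents "$csv" 5
  echo "Most scanned directories:";     top_dirs "$csv" 5
  rm -f "$csv"
fi
```

Run it as `./summarise.sh --demo` for the sample, or source it and call `top_parents data.csv 10` against a real export.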

Comments
Eagle117_2
Level 1

Attached is a PowerShell version of the same process for those on Windows without the Linux subsystem.

Rename to .ps1 and run with PowerShell
