
Rules for file system scan

Based on the contents of the Software element in the agent configuration file, the agent creates a ruleset determining what parts of the file system to include in the scan.

Description

The agent creates the ruleset for the file system scan according to the following:

  1. The agent checks for content in Software/Include.

    1. If no include path is specified:

      • Linux, Unix, and macOS: no ruleset is created, and no files will be included in the scan. The procedure is terminated and will not continue with steps 2 and 3.

      • Windows: all local drives are added to the ruleset and represent starting points for the scan. The procedure continues with step 3.

    2. If one or more include paths are specified, each path is added to the ruleset and represents a starting point for the scan.

      The paths must be specified according to the rules for include paths.

    3. Any content that does not begin with a drive letter (c:) or root (/), does not include a path separator (\ or /), and includes a wildcard is interpreted as a file name extension and is placed in the global extension list.

  2. If at least one complete include path has been specified, the agent checks for content in the global extension list. The content, if any, is added to the endpoints of each path in the ruleset created in step 1.

  3. The agent checks for content in Software/Exclude. Any specified exclude paths are added to the ruleset created in steps 1 and 2.

    The paths must be specified according to the rules for exclude paths.

The agent traverses the file system in accordance with the created ruleset. Beginning from each defined starting point, it scans the locations specified by the include path and any added global extensions, skipping locations specified by any matching exclude path.

Rules for include paths

An include path:

  • Must be an absolute path, that is, begin with a drive letter (c:, d: etc.) or root (/).

  • Can include a wildcard: '*'

    • At most one wildcard may be used per directory.

    • Exactly one wildcard must be used in file names. If the wildcard is not included, it will not be treated as a file name.

  • Is by default not recursive.

    To make the include path recursive, use <Path recursive="true">.

Example 11. Examples of include paths
  1. c:\Windows is the same as c:\Windows\*

  2. c:\program files\*

  3. c:\ is the same as c:\*

  4. /usr/local is the same as /usr/local/*

  5. /usr/*/bin is the same as /usr/*/bin/*

  6. /folder1/folder2 is the same as /folder1/folder2/*, while /folder1/folder2* means all files beginning with folder2 in /folder1.

  7. Recursive versus non-recursive include path:

    <Path recursive="true">/folder1/folder2 will result in the subdirectories of /folder1/folder2 being scanned.

    /folder1/folder2 will only result in /folder1/folder2 being scanned, not the subdirectories of /folder1/folder2.



Rules for exclude paths

Exclude paths follow the same rules as include paths, with the following exceptions:

  • An exclude path does not have to be an absolute path; the drive letter (c:, d: etc.) or root (/) at the beginning of the path can be replaced with a wildcard '*'.

  • Exclude paths are recursive by default.

  • An exclude path can be configured to be matched against the entire path instead of at a per-directory or file level; see Enable pattern matching on the entire path.

Just as for include paths, exclude paths can specify file name patterns like *.dll.

Example 12. Examples of include paths in combination with exclude paths
  1. Include path: /folder1/folder2/*

    Exclude path: /folder1/folder2/a

    Result: The entire directory /folder1/folder2/a will be excluded, but any other directory under /folder1/folder2/ will be included.

  2. Include path: /folder1/*/folder2

    Exclude path: /folder1/b/folder2

    Result: /folder1/a/folder2 and /folder1/c/folder2 will be included, but not /folder1/b/folder2.

  3. Include path: <Path recursive="true">/folder1

    Exclude path: /folder1/*/folder2

    Result: /folder1/a/folder2 and /folder1/c/folder2 will be excluded while /folder1/a/a and /folder1/b/b will be included.

  4. Include path: <Path recursive="true">/folder1/folder2

    Exclude path: /folder1/folder2/*.py

    Result: *.py files within /folder1/folder2 and its subfolders will be excluded.



Enable pattern matching on the entire path

Using pattern matching can be useful if, for example, all directories having the same name should be excluded, regardless of their location.

To enable pattern matching, add the prefix exp: to the exclude path. Examples:

  • exp:*\install*

  • exp:/folder1/folder2/*

The wildcard '*' means "match zero or more occurrences of any character". It can be used any number of times in the expression.

All other characters are matched either case-sensitive (Linux) or case-insensitive (macOS and Windows), depending on the operating system.

When the feature is enabled the recursive option is redundant since pattern matching applies to the entire path.

Note

  • Enabling this feature will reduce the speed of the scan. For example, using pattern matching exclusively to determine what is to be scanned may have a high impact on the scan time. It is recommended to use pattern matching in combination with include paths.

  • Wildcards and the placement of '/' and '\' are important; */install*, /*install/*, and */install overlap, but do not match the same paths. Remember that the pattern matches against the entire path.

Example 13. Examples of pattern matching on the entire path
  1. exp:*\install\* will exclude all files and folders in any path that has a directory named "install", such as c:\company_name\install\application.exe

  2. exp:*\install* will exclude all files and folders in any path that has a directory beginning with the word "install", such as c:\company_name\install files\application.exe, as well as c:\a\b\install.exe
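
The following Python sketch is an added example, not the agent's own code. It models exp: matching as described above, treating '*' as the only special character and assuming the pattern must match the entire path, so that candidate exclude patterns can be compared against sample paths before deployment. The function names and the sample paths are constructed for illustration.

```python
import re

def compile_exp(pattern, case_sensitive):
    """Translate an 'exp:' exclude pattern into an anchored regex.

    Only '*' is special (zero or more of any character); every other
    character, including '\\' and '/', is matched literally.
    """
    if not pattern.startswith("exp:"):
        raise ValueError("not an exp: pattern")
    body = pattern[len("exp:"):]
    regex = ".*".join(re.escape(part) for part in body.split("*"))
    flags = re.DOTALL | (0 if case_sensitive else re.IGNORECASE)
    return re.compile(regex, flags)

def excluded(path, pattern, case_sensitive=True):
    """True if the pattern matches the entire path (assumed semantics).

    case_sensitive=True models Linux, False models macOS and Windows.
    """
    return compile_exp(pattern, case_sensitive).fullmatch(path) is not None

def coverage(patterns, paths, case_sensitive=True):
    """Map each pattern to the set of sample paths it would exclude."""
    return {p: {x for x in paths if excluded(x, p, case_sensitive)}
            for p in patterns}

# Constructed sample paths, not taken from a real system.
SAMPLE_PATHS = [
    "/opt/install",
    "/opt/install/setup.sh",
    "/opt/installer/setup.sh",
    "/opt/preinstall/setup.sh",
    "/opt/Install/setup.sh",
]
# The three overlapping patterns from the Note above.
NOTE_PATTERNS = ["exp:*/install*", "exp:/*install/*", "exp:*/install"]

if __name__ == "__main__":
    for pat, hits in coverage(NOTE_PATTERNS, SAMPLE_PATHS).items():
        print(pat, sorted(hits))
```

Running it shows which sample paths each of the three patterns removes from the scan, which makes an exclude that is broader or narrower than intended visible at a glance.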



Global extension list

Any content in Software/Include that does not begin with a drive letter (c:) or root (/), does not include a path separator (\ or /), and includes a wildcard is considered to be a file name extension and is placed in the global extension list. The contents of the global extension list are applied to each include path endpoint.

Specifying a file name extension pattern causes paths, such as /a/*, to no longer include all files, but only those that have any of the specified file extensions. The exception to this rule is an extension/wildcard in a path, like /folder1/folder2/*.py, which adds all .py-files in /folder1/folder2.

Example 14. Examples of file name extensions
  1. *.py

  2. *.exe

  3. *abc.txt: files ending in "abc.txt"

  4. def*: files beginning with "def"
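
The include-path rules and the global extension list can be checked together before a configuration is rolled out. The Python sketch below is an added example, not the agent's own code: it classifies Software/Include entries by the rules stated on this page and applies steps 1 and 2 of the procedure. The function names, the "<all local drives>" placeholder, and the dir/*.ext display form for an extension applied to an endpoint are assumptions made for illustration.

```python
import re

DRIVE = re.compile(r"^[A-Za-z]:")

def classify_include(entry):
    """Classify one Software/Include entry by the rules stated on this page.

    Returns (kind, value): kind is 'extension', 'directory', 'file-pattern'
    or 'invalid'; value is the normalized pattern or the reason.
    """
    drive = DRIVE.match(entry)
    if not (drive or entry.startswith("/")):
        # Step 1.3: not absolute, no path separator, contains a wildcard.
        if "*" in entry and "/" not in entry and "\\" not in entry:
            return ("extension", entry)
        return ("invalid", "include path must be absolute")
    rest = entry[drive.end():] if drive else entry
    parts = [p for p in re.split(r"[\\/]", rest) if p]
    if any(p.count("*") > 1 for p in parts):
        return ("invalid", "more than one wildcard in one path component")
    if parts and parts[-1] == "*":
        return ("directory", entry)            # already written as dir/*
    if parts and "*" in parts[-1]:
        return ("file-pattern", entry)         # e.g. /folder1/folder2*
    sep = "\\" if "\\" in entry else "/"
    return ("directory", entry.rstrip("/\\") + sep + "*")

def build_includes(entries, platform):
    """Steps 1 and 2: starting points, then global extensions on endpoints.

    Returns None when no ruleset is created (no include path on Linux,
    Unix or macOS). Invalid entries are dropped here; the page does not
    say how the agent reports them.
    """
    kinds = [classify_include(e) for e in entries]
    paths = [(k, v) for k, v in kinds if k in ("directory", "file-pattern")]
    exts = [v for k, v in kinds if k == "extension"]
    if not paths:
        # Windows: all local drives, then straight to step 3 (excludes).
        return ["<all local drives>"] if platform == "windows" else None
    rules = []
    for kind, value in paths:
        if kind == "directory" and exts:
            rules += [value[:-1] + ext for ext in exts]   # /a/* -> /a/*.py
        else:
            rules.append(value)                # explicit file pattern is kept
    return rules
```

A return value of None from build_includes flags the case where only extensions were configured on Linux, Unix or macOS and the agent would scan nothing.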