Exclude items from Baseline

So we have Sophos on all our servers, and as the virus defs are updated it actually throws in as a software update, which means every time the virus defs are updated it shows up as a baseline change, which means it's really hard to keep track of baselines. It doesn't seem to update the software version number, just the InstallDate. Is there a way to exclude stuff like this from Baseline changes? I don't want to exclude that software entirely, because we want to know when the software is actually upgraded or uninstalled or something, just when the Version doesn't change.

Does it make sense to change the SW Inventory to exclude it

SELECT [Name]
,[Publisher]
,[Version]
,[InstallDate]
FROM Orion.AssetInventory.Software data
JOIN Orion.AssetInventory.Polling polling ON polling.NodeID = data.NodeID
WHERE data.NodeID=${NodeId}
AND data.Name<>'Sophos Virus Removal Tool'
ORDER BY data.Name, data.Publisher, data.InstallDate, data.Version

and make a new one that is ONLY Sophos that does not pull the InstallDate?

SELECT [Name]
,[Publisher]
,[Version]
FROM Orion.AssetInventory.Software data
JOIN Orion.AssetInventory.Polling polling ON polling.NodeID = data.NodeID
WHERE data.NodeID=${NodeId}
AND data.Name='Sophos Virus Removal Tool'
ORDER BY data.Name, data.Publisher, data.InstallDate, data.Version

    1. Run this against your Orion database:
       INSERT INTO [dbo].[SCM_QueryElement_ExclusionRules]
                ([NodeID]
                ,[ProfileName]
                ,[ElementDisplayAlias]
                ,[ExclusionFilter]
                ,[ColumnsToExclude]
                ,[Active])
          VALUES
                (NULL
                ,'SW inventory'
                ,'Software Installed'
                ,''
                ,'InstallDate'
                ,1)
    2. Force poll now for all relevant nodes
    3. Wait until poll now proceeds
    4. Redefine baselines

    After step 2 you will see massive changes in "Software Installed" elements because the column InstallDate was removed ...

    ... but from then on, InstallDate changes should not bother you.

    If only the antivirus suffers from the issue, you can use a rule with a more specific filter:

    INSERT INTO [dbo].[SCM_QueryElement_ExclusionRules]
              ([NodeID]
              ,[ProfileName]
              ,[ElementDisplayAlias]
              ,[ExclusionFilter]
              ,[ColumnsToExclude]
              ,[Active])
        VALUES
              (NULL
              ,'SW inventory'
              ,'Software Installed'
              ,'Name = ''Sophos Virus Removal Tool'''
              ,'InstallDate'
              ,1)

    Hope it helps

    T.
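
A small Python model of the trade-off between the two rules in the answer above, added here as an example and not taken from the thread or from SolarWinds. It assumes the exclusion simply drops the listed columns from rows matching the filter before two polls are compared; the inventory rows, versions and the `ExampleAgent` package are constructed. With the empty filter, a same-version reinstall of any other package is also hidden, while the Sophos-scoped rule still reports it.

```python
# Simplified model of a baseline comparison with column exclusions.
# Not SolarWinds code; all inventory rows below are constructed sample data.

def normalize(rows, columns_to_exclude, row_filter=None):
    """Drop excluded columns from rows matching row_filter (None = all rows)."""
    out = set()
    for row in rows:
        applies = row_filter is None or row_filter(row)
        kept = {k: v for k, v in row.items()
                if not (applies and k in columns_to_exclude)}
        out.add(tuple(sorted(kept.items())))
    return out

def changed_names(baseline, current, columns_to_exclude=(), row_filter=None):
    """Names of software whose normalized row differs between two polls."""
    a = normalize(baseline, columns_to_exclude, row_filter)
    b = normalize(current, columns_to_exclude, row_filter)
    return sorted({dict(r)["Name"] for r in a ^ b})

SOPHOS = "Sophos Virus Removal Tool"

def row(name, version, install_date):
    return {"Name": name, "Publisher": "constructed", "Version": version,
            "InstallDate": install_date}

BASELINE = [row(SOPHOS, "2.5", "2019-03-01"),
            row("ExampleAgent", "1.0", "2019-01-10")]
# Next poll: Sophos definitions refreshed (InstallDate only) and ExampleAgent
# reinstalled at the same version (InstallDate only).
DEFS_UPDATE = [row(SOPHOS, "2.5", "2019-03-02"),
               row("ExampleAgent", "1.0", "2019-03-02")]
# Later poll: Sophos really upgraded, nothing else touched.
UPGRADE = [row(SOPHOS, "2.6", "2019-03-05"),
           row("ExampleAgent", "1.0", "2019-01-10")]

def is_sophos(r):
    # Models ExclusionFilter: Name = 'Sophos Virus Removal Tool'
    return r["Name"] == SOPHOS

if __name__ == "__main__":
    excl = {"InstallDate"}
    print("no rule     :", changed_names(BASELINE, DEFS_UPDATE))
    print("global rule :", changed_names(BASELINE, DEFS_UPDATE, excl))
    print("scoped rule :", changed_names(BASELINE, DEFS_UPDATE, excl, is_sophos))
    print("upgrade     :", changed_names(BASELINE, UPGRADE, excl, is_sophos))
```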

  • I would prefer to make exclusions via the UI on anything I feel is just noise.