cancel
Showing results for 
Search instead for 
Did you mean: 
Create Post
Level 10

Exclude items from Baseline

So we have Sophos on all all our servers, and as the virus defs are updated it actually throws in as a software update which means every time the virus defs are updated it shows up as a baseline change, which means it's really hard to keep track of baselines. It doesn't seem to update the software version number, just the InstallDate.  Is there a way to exclude stuff like this from Baseline changes?  I don't want to exclude that software entirely, because we want to know when the software is actually upgraded or uninstalled or something, just when the Version doesn't change.

pastedImage_0.png

Does it make sense to change the SW Inventory to exclude it

SELECT [Name]

,[Publisher]

,[Version]

,[InstallDate]

FROM Orion.AssetInventory.Software data

JOIN Orion.AssetInventory.Polling polling ON polling.NodeID = data.NodeID

WHERE data.NodeID=${NodeId}

ORDER BY data.Name, data.Publisher, data.InstallDate, data.Version

WHERE Name<>"Sophos Virus Removal Tool"

and make a new one that is ONLY Sophos that does not pull the InstallDate?

SELECT [Name]

,[Publisher]

,[Version]

FROM Orion.AssetInventory.Software data

JOIN Orion.AssetInventory.Polling polling ON polling.NodeID = data.NodeID

WHERE data.NodeID=${NodeId}

ORDER BY data.Name, data.Publisher, data.InstallDate, data.Version

WHERE Name="Sophos Virus Removal Tool"

2 Replies
Level 12

  1. Run this against your Orion database:
     INSERT INTO [dbo].[SCM_QueryElement_ExclusionRules]
              ([NodeID]
              ,[ProfileName]
              ,[ElementDisplayAlias]
              ,[ExclusionFilter]
              ,[ColumnsToExclude]
              ,[Active])
        VALUES
              (NULL
              ,'SW inventory'
              ,'Software Installed'
              ,''
              ,'InstallDate'
              ,1)
  2. Force poll now for all relevant nodes
  3. Wait until poll now proceeds
  4. Redefine baselines

After step 2 you will see massive changes in "Software Installed" elements because the column InstallDate was removed ...

pastedImage_2.png

... but since this should not the InstallDate changes bother you.

In case that by the issue suffers really just the antivirus, then you can use a rule with more specific filter:

INSERT INTO [dbo].[SCM_QueryElement_ExclusionRules]
          ([NodeID]
          ,[ProfileName]
          ,[ElementDisplayAlias]
          ,[ExclusionFilter]
          ,[ColumnsToExclude]
          ,[Active])
    VALUES
          (NULL
          ,'SW inventory'
          ,'Software Installed'
          ,'Name = ''Sophos Virus Removal Tool'''
          ,'InstallDate'
          ,1)

Hope it helps

T.

0 Kudos

I would prefer to make exclusions via the UI on anything I fill is just noise.

0 Kudos