2 Replies Latest reply on Aug 5, 2019 8:39 AM by cfizz34

    Exclude items from Baseline

    Geoff Smith

      So we have Sophos on all our servers, and as the virus defs are updated it actually throws in as a software update, which means every time the virus defs are updated it shows up as a baseline change, which means it's really hard to keep track of baselines. It doesn't seem to update the software version number, just the InstallDate. Is there a way to exclude stuff like this from Baseline changes? I don't want to exclude that software entirely, because we want to know when the software is actually upgraded or uninstalled or something, just when the Version doesn't change.

      Does it make sense to change the SW Inventory to exclude it

      SELECT [Name]
      ,[Publisher]
      ,[Version]
      ,[InstallDate]
      FROM Orion.AssetInventory.Software data
      JOIN Orion.AssetInventory.Polling polling ON polling.NodeID = data.NodeID
      WHERE data.NodeID=${NodeId}
      AND data.Name<>'Sophos Virus Removal Tool'
      ORDER BY data.Name, data.Publisher, data.InstallDate, data.Version

      and make a new one that is ONLY Sophos that does not pull the InstallDate?

      SELECT [Name]
      ,[Publisher]
      ,[Version]
      FROM Orion.AssetInventory.Software data
      JOIN Orion.AssetInventory.Polling polling ON polling.NodeID = data.NodeID
      WHERE data.NodeID=${NodeId}
      AND data.Name='Sophos Virus Removal Tool'
      ORDER BY data.Name, data.Publisher, data.InstallDate, data.Version

        • Re: Exclude items from Baseline
          tomasv
          1. Run this against your Orion database:
             INSERT INTO [dbo].[SCM_QueryElement_ExclusionRules]
                      ([NodeID]
                      ,[ProfileName]
                      ,[ElementDisplayAlias]
                      ,[ExclusionFilter]
                      ,[ColumnsToExclude]
                      ,[Active])
                VALUES
                      (NULL
                      ,'SW inventory'
                      ,'Software Installed'
                      ,''
                      ,'InstallDate'
                      ,1)
          2. Force poll now for all relevant nodes
          3. Wait until poll now proceeds
          4. Redefine baselines

           

           

          After step 2 you will see massive changes in "Software Installed" elements because the column InstallDate was removed ...

           

          ... but since then the InstallDate changes should not bother you.

          In case it is really just the antivirus that suffers from the issue, you can use a rule with a more specific filter:

          INSERT INTO [dbo].[SCM_QueryElement_ExclusionRules]
                    ([NodeID]
                    ,[ProfileName]
                    ,[ElementDisplayAlias]
                    ,[ExclusionFilter]
                    ,[ColumnsToExclude]
                    ,[Active])
              VALUES
                    (NULL
                    ,'SW inventory'
                    ,'Software Installed'
                    ,'Name = ''Sophos Virus Removal Tool'''
                    ,'InstallDate'
                    ,1)

           

          Hope it helps

          T.
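
A simplified model of the two exclusion rules in the reply above, added here as an illustration and not taken from the thread or from SolarWinds code. It assumes a rule drops the ColumnsToExclude from rows matching the ExclusionFilter before comparison with the baseline; the "Example Agent" package, versions and dates are constructed. It shows that both rules silence definition updates and still report a Version change, while only the Sophos-scoped rule still reports a same-version reinstall of other software.

```python
# Simplified model of an exclusion rule; not SolarWinds SCM code.
# Assumption: a rule drops ColumnsToExclude from rows matching the filter
# before the current state is compared with the baseline.
SOPHOS = "Sophos Virus Removal Tool"

def apply_rule(rows, name_filter, excluded):
    """name_filter=None models an empty ExclusionFilter (every row matches)."""
    out = {}
    for r in rows:
        if name_filter is None or r["Name"] == name_filter:
            r = {k: v for k, v in r.items() if k not in excluded}
        out[r["Name"]] = r
    return out

def drift(baseline, current, name_filter=None, excluded=()):
    """Names whose compared columns differ, or that were added or removed."""
    b = apply_rule(baseline, name_filter, excluded)
    c = apply_rule(current, name_filter, excluded)
    return sorted(n for n in b.keys() | c.keys() if b.get(n) != c.get(n))

def row(name, version, install_date):
    return {"Name": name, "Version": version, "InstallDate": install_date}

# Constructed snapshots: "Example Agent", all versions and all dates are made up.
AGENT = row("Example Agent", "1.0", "2019-06-01")
BASELINE = [row(SOPHOS, "2.7", "2019-07-01"), AGENT]
DEFS_UPDATE = [row(SOPHOS, "2.7", "2019-08-01"), AGENT]   # only InstallDate moved
UPGRADE = [row(SOPHOS, "2.8", "2019-08-01"), AGENT]       # Version changed
REINSTALL = [row(SOPHOS, "2.7", "2019-08-01"),
             row("Example Agent", "1.0", "2019-08-02")]   # other package reinstalled

GLOBAL = dict(name_filter=None, excluded={"InstallDate"})    # rule with ExclusionFilter ''
SCOPED = dict(name_filter=SOPHOS, excluded={"InstallDate"})  # rule with the Name filter

if __name__ == "__main__":
    cases = [("defs update", DEFS_UPDATE), ("upgrade", UPGRADE), ("reinstall", REINSTALL)]
    for label, snap in cases:
        print(label,
              "| no rule:", drift(BASELINE, snap),
              "| global:", drift(BASELINE, snap, **GLOBAL),
              "| scoped:", drift(BASELINE, snap, **SCOPED))
```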