Search Endpoints for a File, Folder, or Registry Key
To perform a centralized search for a system file, folder, or registry key on a Windows endpoint, use the Agent Query.
- Create a new query.
- From the ESM Console, select PoliciesForensicsAgent Query.
- Add a new query.
- Configure one or more search parameters for the query.
When multiple search parameters are specified, Traps will return
a result if the search matches any of the parameters.
- Select the search parameters, either a File name, Folder name, or Registry Key name.
- Enter the matching search value, and then click Add.Optionally, you can use wildcards in the last portion of the file or folder name path, for example: C:\Temp\*.txt
- Repeat as needed to enter multiple search criteria.
- (Optional) Add conditions to the query.Conditions specified here can restrict the scope of the query by sending it to only endpoints that match or do not match the condition.
- From the Conditions tab, select the condition in the Conditions list and click Add next to the appropriate include or exclude condition list.
- Repeat to add more conditions, if desired.
- (Optional) Define the target objects to which
to apply the query. By default, the ESM server sends the query to
all endpoints in your organization.Like conditions, target objects can decrease the scope of a query by targeting specific Users, Computers, Groups, Organizational Unit, or Existing Endpoints.Select the Objects tab, and then enter one or more target objects in the Include or Exclude areas. The Endpoint Security Manager queries Active Directory to verify the users, computers, groups, or organizational units or identifies existing endpoints from previous communication messages.
- (Optional) Review the rule name and description.
The ESM Console automatically generates the rule name and description
based on the rule details but permits you to change these fields,
if needed.To override the autogenerated name, select the Name tab, clear the Activate automatic description option, and then enter a rule name and description of your choice.
- Save the query.Do either of the following:
- Save the query without activating it. When you are ready to run the query, select the rule from the PoliciesForensicsAgent Query page and then click Activate.
- Apply the query to run it immediately.
- Review the results of the query.Although the Agent Query searches in real-time, the ESM Console does not automatically refresh the page with the query results. As a result, you must refresh the page to view the current results.
Agent Query Flow
Agent Query Flow After you create an agent query to Search Endpoints for a File, Folder, or Registry Key , the ESM Server sends the ...
Agent Query Use the Agent Query to search your Windows endpoints for a system file, folder, or registry key. Each query runs in real-time as ...
View the Results of an Agent Query
View the Results of an Agent Query The Agent Query page displays all saved and applied queries and enables you to review results for applied ...
Create a Forensics Rule
Create a Forensics Rule Create a forensics rule to define memory dump and forensics collection preferences. Configure a new forensics rule. Select Policies Forensics Management ...
Manage Service Protection
Manage Agent Tampering Protection Agent tampering protection allows you to protect the Traps agents running on your endpoints. For flexible, granular control over agent tampering ...
Define Communication Settings Between the Agent and the ESM...
Define Communication Settings Between the Agent and the ESM Server By default, the Traps agent applies a No Connection policy to all unknown executable files ...
Define Memory Dump Preferences
Define Memory Dump Preferences When a protected process crashes or terminates abnormally, Traps records information about the event including the contents of memory locations and ...
Uninstall or Upgrade Traps on the Endpoint
Uninstall or Upgrade Traps on the Endpoint Create a new agent actions rule to uninstall Traps from the target objects or upgrade Traps using software ...
Define Child Process Restrictions
Define Child Process Restrictions The child process restriction rule is supported in Traps 3.4 and earlier releases. To restrict child processes on endpoints running Traps ...