After you create an agent query to Search
Endpoints for a File, Folder, or Registry Key, the ESM Server
sends the query in the form of a one-time action rule at the next
heartbeat communication with the agent. If the query contains target
objects and/or conditions, the ESM Server sends the query to only those
endpoints that match the target objects and conditions. If you did
not specify any target objects or conditions, the ESM Server sends
the query to all endpoints.
When the Traps agent receives the query, it immediately searches
the endpoint for the filename, folder, and/or registry key on the
local endpoint. If the query contains multiple search parameters,
Traps evaluates the queries separately and reports a match if it
finds any of the search criteria. In the case of a matching system
file, the Traps agent also captures metadata about the file. The
Traps agent then sends the information to the ESM Server at the
next heartbeat communication.