How to manually check Blacklisted and Greylisted modules in the NetWitness Endpoint SQL Database
Issue
The customer is checking the NetWitness Endpoint UI and comparing its data with the SQL DB. The customer gets a different count of Blacklisted and Greylisted modules in their environment, even after clearing the NetWitness Endpoint UI cache.
Tasks
Run the SQL query below to check the Blacklisted and Greylisted modules in the NetWitness Endpoint SQL DB.
Resolution
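How to check Blacklisted modules in the SQL DB:
Note: The SQL query below lists all Blacklisted modules in the environment. Because it filters on BiasStatus IN (-2, -1), it also returns Greylisted modules; the ModuleStatus column shows which is which.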
-- BiasStatus values used here: -1 = GreyListed, -2 = BlackListed
SELECT [mo].[PK_Modules],
       CASE
           WHEN [mbs].[BiasStatus] = -1 THEN 'GreyListed'
           WHEN [mbs].[BiasStatus] = -2 THEN 'BlackListed'
       END AS [ModuleStatus],
       [BlacklistCategory],
       [fn].[FileName] AS [FirstSeenFileName],
       [mo].[HashSHA256],
       [mo].[MarkedAsDeleted]
FROM [dbo].[Modules] AS [mo]
-- Bias status assigned to each module
INNER JOIN [dbo].[ModuleBiasStatus] AS [mbs] ON [mo].[PK_Modules] = [mbs].[FK_Modules]
-- File name under which the module was first seen
INNER JOIN [dbo].[FileNames] AS [fn] ON [mo].[FK_FileNames__FirstSeen] = [fn].[PK_FileNames]
WHERE [mbs].[BiasStatus] IN (-2, -1);
Sample Result below
Notes
The Blacklisted and Greylisted modules shown are samples only and were tested in a lab for demo purposes.
Product Details
Sometimes the NetWitness Endpoint UI does not show accurate information, and the cache needs to be cleared to resolve it. If customers want to validate the accuracy of the data displayed in the NetWitness Endpoint UI against the data in the SQL database, they can run a SQL query on the database to compare the two.
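Since the issue is a mismatch in counts, the following added example (not part of the original article or the product's own tooling) aggregates the same tables into one row per status and MarkedAsDeleted value, so the totals can be compared directly with the UI. It uses only the tables and columns from the query above; whether the UI includes modules flagged MarkedAsDeleted in its counts is an assumption to verify, not something this article states.

```sql
-- Added example: counts per bias status, split by the MarkedAsDeleted flag.
-- Read-only; uses only tables and columns that appear in the listing query.
-- The FileNames join is left out on purpose so that a module without a
-- matching first-seen file name row is still counted.
SELECT
    CASE [mbs].[BiasStatus]
        WHEN -1 THEN 'GreyListed'
        WHEN -2 THEN 'BlackListed'
    END AS [ModuleStatus],
    [mo].[MarkedAsDeleted],
    -- Rows returned by the join (what the listing query would show)
    COUNT(*) AS [StatusRows],
    -- Unique modules; differs from StatusRows if a module has several status rows
    COUNT(DISTINCT [mo].[PK_Modules]) AS [DistinctModules]
FROM [dbo].[Modules] AS [mo]
INNER JOIN [dbo].[ModuleBiasStatus] AS [mbs]
    ON [mo].[PK_Modules] = [mbs].[FK_Modules]
WHERE [mbs].[BiasStatus] IN (-2, -1)
GROUP BY [mbs].[BiasStatus], [mo].[MarkedAsDeleted]
ORDER BY [mbs].[BiasStatus], [mo].[MarkedAsDeleted];
```

If the sum of StatusRows is lower in the listing query than here, the difference comes from modules dropped by the INNER JOIN to FileNames.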