03-22-2023 05:00 AM
We are having replication issues across the domain controllers, and Microsoft is suspecting it's an issue with Cortex and they want the below files to be created as exceptions across all our domain controllers.
To rule out a Cortex issue, we thought we would put these DCs in report mode instead of Block, as it is a risk to keep DCs in report mode for a longer duration till the replication is completed.
But I'm not able to add the below in the exclusions as it is not allowing this format in Cortex. Please advise.
The following will need to be exceptions in Cortex AV. Once exceptioned and the list of files waiting to be replicated drops, then Microsoft will investigate further.
03-22-2023 07:47 AM
I'm researching this issue for you now and will get back to you as quickly as I can.
03-22-2023 09:57 AM
I’ve taken a look at your list of exceptions received from Microsoft. It appears that some of them are individual files/file types. Others such as $db_normal$ appear to refer to a certain location on disk. Looking at this Microsoft documentation I was able to find references to what you were given.
$db_normal$ - See below
FileIDTable_* - See below
SimilarityTable_* - See below
*.xml - File Type
$db_dirty$ - See below
$db_clean$ - See below
$db_lost$ - See below
Dfsr.db - File Type
Fsr.chk - File Type
*.frx - File Type
*.log - File Type
Fsr*.jrs - File Type
Tmp.edb - File Type
In the screenshot above you can see a lot of the file types you mentioned in your previous post. I hope this helps clarify the exceptions you would need to input into Cortex XDR.
Please reply to this comment if you have any further questions. We’re happy to help.
Have a great day!