We just upgraded to 2022E. We would like to know how to reduce false positives from our roaming terminal services profiles stored on our main file server, from our users that are using Microsoft Visual Studio Code… I’m sure Commvault, you know that one of the file extensions you are constantly alerting on is anything ending in “.code” - but the problem with this is that VS Code saves temp files with .code extension in users’ appdata folders. Here’s an example from this morning:
Description: A suspicious file [M:\LabTSProfiles\jsmith.v6\AppData\Roaming\Code\CachedData\6261075646f055b99068d3688932416f2346dd3b\polyfills-3e1ee7640a5aae80b3466bca7f4bdf90.code] is detected on the machine
Anyway, as you can see, we have John Smith’s roaming appdata folder, with VS Code’s “code” folder.
I’d like to know if I can use a wildcard of some kind to specifically exclude any .code file that falls into that Code subfolder. I do not want to use the sExcludeExtensions additional setting to block every code file, I just want to do something like:
M:\LabTSProfiles\*\AppData\Roaming\Code\CachedData\*\*.code
This would, in theory, get every roaming profile (the first asterisk that replaces jsmith.v6), then the first random string of alphanumeric characters for Code’s cacheddata folder, then lastly the random alphanumeric string that makes up the filename before the code extension.
Will the asterisk wildcard option I hypothesize above work, or does Commvault use some other character, or do I have no options to do what I’m asking?
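A way to check how much the proposed exclusion would cover before applying it, as an added example that is not part of the original post and not Commvault code. It assumes the semantics the post describes (each asterisk stands for one path component) and does not show whether Commvault accepts such a pattern; the function names are hypothetical and all alert lines except the first are constructed.

```python
import re

# Pattern proposed in the post. Assumption: "*" matches within one path
# component only and never crosses a backslash.
PATTERN = r"M:\LabTSProfiles\*\AppData\Roaming\Code\CachedData\*\*.code"

# First line is the alert quoted in the post; the other three are constructed.
ALERTS = [
    r"Description: A suspicious file [M:\LabTSProfiles\jsmith.v6\AppData\Roaming\Code\CachedData\6261075646f055b99068d3688932416f2346dd3b\polyfills-3e1ee7640a5aae80b3466bca7f4bdf90.code] is detected on the machine",
    r"Description: A suspicious file [M:\LabTSProfiles\adoe.v6\Documents\budget.code] is detected on the machine",
    r"Description: A suspicious file [M:\LabTSProfiles\adoe.v6\AppData\Roaming\Code\CachedData\abc123\nested\x.code] is detected on the machine",
    r"Description: A suspicious file [M:\Shares\Finance\AppData\Roaming\Code\CachedData\abc123\x.code] is detected on the machine",
]

def compile_segment_glob(pattern):
    """Turn a Windows path glob into a regex where * stays inside one component."""
    parts = [re.escape(p).replace(r"\*", r"[^\\]*") for p in pattern.split("\\")]
    return re.compile(r"\\".join(parts), re.IGNORECASE)  # NTFS paths: ignore case

def flagged_path(alert):
    """Extract the bracketed path from an alert description line."""
    m = re.search(r"A suspicious file \[(.+)\] is detected", alert)
    return m.group(1) if m else None

def triage(alerts, pattern=PATTERN):
    """Split alerts into paths the exclusion would cover and those still alerting."""
    rx = compile_segment_glob(pattern)
    covered, remaining = [], []
    for alert in alerts:
        path = flagged_path(alert)
        if path is None:
            remaining.append(alert)  # unparsed lines are never treated as excluded
        elif rx.fullmatch(path):
            covered.append(path)
        else:
            remaining.append(path)
    return covered, remaining

if __name__ == "__main__":
    covered, remaining = triage(ALERTS)
    for p in covered:
        print("would be excluded:", p)
    for p in remaining:
        print("still alerts:     ", p)
```

Only the VS Code cache file is covered; a `.code` file in a user's Documents folder, one nested a level deeper, and one outside `M:\LabTSProfiles` all continue to alert, which is the narrow scope the post is asking for.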