Client Index Extension overview

With Client Index Extension, you can index the local file systems on Tanium Client endpoints that are running Windows, Linux, and macOS operating systems. On Windows, Index ensures that the volume type is DRIVE_FIXED. On non-Windows, Index does a number of checks to ensure the volume is a block device and is not removable. By default, Index does not scan volumes with used space of greater than 20Tb. You can use an index setting to configure this default. size limit. If index is requested to scan a large path explicitly, it will scan that path regardless of size, for example as a high priority path. Additionally, Index provides an option, FilesystemTypesToExclude, which can be used to exclude volumes by filesystem type. See Customize Index endpoint settings for information on configuring these settings.

Index is optimized to minimize endpoint resource utilization. The solution indexes local file systems, computes file hashes, and gathers file attributes and magic numbers. This information is recorded in an SQLite database for detection and reporting of threat indicators for files at rest.

Index is a feature common to many Tanium solution modules that exists as a client extension. Tanium modules that install Client Index Extension include:

  • Tanium Threat Response versions 3.4 and later
  • Tanium Reveal versions 1.15 and later

Client extensions are an extensible framework of tools and processes that extend the functionality of the Tanium Client. Client extensions minimize the reproduction of code within different modules and solutions. A function or library is created once, then reused where necessary by Tanium solutions. Client extensions ultimately reduce the footprint of the Tanium Client on endpoints.

Overview

Index creates and maintains an inventory of the file system on an individual endpoint with the following operations:

The file system inventory is saved in the SQLite database on the endpoint.

Detect file changes

Any new file changes are captured in the database after every index scan (7 days is the default frequency) or almost instantly if changes are part of a high priority path. For more information, see Reference: Manage high-priority paths.

If a file is modified, the data in the database is updated. When a file creation or modification is detected, the file is indexed to include the file name, file size, file creation time, file modification time, and directory name.

Index does not detect changes made to only the attributes of a file, such as creation or modification timestamps. If the contents of a file are modified, Index records the new file modification timestamp but does not update the file creation timestamp.

If Tanium Recorder is deployed and operational on the endpoint, Index gets file change events from Recorder. If Recorder is not available, Index uses the platform-independent indexing method. With this method, changes take longer to pick up because Index gets file changes by traversing the directory tree.

Compute file hashes

Index computes and stores the hashes of files in the database. Index can record any combination of four different hash types: MD5, SHA-1, SHA-256, or SHA-512. You can disable calculation of hashes if desired.

Calculate magic number

The magic number is the first 4 bytes of the file. You can use the magic number to identify many types of files. Magic numbers are recorded for files that do not have a magic number entry.