Client Index Extension overview

With Client Index Extension, you can index the local file systems on Tanium Client endpoints that are running Windows, Linux, and macOS operating systems. On Windows, Index ensures that the volume type is DRIVE_FIXED. Client Index Extension indexes and identifies alternative data streams as part of indexing the Windows file system. An alternate data stream is a feature of the NTFS file system that provides a means of attaching one file to another. It has the ability of forking data into an existing file without changing its file size or functionality. From a malicious perspective, alternative data streams have been used to hide malware.

On non-Windows, Index does a number of checks to ensure the volume is a block device and is not removable. By default, Index does not scan volumes with used space of greater than 20Tb. You can use an index setting to configure this default. size limit. If index is requested to scan a large path explicitly, it will scan that path regardless of size, for example as a high priority path. Additionally, Index provides an option, FilesystemTypesToExclude, which can be used to exclude volumes by filesystem type. See Customize Index endpoint settings for information on configuring these settings.

Index is optimized to minimize endpoint resource utilization. The solution indexes local file systems, computes file hashes, and gathers file attributes and magic numbers. This information is recorded in an SQLite database for detection and reporting of threat indicators for files at rest.

Index is a feature common to many Tanium solution modules that exists as a client extension. Tanium modules that install Client Index Extension include:

  • Tanium Asset versions 1.19.158 and later
  • Tanium Integrity Monitor versions 3.0 and later
  • Tanium Reveal versions 1.15 and later
  • Tanium Threat Response versions 3.4 and later

Client extensions are an extensible framework of tools and processes that extend the functionality of the Tanium Client. Client extensions minimize the reproduction of code within different modules and solutions. A function or library is created once, then reused where necessary by Tanium solutions. Client extensions ultimately reduce the footprint of the Tanium Client on endpoints.

Overview

Index creates and maintains an inventory of the file system on an individual endpoint with the following operations:

The file system inventory is saved in the SQLite database on the endpoint.

Index supports indexing and hashing files inside ZIP archives. Index automatically opens and extracts ZIP archives if you enable file hash calculation. Index defines a ZIP archive by magic number (504b0304). Index models ZIP contents in the Index database in the same way as a directory, however the parent directory record points at the root ZIP archive.

Index only extracts ZIP archives one time per file hash calculation. For each subsequent file hash calculation, Index digests the ZIP archve again. ZIP contents are only walked as part of scans and not part as of the HPP/single-file-walker.

You can use the CX.index.MaxZipSizeMB and CX.index.ZipRecursionLimit settings to configure indexing and hashing files inside ZIP archives. For more information, see Customize Index endpoint settings

Detect file changes

Any new file changes are captured in the database after every index scan (7 days is the default frequency) or almost instantly if changes are part of a high priority path. For more information, see Reference: Manage high-priority paths.

If a file is modified, the data in the database is updated. When a file creation or modification is detected, the file is indexed to include the file name, file size, file creation time, file modification time, and directory name.

Index does not detect changes made to only the attributes of a file, such as creation or modification timestamps. If the contents of a file are modified, Index records the new file modification timestamp but does not update the file creation timestamp.

If Tanium Recorder is deployed and operational on the endpoint, Index gets file change events from Recorder. If Recorder is not available, Index uses the platform-independent indexing method. With this method, changes take longer to pick up because Index gets file changes by traversing the directory tree.

Compute file hashes

Index computes and stores the hashes of files in the database. Index can record any combination of four different hash types: MD5, SHA-1, SHA-256, or SHA-512. You can disable calculation of hashes if desired.

Calculate magic number

The magic number is the first 4 bytes of the file. You can use the magic number to identify many types of files. Magic numbers are recorded for files that do not have a magic number entry.