Reference: Supported file types for rule evaluation

• The file must be hashed by Tanium Index using hash type MIME.
• The file must be in a format that Tanium Reveal can read. For more information, see Reference: Supported file types for rule evaluation.
• Binary files must be less than 32 MB. To increase the default size limit, edit the setting CX.index.ExtractorMaxSourceMB.
• The file must not be filtered by the Reveal Parse Exclusions by Regular Expression or Reveal Parse Exclusions by File Path settings, which you can configure using a profile. For more information, see Creating profiles.

The contents of Zip archives are extracted into memory and Reveal evaluates rules against such contents if the compressed zip file size is within the specified overall maximum configured file size. By default this setting is 32 MB, and you can customize this default value using the CX.index.MaxZipSizeMB setting. If the uncompressed size is larger than the MaxZipSizeMB setting size, the archive is not extracted into memory and indexed.

For example, if you use the default setting value (32MB):

• A zip file that is 1MB (compressed) and 20MB (uncompressed) would have its contents indexed.

• A zip file that is 5MB (compressed) and 40MB (uncompressed) would not have its contents indexed.

A zip archive is determined by magic number 504b0304. Many file types are actually zip archives with a magic number of 504b0304. For example: ZIP, JAR, WAR, EAR, XLSX, PPTX, XLSX. Use the CX.index.ZipRecursionLimit (default 10) setting to configure the recursion limit for how deep to extract and index within zip files. For more information, see Tanium Client Index Extension User Guide: Indexing file systems.