The Known File Database is a local SQLite store of files trusted as part of the clean baseline of the analysis machine. It exists to suppress noise in two ways:
.exe, .dll, and .sys file on the system and records: full path, filename, version info, and MD5.

Once a DB exists, several behaviors become available:

| Setting | Effect |
|---|---|
| Use Known file DB (wizard) | Enable DB lookups for the upcoming run. |
| KnownDB → Hide Known Files (main UI) | Hide DB-known files from all list views. The status label shows "[HIDING TRUSTED FILES]" while active. |
| KnownDB → Disable (main UI) | Temporarily ignore the DB without unloading it. Useful for sanity checks. |
| KnownDB → Update Known Db (main UI) | Show every currently-displayed unknown file in a marker form so you can promote trusted entries into the DB without rebuilding. |

| Color | Meaning |
|---|---|
| Green / blue | File matches an entry in the DB by path and hash. |
| Red / orange | File matches a DB entry by path but has a different MD5 — flagged as a possible replacement or patch. Investigate first. |
| (default) | File is not in the DB. |

Right-click on any DLL or driver row and choose Add Selected To Known DB to add the file. This lets you grow the DB incrementally without a full rescan: add the legitimate antivirus DLL once, never see it again.

The DB-known check is by exact path. A file moved or copied to a new location does not match its original entry. This is intentional — relocation is itself a signal worth investigating.
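The lookup and color-coding rules from the tables above, together with the exact-path caveat, as an added Python example (not the tool's own code): the SQLite table layout, column names, verdict labels and the sample files are all assumed or constructed here.

```python
import hashlib
import sqlite3

# Verdicts mirroring the color coding described above.
KNOWN = "known"        # path and MD5 both match (green / blue)
MODIFIED = "modified"  # path matches, MD5 differs (red / orange)
UNKNOWN = "unknown"    # no entry for this path (default color)

def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def build_known_db(entries):
    """Create an in-memory known-file DB from (full_path, version, bytes) tuples.
    The table layout and column names are assumed, not taken from the tool."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE known_files ("
               "path TEXT PRIMARY KEY, filename TEXT, version TEXT, md5 TEXT)")
    for path, version, data in entries:
        db.execute("INSERT INTO known_files VALUES (?, ?, ?, ?)",
                   (path, path.rsplit("\\", 1)[-1], version, md5_hex(data)))
    db.commit()
    return db

def classify(db, path, data):
    """Look up by exact path only: a relocated copy of a known file is UNKNOWN,
    and a path hit with a different hash is MODIFIED, never silently hidden."""
    row = db.execute("SELECT md5 FROM known_files WHERE path = ?", (path,)).fetchone()
    if row is None:
        return UNKNOWN
    return KNOWN if row[0] == md5_hex(data) else MODIFIED

def hide_known(db, observed):
    """'Hide Known Files': drop only KNOWN rows; MODIFIED and UNKNOWN stay visible."""
    verdicts = [(path, classify(db, path, data)) for path, data in observed]
    return [(path, v) for path, v in verdicts if v != KNOWN]

# Constructed baseline and observations (paths and file bytes are made up).
BASELINE = [
    (r"C:\Windows\System32\sample.dll", "1.0.0.0", b"constructed sample.dll image"),
    (r"C:\Program Files\ExampleAV\avscan.dll", "3.1.0.0", b"constructed avscan image"),
]
OBSERVED = [
    (BASELINE[0][0], BASELINE[0][2]),                 # unchanged  -> KNOWN, hidden
    (BASELINE[1][0], b"same path, different bytes"),  # patched?   -> MODIFIED
    (r"C:\Temp\sample.dll", BASELINE[0][2]),          # relocated  -> UNKNOWN
]

if __name__ == "__main__":
    for path, verdict in hide_known(build_known_db(BASELINE), OBSERVED):
        print(f"{verdict:9} {path}")
```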