EDR: Use of wildcard in filemod query does not return results

Article ID: 284738


Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

A filemod: query that uses a wildcard returns no results when the search term is surrounded by double quotes (" ").

Environment

  • EDR: All Supported Versions

Cause

A quoted filemod: term returns no results because of the way filemods are indexed in the EDR Server; the quotes turn the term into an exact phrase, so the wildcard is not applied.

Resolution

Remove the quotes and use the escape character ( \ ) before spaces or any other characters that need escaping. The backslashes that are already part of the Windows path, and the trailing wildcard, are left as they are.

Example 1:
  • No results: filemod:"c:\inetpub\wwwroot\*"
  • Results:    filemod:c:\inetpub\wwwroot\*
Example 2, with the escape character (the path contains a space in "user data"):
  • For the path "c:\users\username\appdata\local\google\chrome\user data\*"
    • filemod:c:\users\username\appdata\local\google\chrome\user\ data\*
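The rewrite rule above (drop the surrounding quotes, backslash-escape each space, leave the path's own backslashes and the wildcard alone) as a small Python helper that fixes a quoted filemod: term inside a larger query. This is an added example, not Carbon Black's own code. Only the space is documented on this page as needing escaping; the extra parameter for additional characters, and the sample queries below, are assumptions made for illustration.

```python
import re

# Added example (not Carbon Black's own code): rewrite a quoted filemod:
# term into the unquoted, backslash-escaped form that actually matches.
# The article documents two rules: no surrounding quotes, and a space
# becomes "\ ". Escaping of any other characters is left to the caller
# through `extra`; its default of "" is an assumption, not a documented
# list of special characters.

FILEMOD_QUOTED = re.compile(r'filemod:"([^"]*)"')


def escape_path(path: str, extra: str = "") -> str:
    """Backslash-escape spaces (and any characters listed in `extra`).

    Wildcards (*) and the backslashes already present in a Windows path
    are left untouched; the article's working queries keep both as-is.
    """
    return "".join(
        "\\" + ch if (ch == " " or ch in extra) else ch
        for ch in path
    )


def filemod_term(path: str, extra: str = "") -> str:
    """Build one filemod: term from a path, whether or not it is quoted."""
    path = path.strip()
    if len(path) >= 2 and path[0] == '"' and path[-1] == '"':
        path = path[1:-1]          # the quotes are what break the query
    return "filemod:" + escape_path(path, extra)


def fix_query(query: str, extra: str = "") -> str:
    """Rewrite every quoted filemod:"..." term inside a larger query.

    Other terms (process_name:, boolean operators, ...) pass through
    unchanged; only quoted filemod terms are rewritten.
    """
    return FILEMOD_QUOTED.sub(
        lambda m: filemod_term(m.group(1), extra), query
    )


if __name__ == "__main__":
    # Constructed sample queries: the first two use the article's paths,
    # the third combines a quoted filemod term with a process filter.
    samples = [
        r'filemod:"c:\inetpub\wwwroot\*"',
        r'filemod:"c:\users\username\appdata\local\google\chrome\user data\*"',
        r'process_name:w3wp.exe AND filemod:"c:\inetpub\wwwroot\*.aspx"',
    ]
    for q in samples:
        print(q)
        print("  ->", fix_query(q))
```

The rewritten string is what you paste into the EDR search bar or pass as the query string to your API client; the wildcard only matches once the quotes are gone.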