EDR Yara-Connector: New Yara Rule Does Not Run on Binaries
Article ID: 284932
Updated On:
Products
Carbon Black EDR (formerly Cb Response)
Issue/Introduction
When adding a new Yara rule to the cb-yara-connector, it does not retroactively scan binaries.
Environment
- EDR Server: All Supported Versions
- EDR Yara-Connector: 2.x
Resolution
- This is expected and by design, as a full modulestore/binary scan can be expensive on resources.
- To re-scan the binaries against all rules, including new ones:
- The cb-yara-connector database can be reset using the cb-yara-manager UI via the Reset DB button:
- This can also be reset by removing or backing up the cb-yara-connector database and restarting the cb-yara-connector service:
- The cb-yara-connector database can be reset using the cb-yara-manager UI via the Reset DB button:
rm /var/cb/data/cb-yara-connector/feed_db/binary.db systemctl restart cb-yara-connector
- Note: this will initiate a re-scan of the modulestore.
Feedback
Yes
No
Powered by
