• EDR (formerly CB Response) Server: 6.2.0 and higher

• Binaries still tagged by the rule will result in alerts on detection.
• Threat Reports associated with this Rule are still active.

• Confirm any Threat Reports associated with the rule have been disabled.
• The following steps can be ran to attempt to remove any tagged binaries:

1. Use the cbfeed scrubber to remove existing tags for the feed: 

/usr/share/cb/cbfeed_scrubber --untag yara

2. Run the following to retag the binaries:

/usr/share/cb/virtualenv/bin/python -m cb.maintenance.job_runner --master -vvv feed_search --tag --feed <feedname> --iocs md5

• Disabling the Yara rule only removes the IOC, but any binaries tagged previously will still be alerted on.
• CBfeed_scrubber will remove all tags, including those that are still valid. If option --untag is not supplied, it performs a dry run, so it is a good idea to try it first to see how many binary and process docs are impacted