EDR: How To Purge Modulestore Binary Files

search cancel

EDR: How To Purge Modulestore Binary Files

book

Article ID: 285278

calendar_today

Updated On:

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

To manually remove the modulestore binary files from an EDR server or cluster.

Environment

EDR: 5.x and higher

Resolution

Log onto the CLI of the EDR server. For a cluster, log into each minion server.
Determine the MaxEventStoreDays setting in /etc/cb/cb.conf as a starting point to purge to:
```
# grep MaxEventStoreDays /etc/cb/cb.conf
```

Get the list of which binaries will be removed:

# find /var/cb/data/modulestore -name "*.zip" -type f -mtime +XX &> /tmp/ls_purge_binary.txt
(Alternately, confirm by printing to the screen the filenames and dates.)
# find /var/cb/data/modulestore -name "*.zip" -type f -mtime +XX -printf "%s %n %t\n"

Run the following replacing XX with MaxEventStoreDays results:

Warning: Verify your system time before running this command
find /var/cb/data/modulestore -name "*.zip" -type f -mtime +XX -delete

Additional Information

Binaries uploaded from Sensors to the EDR cluster are located inside /var/cb/data/modulestore/
These steps will irrecoverably remove data from the EDR server. After removing this data, attempting to download this binary from the binary details page will result in a 404.

Feedback

thumb_up Yes

thumb_down No