Yara Rules Out of Date

Article ID: 286539

Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

Endpoints are showing as "Yara out of date" in the App Control Console.

Environment

  • App Control Console: All Supported Versions
  • App Control Agent: All Supported Versions

Cause

Communication between the endpoint and the application server is blocked, the Yara.bt9 file is corrupted, or the file otherwise cannot be properly obtained and imported by the endpoint.

Resolution

  1. Verify the Agent is currently showing as Connected in the Console.
  2. Verify the Agent is not in an Agent Upgrade cycle; if it is, remove the Upgrade Request, as a pending upgrade prevents Yara updates.
  3. Verify the Server-Agent Certificate in the Console > System Configuration > Security is not expired, and formatted correctly.
    • Common Name shown should match Server Address from the General tab.
    • Expiration Date should be in the future.
    • A matching Certificate should be listed in the Trusted Communication Certificates list at the bottom of the Security tab, and Trusted.
  4. Verify the Resource Download Location in System Configuration > Advanced is still accurate and contains the correct Yara.bt9 file.
  5. Verify the IIS Certificate bound to Port 443 is not expired, and formatted correctly.
    • Common Name shown should match Server Address from the General tab.
    • Expiration Date should be in the future.
    • A matching Certificate should be listed in the Trusted Communication Certificates list at the bottom of the Security tab, and Trusted.
  6. Verify the required ports for App Control are available to the Server Address. By default these are 41002 and 443.
  7. If a Proxy is in use:
    • The Agent does not officially support a Proxy and a bypass to the Server Address/RDL may be required.
    • The Agent is currently still a 32-bit application, and uses the 32-bit Proxy settings.
      • Use an administrative command prompt on the endpoint to verify a Bypass exists:
        cd C:\Windows\SysWOW64\
        netsh winhttp show proxy
        
      • If a Bypass does not exist, add one:
        netsh winhttp set proxy proxy-server="" bypass-list=;
        
      • A reboot may be required to restore the connection.
    • If a certificate exists on the Proxy or other Network Appliance, it must be imported & Trusted in the Trusted Communication Certificates list.
    • If SSL Inspection is enabled the Agents will reject the modified packets.
    • If any other authentication (such as 2FA) is enabled for network traffic on ports 41002 or 443 the Agents may fail to properly communicate.
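As an added example (not from this article or the vendor), the following PowerShell script, run from an administrative prompt on the endpoint, automates the checks in steps 4 through 7: port reachability, the expiration and Common Name of the certificate served on port 443, the 32-bit WinHTTP proxy bypass, and the presence of Yara.bt9 at the Resource Download Location. The server address and RDL path are placeholders; the RDL is assumed to be a UNC or local path (if yours is an HTTP URL, check it with a HEAD request instead).

```powershell
# Added example, not vendor code. Replace the two placeholders before running.
$ServerAddress = 'appcontrol.example.local'            # must match Server Address on the General tab
$RdlPath       = '\\appcontrol.example.local\hostpkg'  # Resource Download Location (UNC assumed)
$Ports         = 41002, 443                            # default App Control ports per the article

# Step 6: port reachability to the Server Address
foreach ($p in $Ports) {
    $ok = Test-NetConnection -ComputerName $ServerAddress -Port $p -InformationLevel Quiet
    "Port $p reachable: $ok"
}

# Step 5: certificate bound to 443, checked for Common Name and expiration.
# The validation callback accepts any certificate because we only inspect it here.
$cb   = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
$tcp  = New-Object System.Net.Sockets.TcpClient($ServerAddress, 443)
$ssl  = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
$ssl.AuthenticateAsClient($ServerAddress)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$cn   = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
"Cert CN:      $cn  (matches Server Address: $($cn -eq $ServerAddress))"
"Cert expires: $($cert.NotAfter)  (in the future: $($cert.NotAfter -gt (Get-Date)))"
$ssl.Dispose(); $tcp.Dispose()

# Step 7: 32-bit WinHTTP proxy settings, i.e. the ones the 32-bit Agent actually uses
$netsh = Join-Path $env:windir 'SysWOW64\netsh.exe'
$proxy = & $netsh winhttp show proxy
$proxy
if ($proxy -match 'Direct access') {
    'No WinHTTP proxy configured for 32-bit processes.'
} elseif ($proxy -notmatch [regex]::Escape($ServerAddress)) {
    # Heuristic: the server address should appear in the printed bypass list
    "WARNING: a 32-bit WinHTTP proxy is set and $ServerAddress is not in the bypass list."
}

# Step 4: Yara.bt9 present at the Resource Download Location
$yara = Join-Path $RdlPath 'Yara.bt9'
if (Test-Path $yara) {
    $f = Get-Item $yara
    "Yara.bt9 found: $($f.Length) bytes, last modified $($f.LastWriteTime)"
} else {
    "WARNING: Yara.bt9 not found at $yara"
}
```

A zero-byte or very old Yara.bt9, a CN that does not match the Server Address, or a proxy with no bypass entry each points to one of the causes listed above.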

If the issue persists, the Disconnected Agent Logs will be required to properly begin an investigation into these communication issues.