Yara Exclusions for Performance and Interoperability Issues with Large Files
Article ID: 286748

Products

Carbon Black App Control

Issue/Introduction

  • YARA analysis provides content-based inspection of files for Windows Agents, regardless of file type.
  • Performance and/or interoperability issues may be encountered while large files are analyzed, such as:
    • Virtual Machine disks (vmdk, vhdx, etc)
    • Database files or backups (ldf, mdf, ndf, vdk, vbk, etc)
    • Large software install packages (msi, msix, exe)
  • 3rd party application logs may indicate that a particular operation could not complete because parity.exe has the file in use
  • Windows "File In Use" messages may appear, similar to:
    The action can't be completed because the file is open in Carbon Black App Control Agent

Environment

  • App Control Agent: All Supported Versions
  • Microsoft Windows: All Supported Versions

Resolution

Available YARA Analysis Options

By default the Agent will analyze all files, regardless of extension or size, and will not time out.

  • As of Agent 8.10.2 this has changed: granular control options are available, depending on the desired outcome.
  • Configs should be limited in scope as much as possible (pattern, host, Policy, etc)
  • Both options support OnlyIf Macros, which further limit the config to specific Hostnames (Computer Names) or other attributes.
  • Either option can be combined with a Custom Rule that uses File Creation Control (Approve).
    • This is beneficial if a YARA Exclusion is required for a file pattern that should otherwise be allowed to execute.

Ignoring File Patterns From YARA Analysis

This option skips YARA analysis entirely for the pattern(s) specified.

  • This can be beneficial if the files are large and never expected to execute.
    • If the file pattern could execute, using this option could prevent some Approval Methods from working.
  • Multiple patterns can be included in the same config
  • Consider also implementing a matching pattern to skip during Cache Checks or Initialization
  • Supports wildcards, but does not support User-specific Path Macros (ex: <AppData>\local )

Setting YARA Analysis Timeout

This option changes the default timeout (none) to the value specified, in seconds.

  • This option may be beneficial for situations where YARA Tags are still desired, while limiting potential endpoint performance impacts.
  • The timeout required will be unique to each application experiencing the issue and to the resources of the machine (how quickly it can complete YARA analysis).
    • Start with a higher value and reduce as needed (ex: start with 120, then decrease to 90, 60, etc).
  • This option cannot be applied to specific patterns; instead it governs the Agent's YARA timeout for all YARA analysis operations.


Implementing

  1. Verify the Agent version is 8.10.4+
  2. Use the Agent Config to either create or modify the desired YARA Exclusion for the relevant application
    • Examples for Ignoring File Patterns
      • Single File Pattern
        Name: Skip YARA Analysis For HyperV
        Host ID: 0
        Value: yara_ignore_patterns=*.vib
        Macro: <OnlyIf:HostName:*HyperV*>
        Platform: Windows
        Status: Enabled
        Create For: <Specific Policies Where HyperV Expected>
      • Example for Ignoring Multiple File Patterns
        Name: Skip YARA Analysis For HyperV
        Host ID: 0
        Value: yara_ignore_patterns=c:\hyperv\vm\*.vhd,c:\hyperv\vm\*.vhdx
        Macro: <OnlyIf:HostName:*HyperV*>
        Platform: Windows
        Status: Enabled
        Create For: <Specific Policies Where HyperV Expected>
    • Example for YARA Timeout
      Name: Timeout YARA Analysis For HyperV
      Host ID: 0
      Value: yara_analysis_timeout_secs=120
      Macro: <OnlyIf:HostName:*HyperV*>
      Platform: Windows
      Status: Enabled
      Create For: <Specific Policies Where HyperV Expected>
  3. Save the changes
  4. Verify Agent shows Connected & Up to Date, then test again.

If the issue persists, collect the Agent Performance Logs and open a technical support case.
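Before saving a yara_ignore_patterns config, it helps to check what a pattern would actually cover. The script below is an added example, not Carbon Black code: it parses a config Value in the form shown above, matches each pattern against a constructed list of file paths, and warns when a pattern uses an unsupported user-specific macro or would also cover files that could execute (the case the article says needs a File Creation Control rule instead). It assumes the Agent treats patterns as case-insensitive globs where `*` matches any characters; the OnlyIf:HostName check makes the same assumption.

```python
import fnmatch
import os
import re

# Constructed sample file paths from a hypothetical HyperV host (not from the article)
SAMPLE_PATHS = [
    r"C:\HyperV\VM\web01.vhdx",
    r"C:\HyperV\VM\db01.vhd",
    r"C:\Backups\nightly.vib",
    r"C:\Installers\agent.msi",
    r"C:\Windows\System32\notepad.exe",
]

# Extensions treated here as "could execute"; an assumption for this check, not an agent list
EXECUTABLE_EXTS = {".exe", ".msi", ".msix", ".dll", ".ps1", ".bat", ".cmd"}

def parse_ignore_patterns(value):
    """Split a 'yara_ignore_patterns=a,b' config Value into its individual patterns."""
    key, _, rest = value.partition("=")
    if key.strip() != "yara_ignore_patterns":
        raise ValueError(f"not a yara_ignore_patterns value: {value!r}")
    return [p.strip() for p in rest.split(",") if p.strip()]

def matches(pattern, path):
    """Case-insensitive glob match (assumed approximation of the Agent's wildcard handling)."""
    return fnmatch.fnmatchcase(path.lower(), pattern.lower())

def host_macro_applies(macro, hostname):
    """Evaluate an <OnlyIf:HostName:pattern> macro against a hostname (assumed glob semantics)."""
    m = re.fullmatch(r"<OnlyIf:HostName:(.+)>", macro, re.IGNORECASE)
    if not m:
        raise ValueError(f"unsupported macro form: {macro!r}")
    return fnmatch.fnmatchcase(hostname.lower(), m.group(1).lower())

def review_value(value, paths):
    """For each pattern in the Value, return the paths it covers plus scoping warnings."""
    report = {}
    for pattern in parse_ignore_patterns(value):
        warnings = []
        if re.search(r"<[^>]+>", pattern):
            warnings.append("user-specific path macros are not supported in yara_ignore_patterns")
        hits = [p for p in paths if matches(pattern, p)]
        if any(os.path.splitext(p)[1].lower() in EXECUTABLE_EXTS for p in hits):
            warnings.append("pattern covers files that could execute; "
                            "pair with a File Creation Control (Approve) rule instead of ignoring")
        report[pattern] = {"matches": hits, "warnings": warnings}
    return report
```

Run review_value() against a path listing from the affected host before deploying; a pattern with an empty match list or an executable warning should be narrowed before it is saved.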

Additional Information