App Control: How to Manually Import Agent Yara Rules

Article ID: 287322


Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

Import Agent Yara rules in an air-gapped environment where Agents are upgraded or installed manually, or when Port 443 is otherwise not available.

Environment

  • App Control Agent: All Supported Versions

Resolution

  1. Copy the "Yara.bt9" file from the App Control server to a location that is accessible by the endpoint. By default, the Yara.bt9 file is located in:
    "C:\Program Files (x86)\Bit9\Parity Server\hostpkg\Yara.bt9"
  2. From an administrative command prompt on the endpoint, execute the following:
    cd "C:\Program Files (x86)\Bit9\Parity Agent"
    dascli password GlobalCLIPassword
    dascli yara "\\Path\To\New\Yara.bt9"

     

Additional Information

  • This command requires Agent authentication via the Global CLI Password or by running the command as a User that is part of the Agent Management security group defined in System Configuration > General.
  • For a large number of computers this can be scripted.
  • The Yara file will be ingested by the Agent and stored locally in:
    "C:\ProgramData\Bit9\Parity Agent\Yara\METHOD-TIMESTAMP.bt9"
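
One way to script the import per endpoint, as an added example that is not from this article or the vendor. It uses only the `dascli yara` command shown above, verifies the file's hash before importing, and confirms that a new file appears in the Agent's Yara folder. Assumptions: the `$SourcePath` and `$ExpectedSha256` parameters are hypothetical names, and the script runs elevated as a member of the Agent Management security group, so the Global CLI Password never appears in the script or on a command line.

```powershell
# Added example, not vendor code. Assumptions: runs elevated as a member of the
# Agent Management security group (so no "dascli password" step and no password
# in the script), and $ExpectedSha256 was computed on the App Control server.
param(
    [Parameter(Mandatory)] [string] $SourcePath,     # e.g. \\Path\To\New\Yara.bt9
    [Parameter(Mandatory)] [string] $ExpectedSha256  # hypothetical parameter
)
$ErrorActionPreference = 'Stop'
$agentDir = 'C:\Program Files (x86)\Bit9\Parity Agent'
$yaraDir  = 'C:\ProgramData\Bit9\Parity Agent\Yara'

# Stage a local copy so the file that is hashed is the file that is imported.
$staged = Join-Path $env:TEMP ('Yara-{0}.bt9' -f [guid]::NewGuid())
Copy-Item -LiteralPath $SourcePath -Destination $staged
try {
    $actual = (Get-FileHash -LiteralPath $staged -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256) {
        throw "Hash mismatch for ${SourcePath}: expected $ExpectedSha256, got $actual"
    }

    # Snapshot already-ingested rule files so the new one can be detected.
    $before = @(Get-ChildItem -LiteralPath $yaraDir -Filter '*.bt9' -ErrorAction SilentlyContinue |
                ForEach-Object Name)

    Push-Location $agentDir
    try     { & .\dascli yara $staged }
    finally { Pop-Location }

    # Ingestion may not be instantaneous (assumption): poll for up to 30 seconds.
    $new = @()
    for ($i = 0; $i -lt 15 -and -not $new; $i++) {
        Start-Sleep -Seconds 2
        $new = @(Get-ChildItem -LiteralPath $yaraDir -Filter '*.bt9' -ErrorAction SilentlyContinue |
                 Where-Object { $before -notcontains $_.Name })
    }
    if (-not $new) { throw "No new .bt9 file appeared in $yaraDir after import" }

    # One result object per endpoint, suitable for collecting into a report.
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Sha256   = $actual
        Ingested = $new.Name -join ', '
    }
}
finally {
    Remove-Item -LiteralPath $staged -Force -ErrorAction SilentlyContinue
}
```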