App Control: How to Manually Import Agent Yara Rules
Article ID: 287322
Updated On:
Products
Carbon Black App Control (formerly Cb Protection)
Issue/Introduction
Import Agent Yara rules in an air gapped environment where Agents are upgraded or installed manually, or when Port 443 is otherwise not available.
Environment
- App Control Agent: All Supported Versions
Resolution
- Copy the "Yara.bt9" file from the App Control server to a location that accessible by the endpoint. By default the Yara.bt9 file is located in:
"C:\Program Files (x86)\Bit9\Parity Server\hostpkg\Yara.bt9"
- From an administrative command prompt on the endpoint, execute the following:
cd "C:\Program Files (x86)\Bit9\Parity Agent" dascli password GlobalCLIPassword dascli yara "\\Path\To\New\Yara.bt9"
Additional Information
- This command requires Agent authentication via the Global CLI Password or by running the command as a User that is part of the Agent Management security group defined in System Configuration > General.
- For a large number of computers this can be scripted.
- The Yara file will be ingested by the Agent and stored locally in:
"C:\ProgramData\Bit9\Parity Agent\Yara\METHOD-TIMESTAMP.bt9"
Feedback
Yes
No
Powered by
