Find the last_success_msg values that contain the rule being removed. In this example we are removing matchover100kb:
sqlite3 /var/cb/data/cb-yara-connector/feed_db/binary.db "select last_success_msg from binarydetonationresult where last_success_msg like '%matchover100kb%' group by last_success_msg;"
The last_success_msg lists every rule that matched the binary, as a comma-separated list after "Matched yara rules: ".
In the example output, some binaries also matched the "matchover600kb" rule. From there we either UPDATE the row (if the binary matched multiple rules, so only the rule being removed is dropped from the list) or DELETE the row (if the rule being removed was the only match).
To handle "Matched yara rules: matchover100kb, matchover600kb" and keep 'matchover600kb':
sqlite3 /var/cb/data/cb-yara-connector/feed_db/binary.db "UPDATE binarydetonationresult SET last_success_msg = 'Matched yara rules: matchover600kb' WHERE last_success_msg = 'Matched yara rules: matchover100kb, matchover600kb';"
To handle rows that read just "Matched yara rules: matchover100kb":
sqlite3 /var/cb/data/cb-yara-connector/feed_db/binary.db "DELETE FROM binarydetonationresult WHERE last_success_msg = 'Matched yara rules: matchover100kb';"
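The two statements above cover the two messages seen in this example. The following is an added example (not part of this article or of the connector's own code) that generalizes the same UPDATE-or-DELETE logic to any rule name and any number of co-matching rules, checking exact membership in the rule list rather than relying on LIKE alone, so that a rule whose name merely contains the target (for example a hypothetical matchover100kb_v2) is left untouched. It runs against a constructed in-memory copy of binary.db that assumes only the last_success_msg column shown in this article.

```python
import sqlite3

PREFIX = "Matched yara rules: "  # message format shown in the article


def parse_rules(msg):
    """Split a last_success_msg into its list of rule names, or None if unrecognised."""
    if not msg.startswith(PREFIX):
        return None
    return [r.strip() for r in msg[len(PREFIX):].split(",") if r.strip()]


def remove_rule(conn, rule):
    """Drop `rule` from every last_success_msg that lists it.

    Rows that still list other rules are UPDATEd; rows where `rule` was the
    only match are DELETEd. Returns (updated, deleted) row counts.
    """
    cur = conn.cursor()
    # LIKE is only a coarse pre-filter; exact membership is checked below so a
    # rule that merely contains the target name is not modified by mistake.
    rows = cur.execute(
        "SELECT rowid, last_success_msg FROM binarydetonationresult "
        "WHERE last_success_msg LIKE ?", ("%" + rule + "%",)).fetchall()
    updated = deleted = 0
    for rowid, msg in rows:
        rules = parse_rules(msg)
        if rules is None or rule not in rules:
            continue
        remaining = [r for r in rules if r != rule]
        if remaining:
            cur.execute("UPDATE binarydetonationresult SET last_success_msg = ? "
                        "WHERE rowid = ?", (PREFIX + ", ".join(remaining), rowid))
            updated += 1
        else:
            cur.execute("DELETE FROM binarydetonationresult WHERE rowid = ?", (rowid,))
            deleted += 1
    conn.commit()
    return updated, deleted


def build_sample_db():
    """Constructed stand-in for binary.db with only the column this procedure uses."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE binarydetonationresult (last_success_msg TEXT)")
    conn.executemany("INSERT INTO binarydetonationresult VALUES (?)", [
        ("Matched yara rules: matchover100kb",),                  # single match -> DELETE
        ("Matched yara rules: matchover100kb, matchover600kb",),  # multi match -> UPDATE
        ("Matched yara rules: matchover600kb",),                  # unrelated -> untouched
        ("Matched yara rules: matchover100kb_v2",),               # name collision -> untouched
    ])
    return conn


def remaining_messages(conn):
    """Sorted list of the messages left in the table, for inspection after a run."""
    return sorted(m for (m,) in conn.execute("SELECT last_success_msg FROM binarydetonationresult"))
```

To run it against the real file, replace the in-memory connection with sqlite3.connect("/var/cb/data/cb-yara-connector/feed_db/binary.db") after backing the file up.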
Yara scans the binaries that are stored locally on the EDR server and matches them against the given rule set. Deleting binary.db is an option to start fresh; however, binaries seen previously will not match again unless they still exist locally on the EDR server.
Updating binary.db to remove the specific rule causes a new feed.json to be generated, and the threat intel page picks up the updated feed during the next incremental sync.
Untagging removes the tag from binaries previously tagged by the Yara feed, in order to stop alerting on those tags.