CB Response: Yara Connector Log Files Displaying DB Locked

search cancel

CB Response: Yara Connector Log Files Displaying DB Locked

book

Article ID: 287431

calendar_today

Updated On:

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

Error message in /var/log/cb/integrations/yara/yara.log:

2019-01-09 04:53:32,230: binary_analysis: ERROR: Error during deep_scan of md5sum 48979117560093D489C388334B7ABF6A: OperationalError: database is locked
2019-01-09 06:11:45,030: binary_analysis: ERROR: Error during binary enumeration: database is locked. Sleeping for 30.000000 seconds and retrying.
2019-01-09 13:57:33,318: binary_analysis: ERROR: Error during binary enumeration: database is locked. Sleeping for 1200.000000 seconds and retrying.

Environment

CB Response Server: All Supported Versions
CB Response Yara Connector: Version 1.3.5 and Earlier

Cause

The failure rate is caused due to the sqlite database is either being corrupted or locked.

Resolution

Remove the Yara Database located here: /usr/share/cb/integrations/yara/db/sqlite.db.
Set the number of concurrent threads to 1 in the /etc/cb/integrations/yara/connector.conf file.

yara_num_threads=1

Restart Yara Connector Service:

service cb-yara-connector restart

Feedback

thumb_up Yes

thumb_down No