EDR: Unable to Use Special Characters in Process Search Query
Article ID: 287759
Updated On:
Products
Carbon Black EDR (formerly Cb Response)
Issue/Introduction
- Process search fails when using special characters such as semicolon ;.
- Escaping with backslash \ fails.
- Using "double quotes" does not correct the issue.
Environment
- EDR Server: 6.1 and higher
Cause
This is caused by enhanced tokenization within Solr.
Resolution
Adjust the query following the tokenization rules covered in EDR User Guide:
Advanced Search Queries > cmdline > Tokenization Rules
Additional Information
- There is a known issue: CB-19124, that will not escape the "\", that was resolved in EDR Server 6.4.0.
- With enhanced tokenization, the following characters are converted to white spaces and so removed before the command-line is tokenized: \ “ ‘ ( ) [ ] { } , = < > & | ;
- Page 229 of the User Guide has more information on tokenization
Feedback
Yes
No
Powered by
