EDR: Yara is Not Alerting On Expected Binary

Article ID: 287991

Products

  • Carbon Black EDR (formerly Cb Response)
  • Carbon Black Hosted EDR (formerly Cb Response Cloud)

Issue/Introduction

Yara is not alerting on a binary that matches the rule

Environment

  • Carbon Black EDR: All Versions
  • Yara Connector: All Versions

Cause

The binary does nothing interesting beyond modloads, so its process document is being suppressed.

Resolution

By default, sensor groups are set to the "Recommended" retention level. With this setting, binaries that are executed and do nothing more than modloads will not get their own process document (they remain searchable by cmdline or childproc via the parent's process document). If the binary in question is being suppressed in this way, the product will not alert on it based on the Yara feed.

For example, double-clicking a process and closing it shortly after may produce no alert if the process did nothing interesting. If the same process is opened and then generates, for example, a netconn, an alert will come in for the match against Yara.

Additional Information

  • VMware Carbon Black support does not assist with writing Yara rules. Please utilize the user exchange for assistance with rule syntax.
  • Setting the retention setting to "Minimal" will alert any time that process is executed; however, this reduces the number of stored event days, since the individual process documents for those children must be held.
  • The Yara connector itself is not responsible for the alerting. It scans the storefiles table in Postgres for matches to the Yara rules, then writes a new report to /var/cb/data/cb-yara-connector/feed.json, which is ingested every hour during the incremental feed sync. You can verify that the report exists by searching the feed on the Threat Intelligence page, or by running this command on the backend:
    curl 'http://localhost:8080/solr/cbfeeds/select?q=id:"binary_<md5 hash lower case here>"'
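As an added example (not part of this article and not Carbon Black's connector code), the following Python script checks whether a given MD5 appears in the connector's feed.json and builds the same backend Solr query the article shows. It assumes the standard Carbon Black feed JSON layout (a "reports" list whose entries carry "iocs" with an "md5" list); the feed path and Solr URL are the ones from the article, and the sample feed is constructed.

```python
"""Verify that a binary's MD5 reached the Yara connector feed and build the
backend Solr query from the article. Added example, not Carbon Black code.
Assumes the Carbon Black feed layout:
{"feedinfo": {...}, "reports": [{"id": ..., "iocs": {"md5": [...]}}]}."""
import json
import urllib.parse
import urllib.request

FEED_PATH = "/var/cb/data/cb-yara-connector/feed.json"   # path from the article
SOLR_BASE = "http://localhost:8080/solr/cbfeeds/select"  # from the article's curl


def normalize_md5(value: str) -> str:
    """Lower-case and validate an MD5 hex digest (the Solr id uses lower case)."""
    digest = value.strip().lower()
    if len(digest) != 32 or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError(f"not an MD5 hex digest: {value!r}")
    return digest


def feed_reports_for_md5(feed: dict, md5: str) -> list:
    """Return the ids of feed reports whose md5 IOC list contains the hash."""
    wanted = normalize_md5(md5)
    hits = []
    for report in feed.get("reports", []):
        iocs = report.get("iocs", {}).get("md5", [])
        if wanted in {h.strip().lower() for h in iocs}:
            hits.append(report.get("id"))
    return hits


def solr_query_url(md5: str) -> str:
    """Build the article's query, id:"binary_<md5 lower case>", as a URL."""
    query = f'id:"binary_{normalize_md5(md5)}"'
    return SOLR_BASE + "?" + urllib.parse.urlencode({"q": query, "wt": "json"})


def solr_hit_count(md5: str, opener=urllib.request.urlopen) -> int:
    """Run the query on the backend; 0 means the report is not ingested yet."""
    with opener(solr_query_url(md5)) as resp:
        return json.load(resp)["response"]["numFound"]


# Constructed sample feed for an offline dry run (not real connector output).
SAMPLE_FEED = {"feedinfo": {"name": "yara"}, "reports": [
    {"id": "binary_d41d8cd98f00b204e9800998ecf8427e", "title": "sample_rule",
     "iocs": {"md5": ["D41D8CD98F00B204E9800998ECF8427E"]}},
]}
```

On a real server, load the feed with `json.load(open(FEED_PATH))` in place of SAMPLE_FEED; if the MD5 is in the feed but Solr returns 0 hits, the hourly incremental sync has not run yet.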