EDR: How to Determine if a Binary has been Received by the Server and Scanned by Yara
Article ID: 288051
Updated On:
Products
Carbon Black EDR (formerly Cb Response)
Issue/Introduction
To determine whether a specific hash value has been uploaded to the EDR server and whether Yara has already scanned it.
Environment
- EDR: 7.x and Higher
- Yara: 2.x
Resolution
Querying PGSQL
A record of all collected hashes is stored on the primary server pgsql db in the storefiles table.
To see a specific record :
Querying YARA
To determine if Yara has seen a specific hash before, query the SQL lite file from the primary server:
A record of all collected hashes is stored on the primary server pgsql db in the storefiles table.
To see a specific record :
- On the primary server, run:
# psql -d cb -p 5002 -c "select * from storefiles where md5hash='\x<hash>';"
where <hash> is the lower-case value of the md5sum being queried.
example: md5hash='\x22ea17f020dc46f8bb4270cb31358acc ';"
The '\x' is generally required.
example: md5hash='\x22ea17f020dc46f8bb4270cb31358acc ';"
The '\x' is generally required.
- Run:
# psql -d cb -p 5002 -c "select * from binary_status where md5hash='\x<hash>'
where <hash> is the lower-case value of the md5sum being queried.
example: md5hash='\x22ea17f020dc46f8bb4270cb31358acc ';"
The '\x' is generally required.
example: md5hash='\x22ea17f020dc46f8bb4270cb31358acc ';"
The '\x' is generally required.
Querying YARA
To determine if Yara has seen a specific hash before, query the SQL lite file from the primary server:
- Run:
# sqlite3 /var/cb/data/cb-yara-connector/feed_db/binary.db
- Run the query:
sqlite> select * from binarydetonationresult where md5='<hash>';
where <hash> is the lower-case value of the md5sum being queried.
example: md5='22ea17f020dc46f8bb4270cb31358acc ';"
example: md5='22ea17f020dc46f8bb4270cb31358acc ';"
Additional Information
- The Yara connector uses the postgres storefiles table to confirm if the physical binary is still local and which node it exists on (clustered) in order to do the scan
- When sharing hashes, these are deleted locally and are not available for scanning if the binary was already seen before the connector and/or rule was implemented
- Manually deleting the binaries from /var/cb/data/cbmodules can cause errors on lookup, instead rely on the 'binary_purge' job that is enabled by default.
- The Yara connector creates a feed report that is binary based IOC. Non-query based IOC's hit at ingress of data, this means that you will not get alerted on by the first hit as the Yara connector scans the binary file after ingress. CB-42584 was created to enhance the connector to alert on the first seen.
- \x is required for the pgsql query.
- \x is not needed in the Yara sqlite db.
Feedback
Yes
No
Powered by
