App Control: Performance Impact After Creating Custom Write Rule with Yara Tags

Article ID: 288859


Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

Performance impact after creating a Custom Rule that includes Write Operations with Yara Tags.

Environment

  • App Control Console: 8.9.0 and Higher
  • App Control Agent: 8.8.0 and Higher

Cause

The performance issue occurs because the Agent is forced to analyze every write operation for the specified Yara Tag(s).

Resolution

Avoid the use of a Custom Rule, and instead create a Yara Rule (Rules > Software Rules > Yara) that returns the correct predefined Yara Rule Tag.

Additional Information

  • Examples of Custom Rules with Write Operations: File Creation Control, Advanced with Write Operation, Expert Rule with Write Operation, etc.
  • YARA Rules are powerful and can have far-reaching, unexpected consequences. It is always recommended to test Custom Rules in a limited fashion before deploying to all endpoints.