Audit and Remediation: Hash Searches are Not Returning Information About a Known Hash

Audit and Remediation: Hash Searches are Not Returning Information About a Known Hash

search cancel

Audit and Remediation: Hash Searches are Not Returning Information About a Known Hash

book

Article ID: 289334

calendar_today

Updated On:

Products

Carbon Black Cloud Endpoint Standard (formerly Cb Defense)

Issue/Introduction

When searching for a Hash on a machine where it is known to exist, a query returns nothing

Environment

Carbon Black Cloud Console: All Supported Versions
Carbon Black Cloud Sensor: 3.7.x and Below

Cause

This can happen because the current version of osquery's hash table is cap sensitive
While the powershell command Get-FileHash returns the hash in all caps

Resolution

LIKE can be used instead of = in the query
The hash search can be encapsulated with lower(HASH)

Feedback

thumb_up Yes

thumb_down No