CB Response: Regmod wildcard query causes performance issues
Article ID: 290618
Updated On:
Products
Carbon Black EDR (formerly Cb Response)
Issue/Introduction
- Certain regmod searches with a wildcard times out. Some searches may succeed
- Escape characters are included in the search
Environment
- CB Response Server: 6.2.4
Cause
There is a known limitation when using a wildcard (*) and escaping characters in the same query - CB-23029
Resolution
- To work around this limitation, split the regmod path in two
- Original query where path\ with\ space is an escaped folder with spaces
- (regmod:registry\user\*\software\path\ with\ space\file)
- Workaround
- (regmod:registry\user\* AND regmod:"\software\path with space\file")
- Original query where path\ with\ space is an escaped folder with spaces
Additional Information
If the wildcard is at the very end of a query, this issue should not occur
Feedback
Yes
No
Powered by
