EDR: How to Add a Cron Job to Clear Up Old Binary Files
Article ID: 291447
Updated On:
Products
Carbon Black EDR (formerly Cb Response)
Issue/Introduction
Create a cron job to clear out binary files older than a set date.
Environment
- EDR Server: All versions
Resolution
- Edit /etc/cb/cron/cb.cron.template
- Add the following above the last comment in the file
-
# Remove binary files older than XX days at 1am 0 1 * * * root find /var/cb/data/modulestore -name "*.zip" -type f -mtime +XX -delete
-
- Save the file
- Restart services for the change to take effect
Additional Information
- Actions must be run as a root user or with sudo privileges
- Binary metadata will still exist in the environment.
- Without intervention, binary files will never be removed from the server.
- Removing binary files can result in a situation where an endpoint has reported on a binary, but the file is not available. This happens when the binary had already been seen on the endpoint previously. Once a sensor reports on a binary, it will not try to upload the binary on consecutive interactions. The number of days old for the binary should be relatively high to reduce this edge case
Feedback
Yes
No
Powered by
