Audit and Remediation: Yara Rule Must Not Contain Comments

Article ID: 292308

Products

Carbon Black Cloud Audit and Remediation (formerly Cb Live Ops)

Issue/Introduction

  • Comments prefaced with // are contained within the Yara rule
  • Yara rule returns no data

Environment

  • Carbon Black Cloud Console: September '20 Release
  • Audit and Remediation: 4.5

Cause

Currently, the backend query parser strips all newlines from the Yara rule. In Yara, // starts a comment that runs until the next newline.
Example:
rule foo // A dummy rule
{ condition: true }

When sent to the sensor, it gets converted to:
rule foo // A dummy rule { condition: true }

With the newline gone, the comment runs to the end of the rule, so Yara will fail to parse it.

Resolution

Remove any comments that begin with // from the rule.

Additional Information

Multiline comments using the /* foo */ syntax should still work.
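
A pre-submission check for the workaround above, as an added example (not Carbon Black or Yara project code): it rewrites // comments as /* */ while leaving // inside text strings and regular expressions alone. The function names, the sample rule and the flatten() model of the backend's newline stripping are assumptions made for illustration.

```python
"""Rewrite // comments in a YARA rule as /* */ before submitting it."""

def convert_line_comments(rule: str) -> tuple[str, int]:
    """Return (rewritten rule, number of // comments converted)."""
    out, i, n, count = [], 0, len(rule), 0
    while i < n:
        two = rule[i:i + 2]
        if two == "//":                       # line comment: runs to end of line
            end = rule.find("\n", i)
            end = n if end == -1 else end
            # A literal */ in the text would close the new block comment early.
            text = rule[i + 2:end].strip().replace("*/", "* /")
            out.append(f"/* {text} */")
            count += 1
            i = end
        elif two == "/*":                     # block comment: copy unchanged
            end = rule.find("*/", i + 2)
            end = n if end == -1 else end + 2
            out.append(rule[i:end])
            i = end
        elif rule[i] in '"/':                 # text string or regex literal
            # Simplification: the literal ends at the first unescaped delimiter.
            quote, j = rule[i], i + 1
            while j < n and rule[j] not in (quote, "\n"):
                j += 2 if rule[j] == "\\" else 1
            j = min(j + 1, n)
            out.append(rule[i:j])
            i = j
        else:
            out.append(rule[i])
            i += 1
    return "".join(out), count

def flatten(rule: str) -> str:
    """Assumed model of the newline stripping described in this article."""
    return " ".join(rule.splitlines())

# Constructed sample rule, not taken from a real rule set.
SAMPLE = r'''rule foo // A dummy rule
{
    strings:
        $url = "http://example.test/a"   // URL in a string is not a comment
        $re = /https?:\/\//              /* already a block comment */
    condition:
        any of them // trailing note */
}
'''

if __name__ == "__main__":
    fixed, converted = convert_line_comments(SAMPLE)
    print(f"converted {converted} comment(s)")
    print(flatten(fixed))
```

A non-zero count from convert_line_comments() on a rule means it would have been affected by the newline stripping.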