Audit and Remediation: Osquery Yara Scan of System32 Directory Potential Time Out
Article ID: 292510
Updated On:
Products
Carbon Black Cloud Audit and Remediation (formerly Cb Live Ops)
Issue/Introduction
Performing an osquery Yara search on the system 32 directory results in time outs being experienced resulting in the following message being displayed:
Error: osqueryi.exe was terminated because: Maximum Process Runtime Value (900 seconds) was exceeded.
Environment
- Carbon Black Cloud Console: All Versions
- Audit & Remediation (Formerly CB LiveOps)
- Microsoft Windows: All Supported Versions
Cause
Related to an osquery Bug where Linux memory was not reclaimed fast enough and adding these time delays avoided that, but results in this behaviour
Resolution
- osquery has a bug open to try and address this, and their work is still ongoing
- Use the command line Yara directly on a system, returns results without any timeout
Additional Information
Carbon Black is also working on getting a better workaround, until the osquery bug has been addressed.
This work is still ongoing, and can be referenced under 'DSEN-11654'
This work is still ongoing, and can be referenced under 'DSEN-11654'
Feedback
Yes
No
Powered by
