EDR: How to Remove a Binary Document From Solr (cbmodules)
Article ID: 292539


Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

Remove a binary document reference from the cbmodules database in Solr

Environment

  • EDR Server: All Versions

Resolution

Warning: Removing a binary may affect IR capability or have an effect on other historical data. Customers should discuss this with their IR team or security personnel before deleting the module.
Run this command with the full uppercase MD5 value in place of MD5HERE:
curl http://127.0.0.1:8080/solr/cbmodules/update?commit=true -H "Content-Type: text/xml" -d "<delete><query>md5:MD5HERE</query></delete>"

Additional Information

  • Removing a binary document related to active processes will result in binary metadata associated with the process being removed. Loading the deleted binary will return a message that binary information is not available and the binary is unknown. This could cause further warnings for binaries on events that have not yet been scanned.
  • The binary will not be recollected from the same endpoint again. The sensor keeps a local registry of the binary metadata it has uploaded and will still hold a reference to the binary even after it is deleted on the server.
  • Running the command with a lowercase MD5 value will fail silently (no document matches, so nothing is deleted). To verify the binary is removed, pull the binary document before and after deletion.
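The following shell wrapper is an added example, not part of the Carbon Black article or the EDR product; it bundles the delete-by-query above with the two checks the notes call for: it refuses a value that is not 32 uppercase hex characters (the case that fails silently), and it counts matching cbmodules documents before and after the delete so the operator can see that the document is actually gone. It assumes Solr is reachable at the address used in the article (overridable via the SOLR_URL variable) and that the md5 field is indexed as shown; the count uses Solr's standard select handler with the JSON response writer.

```shell
#!/bin/sh
# Added example (not from the Carbon Black KB): verified removal of a cbmodules
# document by MD5. Assumes the Solr base URL from the article; override with SOLR_URL.
SOLR_URL="${SOLR_URL:-http://127.0.0.1:8080/solr/cbmodules}"

# Uppercase the hex digits of an MD5 (Solr stores the value uppercase per the KB).
normalize_md5() {
  printf '%s' "$1" | tr 'a-f' 'A-F'
}

# Returns 0 only for a full 32-character uppercase hex MD5; anything else returns 1.
# A lowercase or partial value would make the delete match nothing and "succeed".
is_uppercase_md5() {
  case "$1" in
    *[!0-9A-F]*) return 1 ;;
  esac
  [ "${#1}" -eq 32 ]
}

# Prints the number of cbmodules documents whose md5 field equals $1.
# Uses the standard select handler; numFound is pulled out with sed so jq is not required.
count_docs() {
  curl -s "$SOLR_URL/select?q=md5:$1&rows=0&wt=json" \
    | sed -n 's/.*"numFound":\([0-9]*\).*/\1/p'
}

# The delete-by-query from the article, with the MD5 substituted in.
delete_doc() {
  curl -s "$SOLR_URL/update?commit=true" \
    -H "Content-Type: text/xml" \
    -d "<delete><query>md5:$1</query></delete>" >/dev/null
}

# Validate, count, delete, count again. Returns 0 only when the document is gone.
remove_binary() {
  md5=$(normalize_md5 "$1")
  if ! is_uppercase_md5 "$md5"; then
    echo "refusing: expected a full 32-char hex MD5, got '$1'" >&2
    return 2
  fi
  before=$(count_docs "$md5")
  echo "documents matching md5:$md5 before delete: ${before:-?}"
  if [ "${before:-0}" -eq 0 ]; then
    echo "no document found; nothing to delete" >&2
    return 1
  fi
  delete_doc "$md5"
  after=$(count_docs "$md5")
  echo "documents matching md5:$md5 after delete: ${after:-?}"
  [ "${after:-1}" -eq 0 ]
}

# Only act when an MD5 is passed on the command line, so the file can also be sourced.
if [ $# -ge 1 ]; then
  remove_binary "$1"
fi
```

Usage: `sh remove_binary.sh D41D8CD98F00B204E9800998ECF8427E` (the MD5 here is the well-known hash of the empty file, used only as a sample). The script exits non-zero if the value is malformed, if no document matched beforehand, or if a document still matches afterwards, which is the condition the last note above asks you to check by hand.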