Troubleshooting Yara Rules

Article ID: 377893

Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

Steps to troubleshoot when a Custom Yara Rule is not tagging files as expected.

Environment

  • App Control Console: Version 8.9.0+
  • App Control Windows Agent: 8.8.0+

Resolution

  1. Verify any Qualifiers are formatted correctly and actually apply to the computer being tested.
    • OnlyIf macros are the only Qualifiers currently supported. If the OnlyIf condition does not match the test computer, the rule will not tag anything there.
      Formatting: <OnlyIf:condition:value>
      Example: <OnlyIf:Hostname:*DSKTP-7*>
  2. Verify the Yara Tags
    • Yara Rules must declare their tags in the rule header, which has the form rule RuleName : tag1 tag2. Example:
      rule TagsExample : tag1 tag2
      {
      ...
      }
    • A tag should be used in only one namespace. Do not reuse a tag in the Classification namespace that is already used in the IsInteresting namespace (or vice versa).
    • Review the Detected Tags list in the Console. A tag that already exists, or is used by default, appears in the list of Detected Tags.
  3. Verify case-sensitive information. Examples:
    • ABC and abc are treated as different names and can identify different Yara Rules.
    • The Yara hash functions (hash.md5, hash.sha1, hash.sha256) return lowercase hexadecimal digits, so a comparison against an uppercase literal will never return true:
      hash.sha1(0, filesize) == "7193B6EDF651EAC1AB437F64B2FD6F203F8B702F"
  4. Verify the File Scanning option was chosen correctly. For example, if files that already exist on the endpoint need to be assigned tags, select Rescan known files.
  5. Verify the Yara keywords, modules and other features used in the rule are supported by the Yara library version listed in the Agent's Release Notes.
    • Example: As of Windows Agent 8.9.6 the Yara library was updated to version 4.05.
  6. Verify the Yara Rule has been received by the Agent using dascli.
    • Confirm that the Yara Rule version shown by dascli status matches the value shown in the Console under Assets > Computers.
    • Run dascli find <file> against a test file to see which Yara Rules and Tags the Agent applied to it.
  7. Verify any Custom Rule that is expected to act on tagged files references the correct Yara Tag(s).
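
As an added example (not from this article and not part of the App Control product), the following stand-alone Python script runs pre-flight checks for steps 2 and 3 over Yara rule text before it is pasted into the Console: it parses rule headers for tags, flags rules that declare none, flags hash comparisons written with uppercase hex (or the wrong digest length), reports any tag that appears in more than one namespace, and reports tags that differ only in case. The namespace names and the sample rules are constructed for illustration; the script uses only the Python standard library and does not compile or run the rules.

```python
"""Pre-flight checks for custom YARA rule text (added example, not App Control code).
Standard library only; it inspects the text, it does not compile the rules."""
import re

# Rule header: optional private/global, "rule Name", optional ": tag1 tag2", then "{".
RULE_HEADER = re.compile(
    r"^\s*(?:(?:private|global)\s+)*rule\s+(?P<name>\w+)\s*"
    r"(?::\s*(?P<tags>[\w\s]*?))?\s*\{", re.MULTILINE)
# hash.md5/sha1/sha256(...) == "<hex digits>"; captures the quoted digest.
HASH_COMPARE = re.compile(
    r"hash\.(?P<algo>md5|sha1|sha256)\s*\([^)]*\)\s*==\s*\"(?P<digest>[0-9A-Fa-f]+)\"")
DIGEST_LEN = {"md5": 32, "sha1": 40, "sha256": 64}


def rule_tags(rule_text):
    """Return {rule_name: [tags]} for every rule header found in the text."""
    return {m.group("name"): (m.group("tags") or "").split()
            for m in RULE_HEADER.finditer(rule_text)}


def untagged_rules(rule_text):
    """Rules whose header declares no tag; they have no tag to assign to a file."""
    return [name for name, tags in rule_tags(rule_text).items() if not tags]


def bad_hash_literals(rule_text):
    """Hash comparisons that can never be true: uppercase hex or wrong digest length."""
    findings = []
    for m in HASH_COMPARE.finditer(rule_text):
        algo, digest = m.group("algo"), m.group("digest")
        if digest != digest.lower():
            findings.append((algo, digest, "uppercase hex; hash.* returns lowercase"))
        elif len(digest) != DIGEST_LEN[algo]:
            findings.append((algo, digest, f"expected {DIGEST_LEN[algo]} hex digits"))
    return findings


def tags_in_multiple_namespaces(namespaces):
    """namespaces maps namespace name -> rule text. Returns {tag: [namespaces]}."""
    seen = {}
    for ns, text in namespaces.items():
        for tags in rule_tags(text).values():
            for tag in tags:
                seen.setdefault(tag, set()).add(ns)
    return {tag: sorted(ns) for tag, ns in seen.items() if len(ns) > 1}


def case_variant_tags(namespaces):
    """Tags that differ only in case (ABC vs abc); YARA treats them as distinct tags."""
    by_lower = {}
    for text in namespaces.values():
        for tags in rule_tags(text).values():
            for tag in tags:
                by_lower.setdefault(tag.lower(), set()).add(tag)
    return {k: sorted(v) for k, v in by_lower.items() if len(v) > 1}


# Constructed sample rule sets, one per namespace (namespace names are assumptions).
CLASSIFICATION_RULES = r'''
import "hash"

rule GoodHashRule : vendor_tool
{
    condition:
        hash.sha1(0, filesize) == "7193b6edf651eac1ab437f64b2fd6f203f8b702f"
}

rule BadHashRule : Vendor_Tool
{
    condition:
        hash.sha1(0, filesize) == "7193B6EDF651EAC1AB437F64B2FD6F203F8B702F"
}

rule NoTags
{
    condition:
        filesize > 0
}
'''

ISINTERESTING_RULES = r'''
rule Interesting : vendor_tool suspicious
{
    strings:
        $cmd = "cmd.exe /c" ascii wide
    condition:
        $cmd
}
'''

if __name__ == "__main__":
    ns = {"Classification": CLASSIFICATION_RULES, "IsInteresting": ISINTERESTING_RULES}
    for name, text in ns.items():
        print(name, "untagged:", untagged_rules(text), "bad hashes:", bad_hash_literals(text))
    print("tag in several namespaces:", tags_in_multiple_namespaces(ns))
    print("case variants:", case_variant_tags(ns))
```

Run it against the sample and it reports NoTags as untagged, the uppercase SHA-1 literal in BadHashRule as a comparison that can never match, vendor_tool as present in both namespaces, and Vendor_Tool/vendor_tool as case variants that Yara will treat as two different tags. Drop your own rule text into the two constants (or read it from files) to check a rule set before publishing it.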


If issues persist, open a case with Support and provide:

  • Full screenshot of any relevant Custom Yara Rule.
  • Full screenshot of any relevant Custom Rule that uses the related Yara Tags.
  • CSV export of any relevant Events from Reports > Events.
  • Results of the dascli find <file> command, run from the Agent directory (replace GlobalPassword with the Agent's Global Password), for example:
    cd "C:\Program Files (x86)\Bit9\Parity Agent"
    dascli password GlobalPassword
    dascli find "C:\Test\YaraTestFile.exe"
  • Agent Historical Logs from the computer being used to test the Custom Yara Rule.

Additional Information

  • Use extreme caution and test thoroughly before using the IsInteresting namespace.
    • Yara Rules can cause significant performance impact on the endpoint, especially when IsInteresting is used.
  • In general, treat Yara Rules as case-sensitive. Examples:
    • ABC and abc are treated as different names and can identify different Yara Rules.
    • Operators such as == and contains use case-sensitive semantics. Newer Yara library versions add case-insensitive variants such as icontains; only use them if the Yara library version listed in the Agent's Release Notes supports them.