Built-in Yara Rule "Python Interpreter" Failing to Tag Python.exe
Article ID: 409089
Updated On:
Products
Carbon Black App Control
Issue/Introduction
Agent is failing to properly tag Python.exe as a Python Script Interpreter.
Environment
- App Control Server: All Supported Versions
- App Control Windows Agent: All Supported Versions
Cause
The built-in Yara Rule is not properly handling a version wildcard associated with Python DLLs.
Resolution
This issue was tracked under CRE-21958 and will be resolved with the release of Rules Installer 1.32. In the meantime, customers can use the following workaround steps:
- Log in to the Console and navigate to Rules > Software Rules > Yara
- Click Add Yara Rule and use the following:
- Name: TMP - Python Script Interpreter v2
- Namespace: Classification
- Description:
Temporary workaround for CRE-21958. Disable before upgrading to Rules Installer 1.32.
- Status: Enabled
- Rule:
rule PythonScriptInterpreter2: script_interpreter python_interpreter { meta: description = "Additional Rule to identify python interpreters" extension = "pyc" condition: // Note: Python.exe and pythonw.exe both import pythonXX.dll with the version number in its name: e.g. python26.dll not pe.is_dll() and pe.imports_regex(/python\d\d+.dll/) } - Rescan known files: Checked
- Save & Exit
- Allow some amount of time (at least an hour) for Agents to receive changes and rescan known files accordingly.
Additional Information
- This Custom Yara Rule should be disabled before upgrading to Rules Installer 1.32.
- When disabling the Custom Yara Rule, do not choose Rescan known files again.
- Files will get rescanned accordingly after the Rules Update.
- New Release and Product Notifications
- Subscribe to Broadcom Knowledge Articles
Feedback
Yes
No
Powered by
