Audit and Remediation: Osquery Yara Scan of System32 Directory Potential Time Out

Environment

  • Carbon Black Cloud Console: All Versions
  • Audit & Remediation (Formerly CB LiveOps)
  • Microsoft Windows: All Supported Versions

Symptoms

Running an osquery Yara scan against the Windows System32 directory from Audit & Remediation can exceed the query's process runtime limit. The scan is terminated and the following message is displayed:
Error: osqueryi.exe was terminated because: Maximum Process Runtime Value (900 seconds) was exceeded.

Cause

This is related to an osquery bug. To work around a Linux issue where memory was not reclaimed quickly enough during Yara scans, osquery added time delays to the scan. Those delays avoid the memory problem but slow large scans enough that a scan of System32 exceeds the 900-second limit.

Resolution

  • osquery has an open bug to address this; their work is still ongoing.
  • As a workaround, run the Yara command-line tool directly on the system; it returns results without the timeout.
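The command-line workaround, as an added example that is not Carbon Black's or osquery's own code: it walks a directory tree and runs the yara CLI once per directory, each invocation under its own wall-clock limit, so a long scan of System32 is split into many short ones instead of one 900-second process. A directory that still times out is retried file by file, and files that time out on their own are reported rather than silently dropped. Results are reshaped into the path/matches/count columns of osquery's yara table so they can be compared with Audit & Remediation output. Assumptions not taken from the article: the yara binary is on PATH as yara, yara64 or yara32 (VirusTotal's Windows release ships yara64.exe); the rule-file path, thread count and timeouts are illustrative; SAMPLE_OUTPUT is constructed, not captured from a real host.

```python
"""Scan a directory tree with the yara command-line tool, one directory per
invocation and each under its own wall-clock limit, and shape the results like
osquery's yara table (path, matches, count).

Added example, not Carbon Black's or osquery's own code. Assumptions (not from
the article): the yara CLI is on PATH as yara, yara64 or yara32; the rule-file
path, thread count and timeouts are illustrative; SAMPLE_OUTPUT is constructed.
"""
import os
import shutil
import subprocess
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed sample of yara's default stdout: one "rule path" line per match;
# with -s the matched strings follow on lines that start with a hex offset.
SAMPLE_OUTPUT = """Win_Suspicious_Loader C:\\Windows\\System32\\evil one.dll
0x1f0:$s1: LoadLibraryA
Packed_UPX C:\\Windows\\System32\\evil one.dll
Packed_UPX C:\\Windows\\System32\\drivers\\x.sys
"""


def parse_yara_output(text: str) -> Dict[str, List[str]]:
    """Map each matched file path to the rules that hit it. Paths may contain
    spaces, so split on the first space only; string-detail lines (from -s)
    begin with a 0x offset and are skipped."""
    hits: Dict[str, List[str]] = defaultdict(list)
    for line in text.splitlines():
        line = line.rstrip()
        if not line or line.startswith("0x"):
            continue
        rule, _, path = line.partition(" ")
        if path:
            hits[path].append(rule)
    return dict(hits)


def to_table_rows(hits: Dict[str, List[str]]) -> List[dict]:
    """Render hits in the column layout of osquery's yara table."""
    return [{"path": p, "matches": ",".join(r), "count": len(r)}
            for p, r in sorted(hits.items())]


def find_yara() -> Optional[str]:
    """Locate the yara binary on PATH (yara64.exe on Windows releases)."""
    for name in ("yara", "yara64", "yara32"):
        found = shutil.which(name)
        if found:
            return found
    return None


def scan_target(yara: str, rules: str, target: str, timeout: int) -> Optional[str]:
    """Run yara once against a file or (non-recursively) a directory.
    Returns stdout, or None if the process exceeded the timeout. -w silences
    rule warnings and -p sets the scanning thread count (illustrative value)."""
    try:
        proc = subprocess.run([yara, "-w", "-p", "4", rules, target],
                              capture_output=True, text=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return None
    return proc.stdout


def scan_tree(root: str, rules: str, dir_timeout: int = 300,
              file_timeout: int = 60) -> Tuple[Dict[str, List[str]], List[str]]:
    """Walk root and scan each directory in its own yara process. A directory
    that times out is retried file by file so one slow file costs only itself;
    files that still time out are returned in the second element."""
    yara = find_yara()
    if yara is None:
        raise FileNotFoundError("yara CLI not found on PATH")
    hits: Dict[str, List[str]] = {}
    timed_out: List[str] = []
    for dirpath, _, names in os.walk(root):
        out = scan_target(yara, rules, dirpath, dir_timeout)
        if out is not None:
            hits.update(parse_yara_output(out))
            continue
        for name in names:
            path = os.path.join(dirpath, name)
            out = scan_target(yara, rules, path, file_timeout)
            if out is None:
                timed_out.append(path)
            else:
                hits.update(parse_yara_output(out))
    return hits, timed_out


if __name__ == "__main__":
    for row in to_table_rows(parse_yara_output(SAMPLE_OUTPUT)):
        print(row)
    if find_yara():  # illustrative paths; adjust to the host
        found, slow = scan_tree(r"C:\Windows\System32", r"C:\rules\suspicious.yar")
        print(len(found), "files matched;", len(slow), "files timed out")
```

Per-directory invocation recompiles the rule file each time; for a large rule set, compile it once with yarac and pass the compiled file with yara's -C option to avoid that cost.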

Additional Notes

Carbon Black is also working on a better workaround to use until the osquery bug has been addressed.
This work is still ongoing and can be referenced under 'DSEN-11654'.

Creation Date: 12-11-2020