Audit and Remediation: Osquery Yara Scan of System32 Directory Potential Time Out

Environment

  • Carbon Black Cloud Console: All Versions
  • Audit & Remediation (Formerly CB LiveOps)
  • Microsoft Windows: All Supported Versions

Symptoms

Performing an osquery Yara search on the System32 directory results in timeouts, and the following message is displayed:
Error: osqueryi.exe was terminated because: Maximum Process Runtime Value (900 seconds) was exceeded.

Cause

This is related to an osquery bug in which Linux memory was not reclaimed fast enough. osquery added time delays to avoid that problem, but those delays cause the timeouts seen here.

Resolution

  • osquery has a bug open to address this, and that work is still ongoing
  • Running the Yara command line tool directly on the system returns results without any timeout

Additional Notes

Carbon Black is also working on a better workaround until the osquery bug has been addressed.
This work is still ongoing and can be referenced under 'DSEN-11654'.

Article Information
Creation Date: 12-11-2020