logo

Knowledge Base

Access official resources from Carbon Black experts

IMPORTANT ANNOUNCEMENT: On May 6, 2024, Carbon Black User eXchange (UeX) and Case Management will move to a new platform!
The Community will be in read-only mode starting April 19th, 7:00 AM PDT. Check out the blog post!
You will still be able to use the case portal to create and interact with your support cases until the transition, view more information here!

Audit and Remediation: Yara Rule Must Not Contain Comments

Audit and Remediation: Yara Rule Must Not Contain Comments

Environment

  • Carbon Black Cloud Console: September '20 Release
  • Audit and Remediation: 4.5

Symptoms

  • Comments prefaced with // are contained within the Yara rule
  • Yara rule returns no data

Cause

Currently, the backend query parser strips all newlines from the yara rule.  // specifies ignore everything until the next newline 
Example: 
rule foo: // A dummy rule
{ conditions: true}

when sent to the sensor it gets converted to:
rule foo: // A dummy rule { conditions: true}

Yara will fail to to parse

 

Resolution

Remove any comments containing // from the rule 

Additional Notes

Multiline comments using /* foo */ syntax should still work

Was this article helpful? Yes No
100% helpful (1/1)
Article Information
Author:
CB_Support
Creation Date:
‎10-16-2020
Views:
309
Contributors
logo

Copyright © 2005-2023 Broadcom. All Rights Reserved. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries.