
EDR: How to Remove a Binary Document From Solr (cbmodules)

Environment

  • EDR Server: All Versions

Objective

Remove a binary document reference from the cbmodules database in Solr

Resolution

Warning: Removing a binary may affect IR capability or have an effect on other historical data. Customers should discuss this with their IR team or security personnel before deleting the module.
Run this command with the full uppercase md5 value replacing MD5HERE
curl http://127.0.0.1:8080/solr/cbmodules/update?commit=true -H "Content-Type: text/xml" -d "<delete><query>md5:MD5HERE</query></delete>"


Additional Notes

  • Removing a binary document related to active processes will result in binary metadata associated with the process being removed. Loading the deleted binary will return a message that binary information is not available and the binary is unknown. This could cause further warnings for binaries on events that have not yet been scanned.
  • The binary will not be recollected from the same endpoint again. The sensor keeps a local registry of the binary metadata it has uploaded and will still retain a reference to the binary even after it is deleted on the server.
  • Running the command with the binary information containing lowercase values will fail silently. To verify the binary is removed, pull the binary document before and after deletion.
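The following script is an added example and not part of the original article or the product. It wraps the delete command above with the two checks the notes call for: it validates the md5 and forces it to uppercase (so the delete cannot silently match nothing), and it counts the matching cbmodules documents before and after the delete so the removal is verified. It assumes Solr is reachable at http://127.0.0.1:8080 on the EDR server as in the article, and that the standard Solr select handler (/select?q=md5:<MD5>&wt=json) is available on the cbmodules core; the article itself only shows the /update endpoint.

```shell
#!/usr/bin/env bash
# Added example (not the article's or vendor's code): delete a cbmodules
# document by md5 with an uppercase check and a before/after verification.
# Assumption: SOLR_URL points at the cbmodules core on the EDR server and
# its /select handler answers JSON with a "numFound" count.
set -eu

SOLR_URL="${SOLR_URL:-http://127.0.0.1:8080/solr/cbmodules}"

# Validate that the argument is a 32-character hex string and print it in
# uppercase. The cbmodules index stores md5 in uppercase, and a lowercase
# value makes the delete match nothing without reporting an error.
normalize_md5() {
  md5="$1"
  case "$md5" in
    ""|*[!0-9A-Fa-f]*) return 1 ;;
  esac
  [ "${#md5}" -eq 32 ] || return 1
  printf '%s' "$md5" | tr '[:lower:]' '[:upper:]'
}

# Build the delete-by-query payload exactly as the article's curl command does.
delete_payload() {
  printf '<delete><query>md5:%s</query></delete>' "$1"
}

# Number of cbmodules documents matching this md5 (0 or 1 expected).
# Assumption: standard Solr select handler and JSON response format.
count_docs() {
  curl -sf "${SOLR_URL}/select?q=md5:$1&rows=0&wt=json" \
    | sed -n 's/.*"numFound":\([0-9]*\).*/\1/p'
}

# Full procedure: normalize, count, delete with commit, count again.
remove_module() {
  md5="$(normalize_md5 "$1")" || { echo "not a valid md5: $1" >&2; return 2; }
  before="$(count_docs "$md5")"
  echo "documents matching $md5 before delete: $before"
  [ "$before" != "0" ] || { echo "nothing to delete"; return 0; }
  curl -sf "${SOLR_URL}/update?commit=true" \
    -H "Content-Type: text/xml" -d "$(delete_payload "$md5")" >/dev/null
  after="$(count_docs "$md5")"
  echo "documents matching $md5 after delete: $after"
  [ "$after" = "0" ]
}

# Only talk to Solr when an md5 is given on the command line.
if [ "$#" -eq 1 ]; then
  remove_module "$1"
elif [ "$#" -gt 1 ]; then
  echo "usage: $0 <md5>" >&2
  exit 1
fi
```

Run it on the EDR server as `./remove_module.sh d41d8cd98f00b204e9800998ecf8427e` (a constructed md5); the script exits non-zero if the document is still present after the commit, which is the silent-failure case the notes warn about.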

Creation Date: 11-28-2021