Environment
Objective
Remove a binary document reference from the cbmodules database in Solr
Resolution
Warning: Removing a binary may affect IR capability or have an effect on other historical data. Customers should discuss this with their IR team or security personnel before deleting the module.
Run this command with the full uppercase MD5 value replacing MD5HERE:
curl "http://127.0.0.1:8080/solr/cbmodules/update?commit=true" -H "Content-Type: text/xml" -d "<delete><query>md5:MD5HERE</query></delete>"
Additional Notes
- Removing a binary document related to active processes will result in binary metadata associated with the process being removed. Loading the deleted binary will return a message that binary information is not available and the binary is unknown. This could cause further warnings for binaries on events that have not yet been scanned.
- The binary will not be recollected from the same endpoint again. The sensor has a local registry of binary metadata that is uploaded and will still retain a reference to the binary even after it is deleted on the server.
- Running the command with the binary information containing lowercase values will fail silently. To verify the binary is removed, pull the binary document before and after deletion.
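The procedure above with the checks from the notes built in, as an added example rather than the vendor's own script: it uppercases and validates the MD5 (so a lowercase or malformed value cannot fail silently or widen the delete query), then counts matching documents before and after the delete. It assumes the cbmodules core answers Solr's standard /select handler on the same host and port; the function names are illustrative.

```shell
#!/usr/bin/env bash
# Added example: guarded wrapper around the delete command from this article.
# Assumption: the cbmodules core answers the standard Solr /select handler
# on the same host and port as /update.
SOLR="http://127.0.0.1:8080/solr/cbmodules"

# Validate a 32-hex-digit MD5 and print it in uppercase; non-zero on bad input.
normalize_md5() {
    local md5
    md5=$(printf '%s' "$1" | tr 'a-f' 'A-F')
    case "$md5" in
        *[!0-9A-F]*) return 1 ;;
    esac
    [ "${#md5}" -eq 32 ] || return 1
    printf '%s\n' "$md5"
}

# Build the XML delete-by-query body for one MD5.
delete_body() {
    printf '<delete><query>md5:%s</query></delete>' "$1"
}

# Extract numFound from a Solr JSON response read on stdin.
num_found() {
    sed -n 's/.*"numFound": *\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Count documents matching the MD5 (the "pull" done before and after deletion).
count_docs() {
    curl -s "$SOLR/select?q=md5:$1&rows=0&wt=json" | num_found
}

main() {
    local md5 before after
    md5=$(normalize_md5 "$1") || { echo "not a 32-character hex MD5: $1" >&2; return 2; }
    before=$(count_docs "$md5")
    [ "${before:-0}" -gt 0 ] || { echo "no document for $md5; nothing deleted" >&2; return 1; }
    curl -s "$SOLR/update?commit=true" -H "Content-Type: text/xml" \
        -d "$(delete_body "$md5")" >/dev/null
    after=$(count_docs "$md5")
    echo "md5=$md5 before=$before after=${after:-unknown}"
    [ "${after:-1}" -eq 0 ]   # success only if the document is really gone
}

# Run only when an MD5 is passed on the command line.
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Run it on the server with the MD5 as the only argument; a non-zero exit means the value was rejected, no document matched, or the document was still present after the delete.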