EDR: Negation of Some Binary Term Searches May Provide Inaccurate Results in EDR 7.7.x

Environment

EDR Servers: 7.7.2 to 7.8.0

Symptoms

Searches using some binary terms (digsig_publisher or file_desc) combined with negation of a term group containing spaces may return inaccurate results.  Other binary search terms, such as md5, work as expected.
Examples:
digsig_publisher:M* and -group:"Default Group"
or
file_desc:M* and -(group:"Research Network")

 

Cause

Still under investigation.

Resolution

  • The fix is expected in EDR Server 7.8.1.
  • Potential workaround: Confirm results by determining the total (without negation), then subtracting the results of a search that uses positive terms.
For example, using the same timeframe:
Search 1: digsig_publisher:M*
Search 2: digsig_publisher:M* and (group:"Group1" or group:"Group2")
Removing the results of Search 2 from those of Search 1 provides the correct results.
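The subtraction in the workaround can be scripted once both result sets are exported. The following is an added example, not code from the vendor or from EDR: it assumes each exported row carries an "md5" key, and all sample rows are constructed. It also compares a negated search against the corrected set to show whether a server is affected.

```python
# Added example: reconcile the two workaround searches, and optionally check a
# negated search against them. The "md5" row key and all sample rows are
# constructed assumptions about how the results were exported.

def md5_set(rows):
    """Unique, case-normalised md5 values from a list of result rows."""
    return {r["md5"].strip().upper() for r in rows if r.get("md5")}

def reconcile(search1_rows, search2_rows, negated_rows=None):
    """Return the corrected result set (Search 1 minus Search 2).

    If the rows of the negated search are supplied too, also report which
    binaries it wrongly dropped ("missing") or wrongly kept ("unexpected").
    """
    total = md5_set(search1_rows)
    excluded = md5_set(search2_rows)
    # Search 2 only narrows Search 1, so every hit must also be in Search 1.
    # Anything else means the timeframes or the base query differ.
    stray = excluded - total
    if stray:
        raise ValueError(f"{len(stray)} Search 2 hits not in Search 1; "
                         "re-run both with the same timeframe")
    expected = total - excluded
    report = {"expected": expected, "missing": set(), "unexpected": set()}
    if negated_rows is not None:
        got = md5_set(negated_rows)
        report["missing"] = expected - got
        report["unexpected"] = got - expected
    return report

def row(n, publisher):
    """Build one constructed sample row with a placeholder md5."""
    return {"md5": f"{n:032x}", "digsig_publisher": publisher}

# Constructed sample data, not real EDR output.
SEARCH_1 = [row(1, "Microsoft Corporation"), row(2, "Mozilla Corporation"),
            row(3, "Microsoft Corporation"), row(4, "Mozilla Corporation")]
SEARCH_2 = [row(2, "Mozilla Corporation"), row(4, "Mozilla Corporation")]
NEGATED = [row(1, "Microsoft Corporation"), row(2, "Mozilla Corporation")]

if __name__ == "__main__":
    result = reconcile(SEARCH_1, SEARCH_2, NEGATED)
    for name in ("expected", "missing", "unexpected"):
        print(name, sorted(result[name]))
```

A non-empty "missing" or "unexpected" set means the negated search disagrees with the subtraction and should not be relied on for that query.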


 

Additional Notes

  • CB-41672

Creation Date: 04-03-2023