EDR: Negation of Some Binary Term Searches May Provide Inaccurate Results in EDR 7.7.x

Environment

EDR Servers: 7.7.2 to 7.8.0

Symptoms

Binary searches that combine certain terms (digsig_publisher or file_desc) with the negation of a group term whose value contains spaces (for example -group:"Default Group") may return inaccurate results. Other binary search terms, such as md5, behave as expected when combined with the same negation.
Examples:
digsig_publisher:M* and -group:"Default Group"
or
file_desc:M* and -(group:"Research Network")

Cause

Still under investigation.

Resolution

  • The fix is expected in EDR Server 7.8.1.
  • Potential workaround: avoid the negation entirely. First run the search without the negated term to get the full result set, then run a second search that names the groups you wanted to exclude as positive terms. The results you want are those returned by the first search that do not appear in the second. Both searches must use the same timeframe; if new binaries arrive between the two runs, the subtraction will be off, so run them back to back.
For example, using the same timeframe:
Search 1: digsig_publisher:M*
Search 2: digsig_publisher:M* and (group:"Group1" or group:"Group2")
Removing the results of search 2 from the results of search 1 gives the correct result set.

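The subtraction workaround above is easy to get wrong by hand when the result sets run to hundreds of binaries, so the following script automates it. This is an added example, not code from the KB article or from VMware Carbon Black. It assumes the EDR binary search REST endpoint GET /api/v1/binary with q, rows and start parameters, returning JSON with "results" (each carrying an "md5") and "total_results", authenticated with an X-Auth-Token header; the SAMPLE_BINARIES inventory and the fake server are constructed for offline demonstration. The timeframe clause, if you use one, is whatever date-range syntax your EDR version accepts and is appended unchanged to both searches.

```python
"""Run the EDR "negation" workaround as two positive searches and subtract.

Added example (not the KB's or Carbon Black's own code). Assumptions:
  - GET /api/v1/binary?q=...&rows=...&start=... returns
    {"results": [...], "total_results": N}, each result having an "md5";
  - authentication is an X-Auth-Token header.
The fake fetch at the bottom stands in for the server so this runs offline.
"""
import json
import re
import urllib.parse
import urllib.request
from typing import Callable, Dict, Iterable, List, Optional

# A fetch callable takes the query parameters and returns the parsed JSON body.
Fetch = Callable[[Dict[str, object]], Dict[str, object]]


def quote_group(name: str) -> str:
    """Sensor group names may contain spaces, so they are always quoted."""
    return '"' + name.replace('"', '\\"') + '"'


def positive_group_clause(groups: Iterable[str]) -> str:
    """Build the positive clause for search 2, e.g. (group:"A" or group:"B")."""
    return "(" + " or ".join("group:" + quote_group(g) for g in groups) + ")"


def fetch_all(fetch: Fetch, query: str, rows: int = 500) -> Dict[str, dict]:
    """Page through a binary search and return every result keyed by md5."""
    hits: Dict[str, dict] = {}
    start = 0
    while True:
        body = fetch({"q": query, "rows": rows, "start": start})
        page = body.get("results", [])
        for doc in page:
            hits[str(doc["md5"]).lower()] = doc
        start += len(page)
        if not page or start >= int(body.get("total_results", 0)):
            return hits


def search_without_negation(fetch: Fetch, base_query: str, excluded_groups: List[str],
                            timeframe: Optional[str] = None, rows: int = 500) -> Dict[str, dict]:
    """Search 1 (everything) minus search 2 (only the groups to exclude)."""
    scope = base_query if timeframe is None else f"{base_query} and {timeframe}"
    everything = fetch_all(fetch, scope, rows)
    in_groups = fetch_all(fetch, f"{scope} and {positive_group_clause(excluded_groups)}", rows)
    # Search 2 must be a subset of search 1; anything else means the index
    # changed between the two runs (or the timeframes differ), so refuse to guess.
    drift = set(in_groups) - set(everything)
    if drift:
        raise RuntimeError(f"{len(drift)} hits in search 2 missing from search 1; rerun both")
    return {md5: doc for md5, doc in everything.items() if md5 not in in_groups}


def make_http_fetch(base_url: str, api_token: str) -> Fetch:
    """Real client against an EDR server (assumed endpoint and header names)."""
    def fetch(params: Dict[str, object]) -> Dict[str, object]:
        url = f"{base_url.rstrip('/')}/api/v1/binary?{urllib.parse.urlencode(params)}"
        req = urllib.request.Request(url, headers={"X-Auth-Token": api_token})
        with urllib.request.urlopen(req, timeout=60) as resp:
            return json.load(resp)
    return fetch


# Constructed sample inventory standing in for the EDR binary index.
SAMPLE_BINARIES = [
    {"md5": "11111111111111111111111111111111", "digsig_publisher": "Microsoft Windows", "group": ["Default Group"]},
    {"md5": "22222222222222222222222222222222", "digsig_publisher": "Mozilla Corporation", "group": ["Research Network"]},
    {"md5": "33333333333333333333333333333333", "digsig_publisher": "Microsoft Corporation", "group": ["Workstations"]},
    {"md5": "44444444444444444444444444444444", "digsig_publisher": "Google LLC", "group": ["Default Group"]},
    {"md5": "55555555555555555555555555555555", "digsig_publisher": "McAfee, Inc.", "group": ["Servers"]},
]


def make_fake_fetch(inventory: List[dict]) -> Fetch:
    """Offline stand-in that understands only the two query shapes built above."""
    def fetch(params: Dict[str, object]) -> Dict[str, object]:
        q = str(params["q"])
        prefix = re.match(r"digsig_publisher:(\w+)\*", q).group(1)
        groups = set(re.findall(r'group:"([^"]*)"', q))
        matched = [b for b in inventory
                   if b["digsig_publisher"].startswith(prefix)
                   and (not groups or set(b["group"]) & groups)]
        start, rows = int(params["start"]), int(params["rows"])
        return {"total_results": len(matched), "results": matched[start:start + rows]}
    return fetch


if __name__ == "__main__":
    fake = make_fake_fetch(SAMPLE_BINARIES)
    remaining = search_without_negation(fake, "digsig_publisher:M*",
                                        ["Default Group", "Research Network"], rows=2)
    for md5, doc in sorted(remaining.items()):
        print(md5, doc["digsig_publisher"], doc["group"])
```

Against a live server, swap make_fake_fetch for make_http_fetch(base_url, api_token) and keep rows large enough that both searches finish quickly; the subset check raises if the index moved between the two runs, which is the failure mode the "same timeframe" advice is guarding against.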
Additional Notes

  • CB-41672

Article Information

Creation Date: 04-03-2023