EDR: Understanding Yara Components

  • EDR Server: 7.7.x
  • Yara Connector: 2.2.0
  • Yara Manager: 2.2.0


How does the Yara Connector and Yara Manager work with EDR servers?


Yara Components and Data Flow

1. Yara rule (.yar) files are read, compressed and loaded into memory. New .yar files are picked up without restarting the cb-yara-connector service.
Component: /etc/cb/integrations/cb-yara-connector/yara_rules/.YARA_RULES_xxxx

2. The Postgres binary_status table is read every 15 minutes to identify new binary entries.
Component: Postgres DB table binary_status.

3. New binaries are stored on the EDR servers. Yara Connector pulls a temporary copy of each new binary from the EDR servers.
Component: /var/cb/data/modulestore/

4. The binaries are analyzed against the Yara rules and the results are recorded in Yara Connector's SQLite database.
Component: /var/cb/data/cb-yara-connector/feed_db/binary.db. The binary.db-wal and binary.db-shm files are helper files for binary.db.

5. If a binary matches a Yara rule, the match information is stored in Yara Connector's JSON feed file.
Component: /var/cb/data/cb-yara-connector/feed.json

6. Every hour, Yara Connector performs an incremental synchronization between feed.json and the Solr data. A complete synchronization occurs daily. Incremental and complete synchronizations can also be triggered on demand from the Yara Feed tile.
Component: /var/cb/data/solr/

7. The EDR Console uses API calls against the Solr data to surface the Yara alerts in Notifications, Process Searches and Yara Threat Reports.
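To make steps 2 through 5 concrete, the following added example (not part of this article or of the Yara Connector's own code) models the incremental pass: only binaries not yet recorded in a binary.db-style SQLite table are scanned, and only matching binaries are rendered into a feed.json-style document. The binary_status rows, modulestore contents and md5 values are constructed; a byte-pattern matcher stands in for the YARA engine, and the feedinfo/reports layout follows the Carbon Black feed JSON shape with assumed field values.

```python
import json
import sqlite3
import time

# Constructed stand-in for the Postgres binary_status rows the connector polls;
# the md5 values are made up for this example.
BINARY_STATUS_ROWS = [
    {"md5": "0f1e2d3c4b5a69788796a5b4c3d2e1f0"},
    {"md5": "ffeeddccbbaa99887766554433221100"},
]
# Constructed stand-in for /var/cb/data/modulestore/: md5 -> file bytes.
MODULESTORE = {
    "0f1e2d3c4b5a69788796a5b4c3d2e1f0": b"MZ\x90\x00 benign installer payload",
    "ffeeddccbbaa99887766554433221100": b"MZ\x90\x00 powershell -enc SQBFAFgA",
}
# Hypothetical rule set: a byte-pattern matcher stands in for the YARA engine
# (the real connector compiles .yar files with yara-python).
RULES = {"Encoded_PowerShell": [b"powershell -enc", b"powershell -e "]}

def scan(data: bytes) -> list:
    """Return the names of rules whose patterns appear in the binary."""
    return [name for name, pats in RULES.items() if any(p in data for p in pats)]

def open_db(path: str = ":memory:") -> sqlite3.Connection:
    """Equivalent of binary.db: one row per analyzed binary, matches stored as JSON."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE IF NOT EXISTS binaries (md5 TEXT PRIMARY KEY, matches TEXT)")
    return conn

def process_new_binaries(conn, rows, fetch) -> list:
    """Incremental pass: scan only md5s not yet recorded, as the 15-minute poll does."""
    scanned = []
    for row in rows:
        md5 = row["md5"]
        if conn.execute("SELECT 1 FROM binaries WHERE md5 = ?", (md5,)).fetchone():
            continue  # already analyzed in an earlier pass
        conn.execute("INSERT INTO binaries VALUES (?, ?)", (md5, json.dumps(scan(fetch(md5)))))
        scanned.append(md5)
    conn.commit()
    return scanned

def build_feed(conn) -> dict:
    """Render matches in a feedinfo/reports layout; only matching binaries become reports."""
    reports = []
    for md5, matches in conn.execute("SELECT md5, matches FROM binaries ORDER BY md5"):
        rules = json.loads(matches)
        if rules:
            reports.append({"id": "binary_" + md5, "timestamp": int(time.time()), "score": 100,
                            "iocs": {"md5": [md5]}, "title": "YARA match: " + ", ".join(rules)})
    return {"feedinfo": {"name": "yara_feed_example", "display_name": "Yara Feed (example)"},
            "reports": reports}

if __name__ == "__main__":
    db = open_db()
    print(process_new_binaries(db, BINARY_STATUS_ROWS, MODULESTORE.__getitem__))  # both md5s
    print(process_new_binaries(db, BINARY_STATUS_ROWS, MODULESTORE.__getitem__))  # [] next poll
    print(json.dumps(build_feed(db), indent=2))
```

Running the poll twice shows the incremental behaviour: the second pass scans nothing because both md5s are already present in the SQLite table.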
