Environment
- EDR Server: All Supported Versions
- EDR Yara-Connector: 2.x
Objective
When adding a new Yara rule to the cb-yara-connector, it does not retroactively scan binaries.
Resolution
- This is expected and by design, as a full modulestore/binary scan can be expensive on resources.
- To re-scan the binaries against all rules, including new ones:
- The cb-yara-connector database can be reset using the cb-yara-manager UI via the Reset DB button:
- This can also be reset by removing or backing up the cb-yara-connector database and restarting the cb-yara-connector service:
- The cb-yara-connector database can be reset using the cb-yara-manager UI via the Reset DB button:
rm /var/cb/data/cb-yara-connector/feed_db/binary.db systemctl restart cb-yara-connector
- Note: this will initiate a re-scan of the modulestore.
Thank you for your feedback.
Your feedback has been submitted and will be reviewed.