EDR: Yara is Not Alerting On Expected Binary

By CB_Support posted Mar 29, 2023 01:14 PM


Environment

  • Carbon Black EDR: All Versions
  • Yara Connector: All Versions

Symptoms

Yara is not alerting on a binary that matches the rule

Cause

Binary is not doing anything interesting outside of modload and is being suppressed

Resolution

By default, sensor groups use the "Recommended" retention setting. With this setting, a binary that executes and does nothing more than modloads does not get its own process document (it remains searchable by cmdline or childproc through the parent's process document). If the binary in question is being suppressed in this way, the product will not generate an alert for it from the Yara feed.

For example, double clicking a binary and closing it shortly afterwards may produce no alert if the process did nothing interesting. If the same binary is opened and then generates an event such as a netconn, an alert will be raised for the match against the Yara rule.

Additional Notes

  • VMware Carbon Black support does not assist with writing Yara rules. Please use the user exchange for assistance with rule syntax.
  • Setting the retention setting to "Minimal" will alert every time the process is executed; however, this reduces the number of event days that can be stored, because space is used to hold the individual process documents for those child processes.
  • The Yara connector itself is not responsible for alerting. It scans the storefiles table in Postgres for binaries that match the Yara rules, then writes a new report to /var/cb/data/cb-yara-connector/feed.json, which is ingested every 1 hour during the incremental feed sync. You can verify that the report exists by searching the feed on the Threat Intelligence page, or by running this command on the backend:
    curl 'http://localhost:8080/solr/cbfeeds/select?q=id:"binary_<md5 hash lower case here>"'
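The following helper script is an added example, not part of this article or the connector, that turns the check above into two reproducible steps: first confirm the feed.json on disk lists the MD5, then confirm Solr has ingested the report. It assumes feed.json uses the Carbon Black feed layout (a "reports" list whose entries carry an "iocs" object with an "md5" list) and that the Solr URL from the article is reachable on the server.

```shell
#!/bin/sh
# Added example (not from the KB article): verify whether the Yara
# connector produced a report for a binary before concluding that the
# process document was suppressed by retention settings.
# Assumed: feed.json follows the Carbon Black feed layout, where each
# entry in "reports" has an "iocs" object containing an "md5" list.

FEED_PATH=/var/cb/data/cb-yara-connector/feed.json
SOLR_URL='http://localhost:8080/solr/cbfeeds/select'

# Print the hash as lower-case hex, or print nothing and return 1 if it
# is not a 32-character MD5. Solr ids are case sensitive, so an
# upper-case hash copied from the console would silently miss.
normalize_md5() {
    h=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    case "$h" in
        *[!0-9a-f]*) return 1 ;;
    esac
    [ ${#h} -eq 32 ] || return 1
    printf '%s' "$h"
}

# Return 0 if the feed file ($1) contains the quoted md5 ($2). Matching
# the quoted string avoids needing jq on the EDR server.
feed_has_md5() {
    md5=$(normalize_md5 "$2") || return 2
    grep -q "\"$md5\"" "$1"
}

# Return 0 if Solr has ingested the report as document id binary_<md5>.
# The feed is synced into Solr hourly, so a hash present in feed.json
# but absent here usually just means the sync has not run yet.
solr_has_report() {
    md5=$(normalize_md5 "$1") || return 2
    curl -s "$SOLR_URL?q=id:%22binary_${md5}%22&wt=json" \
        | grep -q '"numFound":[1-9]'
}

# Usage on the server: check_binary <md5>
check_binary() {
    if feed_has_md5 "$FEED_PATH" "$1"; then
        echo "feed.json lists the hash"
    else
        echo "feed.json does not list the hash (connector has not matched it)"
    fi
    if solr_has_report "$1"; then
        echo "Solr has the report (suppression, not the feed, is the likely cause)"
    else
        echo "Solr has not ingested the report yet"
    fi
}
```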
