logo

Knowledge Base

Access official resources from Carbon Black experts

Threat Report: Exposing Malware in Linux-Based Multi-Cloud Environments | Download Now

EDR: Yara is Not Alerting On Expected Binary

EDR: Yara is Not Alerting On Expected Binary

Environment

  • Carbon Black EDR: All Versions
  • Yara Connector: All Versions

Symptoms

Yara is not alerting on a binary that matches the rule

Cause

Binary is not doing anything interesting outside of modload and is being suppressed

Resolution

By default sensor groups are set to "Recommended" retention. With this setting, binaries executed that do nothing more than modloads will not have their own process document (still searchable by cmdline or childproc via the parent document). If the binary in question is being suppressed, the product will not alert on the binary based on the yara feed. 

For example, double clicking a process and closing shortly after may result in no alert if the process did nothing interesting. If the same process was opened, then a netconn for example was generated, an alert will come in for the match against Yara.

Additional Notes

  • VMware Carbon Black support does not assist with writing Yara rules. Please utilize the user exchange for assistance with rule syntax.
  • Setting the retention setting to "Minimal" will alert anytime that process is executed, however this reduces the amount of stored event days in order to hold the individual process documents for those children. 
  • The Yara connector itself is not responsible for the alerting, it scans the storefiles table in postgres for matches to the yara rule, then writes a new report to /var/cb/data/cb-yara-connector/feed.json, which is ingested every 1 hour during incremental feed sync. You can verify the report exists by searching in the feed on the Threat Intelligence page, or by running this command on the backend. 
    curl 'http://localhost:8080/solr/cbfeeds/select?q=id:"binary_<md5 hash lower case here>"'

Related Content


Labels (2)
Labels:
Was this article helpful? Yes No
No ratings
Article Information
Author:
CB_Support
Creation Date:
‎03-29-2023
Views:
307
Contributors
logo

Copyright © 2005-2023 Broadcom. All Rights Reserved. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries.