
EDR: How To Purge Modulestore Binary Files



  • EDR: 5.x and higher


Manually remove the modulestore binary files from an EDR server or cluster.


  1. Log on to the CLI of the EDR server. For a cluster, log in to each minion server.
  2. Determine the MaxEventStoreDays setting in /etc/cb/cb.conf as a starting point to purge to:
    # grep MaxEventStoreDays /etc/cb/cb.conf
  3. Get the list of binaries that will be removed, replacing XX with the MaxEventStoreDays value:
    # find /var/cb/data/modulestore -name "*.zip" -type f -mtime +XX &> /tmp/ls_purge_binary.txt
  4. Run the following, replacing XX with the MaxEventStoreDays value:
    Warning: Verify your system time before running this command.
    # find /var/cb/data/modulestore -name "*.zip" -type f -mtime +XX -delete
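
The steps above combined into one guarded script, as an added example that is not vendor code: it reads MaxEventStoreDays from cb.conf, stops unless the value is a positive integer, and deletes only when `--delete` is passed. The `KEY=VALUE` layout of cb.conf, the function names and the `PURGE_LIST` variable are assumptions.

```shell
#!/bin/sh
# Added example, not vendor code. Paths are the ones named in the article;
# the KEY=VALUE layout of cb.conf is an assumption.

# Print MaxEventStoreDays from CONF; fail unless it is a positive integer,
# so an empty or garbled value can never reach "find -mtime".
retention_days() {
    days=$(sed -n 's/^[[:space:]]*MaxEventStoreDays[[:space:]]*=[[:space:]]*//p' "$1" \
        | tail -n 1 | tr -d '[:space:]')
    case $days in
        ''|*[!0-9]*) echo "MaxEventStoreDays missing or not numeric in $1" >&2
                     return 1 ;;
    esac
    [ "$days" -gt 0 ] || { echo "refusing to purge with a 0-day cutoff" >&2; return 1; }
    printf '%s\n' "$days"
}

# Step 3: list the .zip files in DIR last modified more than DAYS days ago.
list_candidates() {
    find "$1" -name '*.zip' -type f -mtime +"$2"
}

# purge_modulestore CONF DIR [--delete]
# Always writes the candidate list; removes files only when --delete is given.
purge_modulestore() {
    conf=$1; dir=$2; mode=${3:-}
    list=${PURGE_LIST:-/tmp/ls_purge_binary.txt}
    days=$(retention_days "$conf") || return 1
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
    list_candidates "$dir" "$days" > "$list" || return 1
    # Show the clock so a wrong system time is noticed before anything is deleted.
    echo "system time $(date); cutoff $days days; $(wc -l < "$list") file(s) in $list" >&2
    if [ "$mode" = "--delete" ]; then
        find "$dir" -name '*.zip' -type f -mtime +"$days" -delete
    fi
}

# Dry run, then purge (run on each minion in a cluster):
#   purge_modulestore /etc/cb/cb.conf /var/cb/data/modulestore
#   purge_modulestore /etc/cb/cb.conf /var/cb/data/modulestore --delete
```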

Additional Notes

  • Binaries uploaded from Sensors to the EDR cluster are located inside /var/cb/data/modulestore/
  • These steps will irrecoverably remove data from the EDR server. After removing this data, attempting to download this binary from the binary details page will result in a 404.
