
EDR: How To Purge Modulestore Binary Files

Environment

  • EDR: 5.x and higher

Objective

To manually remove the modulestore binary files from an EDR server or cluster.  

Resolution

  1. Log onto the CLI of the EDR server. For a cluster, log into each minion server.
  2. Determine the MaxEventStoreDays setting in /etc/cb/cb.conf as the starting point for the purge age:
    # grep MaxEventStoreDays /etc/cb/cb.conf
  3. Get the list of binaries that will be removed, replacing XX with the MaxEventStoreDays value:
    # find /var/cb/data/modulestore -name "*.zip" -type f -mtime +XX > /tmp/ls_purge_binary.txt 2>&1
    (Alternatively, confirm by printing each match to the screen; %s is the size in bytes, %p the path and %t the modification time.)
    # find /var/cb/data/modulestore -name "*.zip" -type f -mtime +XX -printf "%s %p %t\n"
  4. Run the following, replacing XX with the MaxEventStoreDays value:
    Warning: Verify your system time before running this command; -mtime compares each file's modification time against the current clock, so a wrong clock selects the wrong files.
    # find /var/cb/data/modulestore -name "*.zip" -type f -mtime +XX -delete
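The steps above folded into a single dry-run-first shell function, added here as an example and not part of the original article or of Carbon Black's own tooling. The function names, the argument layout and the "list"/"delete" modes are this example's own choices; the cb.conf path and the modulestore directory are passed in as arguments so the logic can be exercised against a scratch copy before it is pointed at /etc/cb/cb.conf and /var/cb/data/modulestore.

```shell
#!/bin/sh
# Added example: reads MaxEventStoreDays from cb.conf, lists the modulestore
# .zip files older than that many days, and deletes only on explicit request.
# Requires GNU find (for -printf), as the article's own commands do.

# Usage: purge_modulestore CONF_PATH STORE_DIR [list|delete]
#   list   (default) print "size path mtime" for every candidate file
#   delete print each candidate path and remove it
# Returns 1 if MaxEventStoreDays cannot be read, 2 on an unknown mode.
purge_modulestore() {
    conf="$1"; store="$2"; mode="${3:-list}"
    # Take the integer after MaxEventStoreDays=, skipping commented lines;
    # head guards against a duplicated key in the file.
    days=$(sed -n 's/^[[:space:]]*MaxEventStoreDays[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$conf" | head -n 1)
    if [ -z "$days" ]; then
        echo "MaxEventStoreDays not found in $conf" >&2
        return 1
    fi
    # Surface the clock the comparison will use, matching the article's warning
    echo "system time: $(date), purging *.zip older than $days days" >&2
    case "$mode" in
        list)   find "$store" -name "*.zip" -type f -mtime +"$days" -printf "%s %p %t\n" ;;
        delete) find "$store" -name "*.zip" -type f -mtime +"$days" -print -delete ;;
        *)      echo "mode must be list or delete" >&2; return 2 ;;
    esac
}

# Number of files the purge would remove; useful as a sanity check before "delete".
count_purge_candidates() {
    purge_modulestore "$1" "$2" list 2>/dev/null | wc -l | tr -d ' '
}
```

Run the list mode first and compare its count against the binary count shown in the console before switching to delete.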

Additional Notes

  • Binaries uploaded from Sensors to the EDR cluster are located inside /var/cb/data/modulestore/
  • These steps will irrecoverably remove data from the EDR server. After removing this data, attempting to download this binary from the binary details page will result in a 404.

Article Information

Creation Date: 09-09-2020