Threat Report: Exposing Malware in Linux-Based Multi-Cloud Environments | Download Now

EDR: Modulestore Filling Disk When Alliance Sharing Is Disabled

EDR: Modulestore Filling Disk When Alliance Sharing Is Disabled

Environment

  • EDR Server: All versions

Symptoms

Modulestore is taking up a large portion of /var/cb/data:

du -h /var/cb/data --max-depth=1

Cause

This will occur if alliance sharing is disabled and a modulestore cron job is not in place.

Resolution

One or more of the following options will need to be put in place
  1. Enable Binary sharing with Alliance
  2. Enable cbmodule purge: How To Enable Automated Cbmodule Purging
  3. Disable modulestore collection under sensor group settings
  4. Increase disk size

Additional Notes


Related Content


Labels (1)
Was this article helpful? Yes No
No ratings
Article Information
Author:
Creation Date:
‎09-09-2020
Views:
1520
Contributors