To stop a YARA rule from taking effect, you can either disable it, which leaves it in the table of YARA rules, or delete it from the table. In either case, the YARA rule will not affect newly discovered files. You cannot disable or delete pre-configured YARA rules.

Prerequisites

For a YARA rule where the Namespace is defined as IsInteresting, when you disable the rule, any files that were assigned tags while the rule was effective continue to be tracked by Carbon Black App Control and retain the tags. This prevents loss of information if an action such as a rule change is taken accidentally.

For a YARA rule where the Namespace is defined as Classification, when you disable the rule, any files that were assigned tags while the rule was effective will retain the tags until the file is rescanned. This prevents loss of information if an action such as a rule change is taken accidentally.

Tip: If you think you might use a YARA rule again, disable it instead of deleting it.

When you delete a YARA rule, it is removed permanently. Any files that were assigned tags will retain them.

Note: Upon installation of the Windows Agent 8.8.0 (and thereafter), when you delete or disable a YARA rule, the tags are not retained.

Procedure

  1. On the console menu, navigate to the Rules > Software Rules page.
  2. Click the YARA tab and locate the rule that you want to disable or delete in the table on the YARA Rule page.
  3. Do one of the following actions:
    • To disable the YARA rule, click the View Details icon on the left of the rule in the table. On the Edit YARA Rule page, click Disabled, and click Save & Exit.
    • To delete the YARA rule, click the Delete icon on the left of the rule in the table, and click OK to confirm.

Results

If you disabled the YARA rule, its status is shown as disabled in the table on the YARA Rule page. If you deleted the YARA rule, it is no longer listed on the YARA Rule page.