Some Binary Search fields can be used as part of a Process Search query.
For more information, see Fields in Process and Binary Searches.
In this case, the results returned are process instances that are backed by binaries that match the binary search criteria. This is called a joined search. For example, consider submitting the following query on the Process Search page:
digsig_result:Unsigned
This query returns all process instances whose backing binary (identified by its MD5) is unsigned. By default, joined searches are performed against the MD5 of the process executable itself (process_md5). However, joined searches can also be performed against the MD5 of the binary involved in the following related events:
filewrites = <binary_field>_filewrite
parent processes = <binary_field>_parent
child processes = <binary_field>_child
modloads = <binary_field>_modload
Specify the search by adding the following suffixes to the end of the binary search field:
filewrite
parent
child
modload
For example:
digsig_result_modload:Unsigned
This query returns all process instances that have loaded an unsigned module.
Process searches involving large binary joins are blocked by default beginning in Carbon Black EDR version 6.2.3. See Managing High-Impact Queries to modify this behavior.
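As an added example (not code from the Carbon Black EDR documentation or product), the following Python helper builds process-search terms using the join-suffix convention described above, rejects unknown suffixes, and expands one binary criterion across every join type for a broader hunt; the double-quoting of values containing whitespace and the process_name value are assumptions.

```python
from typing import Optional

# The four join suffixes listed on the page; None means the default join
# against the process executable itself (process_md5).
JOIN_SUFFIXES = ("filewrite", "parent", "child", "modload")


def term(field: str, value: str) -> str:
    """Return a plain 'field:value' term for any process or binary search field."""
    # Assumption: values containing whitespace must be wrapped in double quotes.
    if any(ch.isspace() for ch in value):
        value = f'"{value}"'
    return f"{field}:{value}"


def joined_term(binary_field: str, value: str, join: Optional[str] = None) -> str:
    """Return a joined-search term such as 'digsig_result_modload:Unsigned'.

    join=None keeps the bare binary field, which is joined against the
    process executable by default.
    """
    if join is not None and join not in JOIN_SUFFIXES:
        raise ValueError(f"unknown join suffix {join!r}; expected one of {JOIN_SUFFIXES}")
    field = binary_field if join is None else f"{binary_field}_{join}"
    return term(field, value)


def build_query(*terms: str, operator: str = "AND") -> str:
    """Combine already-built terms with a boolean operator (AND or OR)."""
    if operator not in ("AND", "OR"):
        raise ValueError("operator must be AND or OR")
    return f" {operator} ".join(terms)


def across_all_joins(binary_field: str, value: str) -> str:
    """Match the criterion on the executable itself or on any joined event
    (written file, parent, child or loaded module). Broad joins like this
    may be blocked as high-impact queries on EDR 6.2.3 and later."""
    joins = (None, *JOIN_SUFFIXES)
    return build_query(*(joined_term(binary_field, value, j) for j in joins), operator="OR")


if __name__ == "__main__":
    # The two queries from the page, then a narrower hunt combining a
    # process field with a joined binary field (process_name value assumed).
    print(joined_term("digsig_result", "Unsigned"))
    print(joined_term("digsig_result", "Unsigned", "modload"))
    print(build_query(term("process_name", "rundll32.exe"),
                      joined_term("digsig_result", "Unsigned", "modload")))
    print(across_all_joins("digsig_result", "Unsigned"))
```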