Troubleshooting / FAQ¶

How long does it take a file to be analyzed?¶

Under normal operation, the analysis is usually finished within 1-2 minutes after being uploaded to the S3 bucket.

What’s the filesize limit?¶

The limiting factor is the space Lambda allocates for “/tmp”, i.e. 512 MB. If you use the downloader, note that CarbonBlack automatically truncates files to 25 MB.

YARA rules with “hash” or “imphash” fail to compile¶

If the openssl development libraries aren’t on your system when installing YARA, the hash module won’t work (example). Be sure to follow instructions for Installing Dependencies.

How much does BinaryAlert cost?¶

The two biggest costs are the S3 storage and Lambda invocations, so it will depend on how many files you have and how often you re-analyze all of them, but generally no more than a few hundred dollars per month for several TB worth of files.

Does BinaryAlert automatically test YARA rules?¶

BinaryAlert ensures that the YARA rules compile correctly before every deploy, but it does not verify that YARA rules match any particular files. However, you can test your rules locally.

Why did my live test fail?¶

Check the Lambda execution logs and the BinaryAlert dashboard for abnormalities. A common problem is that the BinaryAlert analyzers don’t understand the compiled YARA rules file. Make sure your virtual environment is set up correctly with the same YARA version and that your YARA rules only use the supported modules.

It may take 1-3 minutes after a deploy before the Lambda functions are ready to go. If a live test fails immediately after a deploy, wait a few minutes and try again.

Finally, if BinaryAlert is in the middle of a retroactive scan, the analysis queue may be backlogged.

How do I setup YARA match / metric alarm alerts?¶

You have to add a subscription to the generated SNS topic.

Analyzer timeouts¶

Analyzers can sometimes time out while downloading files from S3. If the analyzers are timing out during a retroactive scan, you can lower the objects_per_retro_message configuration option in terraform/terraform.tfvars.

Terraform destroy fails because “bucket is not empty”¶

By default, BinaryAlert S3 buckets can’t be deleted until they are empty. ./manage.py destroy will ask if you want to override this setting. See the teardown documentation for more information.

Contact Us¶

If your question wasn’t answered here, feel free to open an issue or ping us on Slack!