Troubleshooting / FAQ
How long does it take a file to be analyzed?
Under normal operation, the analysis is usually finished within 1-2 minutes after the file is uploaded to the S3 bucket.
What's the filesize limit?
YARA rules with "hash" or "imphash" fail to compile
How much does BinaryAlert cost?
The two biggest costs are the S3 storage and Lambda invocations, so it will depend on how many files you have and how often you re-analyze all of them. A rough estimate at current rates is $0.057 / GB / month.
Does BinaryAlert automatically test YARA rules?
BinaryAlert ensures that the YARA rules compile correctly before every deploy, but it does not verify that YARA rules match any particular files. However, you can test your rules locally.
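As an added example (not part of the BinaryAlert documentation or code base), the script below is a local pre-deploy check that covers both of the points above: it flags rule files that reference the "hash" module or pe.imphash(), which this FAQ says fail to compile, and, if yara-python is installed in the virtual environment, it compiles the whole rules tree so that any other compile error surfaces before a deploy. The sample rule texts, file names, placeholder hash values and the regex patterns are all constructed for illustration; the optional externals you pass to the compile step must match whatever your own rules reference.

```python
"""Local pre-deploy check for a directory of YARA rules (added example, not BinaryAlert code).

Flags rule files that use the "hash" module or pe.imphash() and, when yara-python
is available, compiles the whole tree so compile errors show up locally.
"""
import re
import sys
from pathlib import Path
from typing import Dict, List, Optional

try:
    import yara  # yara-python; only needed for the optional compile step
except ImportError:
    yara = None

# Features this FAQ says BinaryAlert cannot compile. The patterns are assumptions
# made for this example; extend the table if your deployment rejects more modules.
UNSUPPORTED = {
    'hash module': re.compile(r'^\s*import\s+"hash"', re.MULTILINE),
    'pe.imphash()': re.compile(r'\bpe\.imphash\s*\('),
}
# Approximate comment stripping (// ... and /* ... */) so a mention inside a
# comment is not reported as a real use.
COMMENT = re.compile(r'//[^\n]*|/\*.*?\*/', re.DOTALL)

# Constructed sample rule files; the hash values are placeholders, not indicators.
SAMPLE_RULES = {
    'uses_hash.yar': '''
import "hash"
rule placeholder_md5_match {
    condition: hash.md5(0, filesize) == "00000000000000000000000000000000"
}
''',
    'uses_imphash.yar': '''
import "pe"
rule placeholder_imphash_match {
    condition: pe.imphash() == "00112233445566778899aabbccddeeff"
}
''',
    'clean.yar': '''
// TODO: switch to pe.imphash() once the analyzers support it
rule eicar_marker {
    strings: $s = "EICAR-STANDARD-ANTIVIRUS-TEST-FILE"
    condition: $s
}
''',
}


def find_unsupported(rule_text: str) -> List[str]:
    """Return the unsupported features referenced by one rule file, comments ignored."""
    code = COMMENT.sub('', rule_text)
    return [name for name, pattern in UNSUPPORTED.items() if pattern.search(code)]


def check_rule_texts(rules: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each rule file name to the unsupported features it uses; clean files are omitted."""
    problems = {}
    for name, text in rules.items():
        hits = find_unsupported(text)
        if hits:
            problems[name] = hits
    return problems


def check_rules_dir(rules_dir: Path) -> Dict[str, List[str]]:
    """Read every .yar/.yara file under rules_dir and run check_rule_texts over them."""
    texts = {str(p.relative_to(rules_dir)): p.read_text()
             for p in sorted(rules_dir.rglob('*.yar*')) if p.is_file()}
    return check_rule_texts(texts)


def compile_rules_dir(rules_dir: Path, externals: Optional[Dict[str, str]] = None):
    """Compile the whole tree with one namespace per file (keyed by relative path).

    Pass the same externals your rules reference (e.g. filename) or compilation
    of rules that use them will fail here too.
    """
    if yara is None:
        raise RuntimeError('yara-python is not installed in this virtual environment')
    filepaths = {str(p.relative_to(rules_dir)): str(p)
                 for p in rules_dir.rglob('*.yar*') if p.is_file()}
    return yara.compile(filepaths=filepaths, externals=externals or {})


if __name__ == '__main__':
    # Usage: python check_rules.py [path/to/rules]; with no path the sample rules are checked.
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else None
    problems = check_rules_dir(target) if target else check_rule_texts(SAMPLE_RULES)
    for name, hits in problems.items():
        print(f'{name}: uses {", ".join(hits)}')
    if target and yara is not None:
        compile_rules_dir(target)
        print('all rules compiled')
```

Run it against your rules directory before `./manage.py deploy`; the regex pass is deliberately separate from the compile step so it still gives a useful answer on a machine where yara-python is missing or built differently from the one the analyzers use.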
Why did my live test fail?
Check the Lambda execution logs and the BinaryAlert dashboard for abnormalities. A common problem is that the BinaryAlert analyzers don’t understand the compiled YARA rules file. Make sure your virtual environment is set up correctly and that your YARA rules only use the supported modules. It is also possible that one or more AWS components might be down.
It may take 1-3 minutes after a deploy before the Lambda functions are ready to go. If a live test fails immediately after a deploy, wait a few minutes and try again.
How do I set up YARA match / metric alarm alerts?
You have to add a subscription to the generated SNS topic.
Analyzers can sometimes time out while downloading files from S3. If the analyzers are timing out during a retroactive (batch) analysis, you can lower the lambda_batch_objects_per_message configuration option in
Why are there regular downloader errors?
The CarbonBlack server can sometimes take several minutes before binaries and their metadata are available.
Terraform destroy fails because "bucket is not empty"
By default, BinaryAlert S3 buckets can’t be deleted until they are empty.
will ask if you want to override this setting. See the teardown documentation.