Hey folks, I was wondering whether

read_max

applies to all interactions that

osqueryd

may have with a given file - such as hashing, and on-demand yara scans ( triggered via snapshot queries)?

I'd have to check the source code to be sure, but I think yes for hashing and I'm unsure about yara

Yara is not limited by that, since it reads files on its own

Thanks for confirming!

read_max

also doesn't apply to the

ssdeep

column(s) in the hash table

If I'm joining on the table, and explicitly only pulling certain fields, will

ssdeep

and friends still be computed? As an example:

...
hash.md5 as md5, hash.sha1 as sha1, hash.sha256 as sha256 FROM processes JOIN hash USING
...

it should not..

Thanks for your help, folks 😄

For context,

read_max

applies in places osquery reads the content of a file. In places where it’s passing a filename to some other library, that library may read the whole thing. I’m not sure why anyone would know which hashing functions come out of which places. But it maybe helps understand why a join would be fine

Gotcha, that makes sense!