Osquery uses basic SQL commands to leverage a relational data-model to describe a device.

osquery

Hey folks, I was wondering whether `read_max` applies to all interactions that `osqueryd` may have with a given file - such as hashing, and on-demand yara scans ( triggered via snapshot queries)?

I'd have to check the source code to be sure, but I think yes for hashing and I'm unsure about yara

Yara is not limited by that, since it reads files on its own

`read_max` also doesn't apply to the `ssdeep` column(s) in the hash table

If I'm joining on the table, and explicitly only pulling certain fields, will `ssdeep` and friends still be computed? As an example:

```...
hash.md5 as md5, hash.sha1 as sha1, hash.sha256 as sha256 FROM processes JOIN hash USING
...```

For context, `read_max` applies in places osquery reads the content of a file. In places where it’s passing a filename to some other library, that library may read the whole thing.

I’m not sure why anyone would know which hashing functions come out of which places. But it maybe helps understand why a join would be fine