Hey folks I was wondering whether `read max` applies to all

Question

Hey folks I was wondering whether `read max` applies to all interactions that `osqueryd` may have with a given file such as hashing and on demand yara scans triggered via snapshot queries

seph · Answer

I d have to check the source code to be sure but I think yes for hashing and I m unsure about yara

Stefano Bonicatti · Answer

Yara is not limited by that since it reads files on its own

Peter · Answer

Thanks for confirming

sharvil · Answer

`read max` also doesn t apply to the `ssdeep` column s in the hash table

Peter · Answer

If I m joining on the table and explicitly only pulling certain fields will `ssdeep` and friends still be computed As an example ``` hash md5 as md5 hash sha1 as sha1 hash sha256 as sha256 FROM processes JOIN hash USING ```

sharvil · Answer

it should not

Peter · Answer

Thanks for your help folks smile

seph · Answer

For context `read max` applies in places osquery reads the content of a file In places where it s passing a filename to some other library that library may read the whole thing I m not sure why anyone would know which hashing functions come out of which places But it maybe helps understand why a join would be fine

Peter · Answer

Gotcha that makes sense