Tweak your scan

EMBA includes a lot of configuration possibilities to tweak your firmware analysis procedure. In the following article we try to summarize some of them.

Blacklist modules

Some modules are running quite long and/or produce so much data that someone probably does not want to run them. EMBA has the possibilities to blacklist some module in the file ./config/module_blacklist.txt. To blacklist a module just add the basename of the module (without the fileending .sh) to the configuration file. This could result in the following settings:

┌──(m1k3㉿emba)-[~/github-repos/emba_forked]
└─$ cat config/module_blacklist.txt
S110_yara_check
S99_grepit

To verify the new settings you can start a new EMBA scan. In the main log file (emba.log) the following entries are shown:

xxx

Blacklist and whitelist CVEs

Override thread and module in parallel settings

EMBA tries to automatically identify how many cores your host has and calculates the maximum modules in parallel and maximum threads (within a module) in parallel. The identified settings are shown in the beginning of a firmware test:

Especially if your system is running into resource issues you are able to tweak these settings with the following command line options:

-P                Overwrite auto MAX_MODS (maximum modules in parallel) configuration
-T                Overwrite auto MAX_MOD_THREADS (maximum threads per module) configuration

Skip cve-search check during the firmware testing process

EMBA performs regular tests that the CVE-search environment is available and fully working. Sometimes this is not needed and can be disabled with the following command line options:

-j                No check for cve-search

This setting also speeds up the initial startup process. WARNING: If the cve-search environment is not fully working EMBA is not able to detect it. This could result in incomplete scanning results.

Write your profiles