Kaspersky Endpoint Agent

Requirements for YARA files

November 17, 2023

ID 225455

When performing a YARA scan, consider the following requirements and limitations related to YARA files:

  • Kaspersky Endpoint Agent supports YARA files with the yara and yar extensions. These files use YARA version 4.0.2, an open standard for describing indicators of compromise.
  • Only files containing YARA rules can be specified for the YARA Scan task. Files with other types of rules are not supported for the YARA Scan task.
  • If the YARA files you download for a scan are not supported by Kaspersky Endpoint Agent or contain syntax errors, the scan does not start and the corresponding error message is displayed.
  • Identifiers of all YARA files that are used in the same YARA Scan task must be unique. The presence of YARA files with the same identifier can affect the correctness of the task execution results.

It is recommended to create one rule in one YARA file. This approach makes the scan results easier to read.
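
A pre-flight check for the requirements above, written as an added example; it is not Kaspersky code and not part of the original article. It assumes that "identifier" means the YARA rule identifier (the name after the `rule` keyword), finds rule declarations with a line-based regular expression rather than a YARA parser, and uses hypothetical names (`preflight`, `rule_identifiers`, `SAMPLE`).

```python
import re

ALLOWED_EXTENSIONS = (".yara", ".yar")  # the two extensions this page names
# Heuristic: a rule declaration at the start of a line, with optional modifiers.
RULE_DECL = re.compile(
    r"^\s*(?:(?:private|global)\s+)*rule\s+([A-Za-z_][A-Za-z0-9_]*)", re.MULTILINE)
BLOCK_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)


def rule_identifiers(text):
    """Rule identifiers declared in YARA source, ignoring /* ... */ comments."""
    return RULE_DECL.findall(BLOCK_COMMENT.sub("", text))


def preflight(files):
    """files maps file name -> YARA source text; returns (file, problem) pairs."""
    findings, seen = [], {}  # seen: identifier -> first file that declared it
    for name, text in files.items():
        if not name.endswith(ALLOWED_EXTENSIONS):
            findings.append((name, "unsupported extension"))
            continue
        ids = rule_identifiers(text)
        if not ids:
            findings.append((name, "no YARA rule found"))
        elif len(ids) > 1:
            findings.append((name, f"{len(ids)} rules in one file"))
        for ident in ids:
            if ident in seen:
                findings.append(
                    (name, f"duplicate identifier {ident} (first in {seen[ident]})"))
            else:
                seen[ident] = name
    return findings


# Constructed sample input, not taken from any real rule set.
SAMPLE = {
    "dropper.yar": 'rule Dropper_A { strings: $a = "abc" condition: $a }',
    "loader.yara": "rule Dropper_A { condition: filesize < 1KB }\n"
                   "private rule Helper { condition: true }",
    "iocs.txt": "rule Other { condition: true }",
}

if __name__ == "__main__":
    for name, problem in preflight(SAMPLE):
        print(f"{name}: {problem}")
```

The check does not detect syntax errors; compiling the files with YARA itself is still needed for that.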
