Creating a task to scan hosts using YARA rules

You can scan Kaspersky Endpoint Agent for Windows hosts using YARA rules.

To create a task for scanning Kaspersky Endpoint Agent for Windows hosts using YARA rules:

  1. Select the Tasks section in the program web interface window.

    This opens the task table.

  2. Click Add and select Start YARA scan.

    This opens the task creation window.

  3. Configure the following settings:
    1. Select rules is the rule to apply. Enter the rule name, or a sequence of characters from the rule name, and then select the rule in the list.

      You can add multiple rules.

    2. Scan is the scan scope. Select one of the following options:
      • RAM if you want to scan processes that are running at the time of the task execution.

        The program does not scan processes with a low priority.

      • Specified folders if you want to scan files that are located in a specified folder and all its nested folders at the time of the task execution.
      • All local disks if you want to scan files stored in all folders on local disks at the time of the task execution.

        Scanning all local disks can cause high load on the host.

    3. If you selected RAM:
      • In the Processes field, you can enter the short names of processes, or a file mask, to select the processes that you want to scan.

        If multiple processes with identical names are running on the host, the program scans all such processes.

        If the Processes field is left blank, the program scans all processes that were running at the time of the task execution, except processes with a PID below 10 and processes listed in the Exclusions field.

      • In the Exclusions field, you can enter the short names of processes, or a file mask, to select the processes that you want to exclude from scanning.

        If multiple processes with identical names are running on the host, the program excludes all such processes from scanning.

    4. If you selected Specified folders:
      • In the Specified folders field, enter the full paths of the folders, or the names or masks of the files, that you want to scan (for example, C:\Users\User1\Documents\* or C:\Program files\*.exe).
      • In the Exclusions field, you can enter the full paths of folders, or the names or masks of files, that you want to exclude from scanning.
    5. Maximum scan duration is the time limit for the scan.

      When this time elapses, the scan is stopped even if some rules have not yet been applied on all hosts. The task report contains only the results that were available at the moment when the scan was stopped.

    6. Description—Task description. This field is optional.
    7. Task for—Task scope:
      • If you want to run the task on all hosts of all servers, select the All hosts option.
      • If you want to run the task on selected servers, select the Specified servers option and, to the right of the Servers parameter name, select the check boxes next to the names of the servers on which you want to run the task.

        This option is available only when distributed solution and multitenancy mode is enabled.

      • If you want to run the task on selected hosts, select the Specified hosts option and list these hosts in the Hosts field.

    The task of scanning Kaspersky Endpoint Agent hosts by YARA rules can be assigned only to hosts with Kaspersky Endpoint Agent for Windows 3.12 or later. If you assign the task to a mix of hosts with version 3.12 or later and hosts with earlier versions of the program, the task is executed only on the hosts with version 3.12 or later.

Task creation is complete. The task runs automatically after it is created.
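The scope, exclusion and time-limit rules from steps 3 to 5 above, modelled in Python as an added example; this is not Kaspersky code and not the agent's YARA engine. A small byte-signature matcher stands in for YARA so the example runs offline, the process list and files are constructed sample data, and the mask semantics (a folder path ending in a file pattern, a full folder path used as an exclusion) are assumptions drawn from the examples on this page.

```python
import fnmatch
import os
import tempfile
import time
from dataclasses import dataclass, field

# Constructed stand-in rules (not YARA): rule name -> byte signatures, any one is a hit.
STANDIN_RULES = {
    "eicar_test_string": [b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE"],
    "powershell_encoded_command": [b"-EncodedCommand", b"-enc "],
}

def match_rules(data, rules=STANDIN_RULES):
    """Names of all rules with at least one signature present in data."""
    return sorted(n for n, sigs in rules.items() if any(s in data for s in sigs))

@dataclass
class Process:
    pid: int
    name: str      # short process name, e.g. "powershell.exe"
    memory: bytes  # stand-in for the process memory the agent would read

def _matches_any(value, masks):
    return any(fnmatch.fnmatchcase(value, m) for m in masks)

def select_processes(processes, include=(), exclude=()):
    """RAM scope: blank Processes field = all processes except PID < 10 and Exclusions.
    Every process whose short name matches is taken, so same-named processes all scan."""
    chosen = ([p for p in processes if _matches_any(p.name, include)] if include
              else [p for p in processes if p.pid >= 10])
    return [p for p in chosen if not _matches_any(p.name, exclude)]

def _excluded(path, fname, masks):
    for m in masks:
        if fnmatch.fnmatchcase(path, m) or fnmatch.fnmatchcase(fname, m):
            return True
        if path.startswith(m.rstrip(os.sep) + os.sep):  # full folder path excludes its contents
            return True
    return False

def select_files(folder_masks, exclude=()):
    """Specified folders scope. Assumption: a mask is <folder>/<file pattern> and the
    folder is walked with its nested folders, so "C:\\Program files\\*.exe" means every
    .exe file anywhere under that folder."""
    selected = []
    for mask in folder_masks:
        root, pattern = os.path.split(mask)
        for dirpath, _dirs, files in os.walk(root):
            for fname in sorted(files):
                path = os.path.join(dirpath, fname)
                if fnmatch.fnmatchcase(fname, pattern) and not _excluded(path, fname, exclude):
                    selected.append(path)
    return selected

@dataclass
class ScanResult:
    matches: dict = field(default_factory=dict)  # target label -> matched rule names
    scanned: int = 0
    stopped_early: bool = False

def run_scan(targets, read_bytes, max_duration, clock=time.monotonic):
    """Apply the rules to each (label, target) until done or max_duration seconds pass.
    As with the task's Maximum scan duration, stopping early keeps the results so far."""
    result, start = ScanResult(), clock()
    for label, target in targets:
        if clock() - start >= max_duration:
            result.stopped_early = True
            break
        hits = match_rules(read_bytes(target))
        result.scanned += 1
        if hits:
            result.matches[label] = hits
    return result

def demo():
    """Run both scopes over constructed sample data and summarize the outcome."""
    procs = [  # constructed process list
        Process(4, "System", b"ntoskrnl"),
        Process(812, "svchost.exe", b"svchost -k netsvcs"),
        Process(4412, "powershell.exe", b"powershell -EncodedCommand SQBFAFgA"),
        Process(4420, "powershell.exe", b"Get-ChildItem"),
    ]
    picked = select_processes(procs, include=["powershell*"], exclude=["svchost.exe"])
    ram = run_scan([(f"{p.name}:{p.pid}", p) for p in picked], lambda p: p.memory, 60)
    with tempfile.TemporaryDirectory() as tmp:
        docs = os.path.join(tmp, "Documents")
        os.makedirs(os.path.join(docs, "private"))
        samples = {  # constructed files; the "private" folder is excluded by full path
            os.path.join(docs, "report.docx"): b"quarterly figures",
            os.path.join(docs, "dropper.exe"): b"MZ\x90\x00EICAR-STANDARD-ANTIVIRUS-TEST-FILE",
            os.path.join(docs, "private", "notes.txt"): b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE",
        }
        for path, content in samples.items():
            with open(path, "wb") as fh:
                fh.write(content)
        files = select_files([os.path.join(docs, "*")], exclude=[os.path.join(docs, "private")])
        fs = run_scan([(p, p) for p in files], lambda p: open(p, "rb").read(), 60)
    return {"ram_matches": ram.matches, "ram_scanned": ram.scanned,
            "file_matches": {os.path.basename(p): h for p, h in fs.matches.items()},
            "file_scanned": fs.scanned}

if __name__ == "__main__":
    print(demo())
```

Running the block prints the summary: both powershell.exe processes are scanned (same short name, different PIDs) and only the one carrying -EncodedCommand matches, while the file under the excluded folder is never read. The time-limit check in run_scan is the part to keep in mind when reading a task report: a scan that hit Maximum scan duration reports only what it had scanned by then, so a report with no alerts from a scan that stopped early is not evidence of a clean host.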

If the scan detects any threats, Kaspersky Anti Targeted Attack Platform creates corresponding alerts.

Users with the Security auditor role cannot create a task to scan Kaspersky Endpoint Agent for Windows hosts by YARA rules.

Users with the Security officer role do not have access to tasks.

See also

Managing tasks

Viewing the task table

Viewing information about a task

Creating a process termination task

Creating a data collection task

Creating a service management task

Creating a program execution task

Creating a file download task

Creating a file deletion task

Creating a file quarantine task

Creating a quarantined file recovery task

Creating a copy of a task

Deleting tasks

Filtering tasks by creation time

Filtering tasks by type

Filtering tasks by name

Filtering tasks by file name and path

Filtering tasks by description

Filtering tasks by server name

Filtering tasks based on the name of the user that created the task

Filtering tasks by processing status

Clearing a task filter