Managing file and process scanning in accordance with YARA rules

This section provides information about Kaspersky Endpoint Agent for Windows. This information may be partially or wholly inapplicable to Kaspersky Endpoint Agent for Linux. For complete information about Kaspersky Endpoint Agent for Linux, see the online help of the solution in which you are using the program: Kaspersky Anti Targeted Attack Platform or Kaspersky Managed Detection and Response.

YARA scanning constitutes processes that you can manually create and configure using the command line interface. The scan is started using YARA files.

In the YARA scan task, you can only specify a file with YARA rules. Files containing rules of other types are not supported by YARA scan tasks.

To run a YARA scan using the command line interface:

On the device, run the command line interpreter (for example, Command Prompt cmd.exe) as the local administrator.
Use the cd command to go to the folder that contains the agent.exe file.
For example, you can enter the command: cd "C:\Program Files (x86)\Kaspersky Lab\Endpoint Agent\" and press Enter.
Enter the following command and press Enter:
agent.exe --scan-yara [<path to the yara file>] [--path=<path to the file with yara rules>] [--fast-scan] [--tag-hint=<rule tag>] [--id-hint=<rule id>] [--max-rules=<maximum number of scanning rules>] [--timeout=<stop the scan after this time in seconds>] [--recursive] [--scan_folders [<list of folders to scan>] [--scan-memory] [--scan-process <process name>][--max-size=<file size in bytes>] [--excludes <lost of objects to scan>] [--includes <list of objects to scan>]

If the --scan-yara command has only required options, Kaspersky Endpoint Agent performs the scan with default settings.

Scan parameters are described in the following table.

Command parameters for starting and configuring a YARA scan

Settings	Description
`--scan-yara [<full path to the yara file>]`	Required parameter. Runs the YARA on the device. The scan is performed using rules from YARA files with the "yara" or "yar" extension. Multiple space-separated values can be passed to a parameter. At least one <`full path to yara file`> value must be specified if the --path parameter is not set. If the --path parameter is also specified in addition to arguments of the --scan-yara parameter, the scan uses both the YARA files specified in arguments and files from the --path folder.
`--path=<path to folder with yara files>`	Path to a folder containing YARA files that must be used by the scan. Required parameter if the `<full path to yara file>` parameter is not specified.
`--fast-scan`	Optional parameter. Runs the scan in fast scan mode. For each scanned object, one occurrence of a detected marker is logged, and duplicates of detected markers are not logged. This parameter lets you scan big files quicker. If this parameter is not specified, a standard scan is performed, and duplicates of detected markers are logged.
`--tag-hint=<rule tag>`	Optional parameter. This parameter lets the scan take into account only rules with the specified tag. Only one value can be specified for this parameter. Rules that do not have tags or have tags other than the tags passed in the parameter, are skipped by the scan. If the parameter is not specified, all rules are considered by the scan.
`--id-hint=<rule id>`	Optional parameter. This parameter lets the scan take into account only rules with the specified ID. Only one value can be specified for this parameter. Rules that do not have IDs or have IDs other than the IDs passed in the parameter, are skipped by the scan. If the parameter is not specified, all rules are considered by the scan.
`--max-rules=<maximum number of scanning rules>`	Optional parameter. The parameter sets a limit of unique triggered detection rules that, when exceeded, causes the scan to stop. If the value of the parameter is not set or is set to 0, the scan runs without limitations.
`--timeout=<stop the scan after this time in seconds>`	Optional parameter. This parameter sets the duration of the scan in seconds. After the specified time, the scan is stopped. If the value of the parameter is not set or is set to 0, the scan runs without limitations.
`--recursive`	Optional parameter. This parameter runs a recursive scan of nested folders within the [<list of folders to scan>] scope.
`--scan_folders [<list of folders to scan>]` In addition, you can use arguments of `--scan-folders`, `--excludes`, `--includes` parameters to specify links to argument files using the "`@`" prefix. Argument files are text files in UTF-8 encoding that contain lists of objects to be processed using the corresponding parameter on the command line. Example: The my_rules.txt file contains two lines: c:\trusted\. .abc The rules2.txt file contains one line: img_.jpg If the scan is run with parameters like "`--scan-folders --exclude .txt @my_rules.txt .xml @rules2.txt`", all files on all disks are scanned, excluding files with the "`txt`" extension, files in the "`c:\trusted`" folder, files with the "`abc`" extension, files with the "`xml`" extension, and files matching the "`img_*.jpg`" mask.	Optional parameter. This parameter runs a file scan on the specified list of folders. If the <`list of folders to scan`> parameter is not set, the scan is performed recursively on all local disks except network shares, cloud and removable drives.
`--scan-memory`	Optional parameter. This parameter runs a memory scan for all running processes.
`--scan-process <process name>`	Optional parameter. This parameter runs a memory scan for specified processes only. For the <`process name`> value, you can use standard "`?`" and "`*`" masks.
`--max-size=<file size in bytes>`	Optional parameter. The scan only looks at files that are smaller than the specified value. Bigger files are skipped.
`--includes <list of objects to scan>`	Optional parameter. This parameter lets you limit the scope of the scan. You can enter multiple space separated values. Possible values: File name. Path to the file. File name mask. File path mask. Passed with the --scan-folders parameter. Example: --scan-folders c:\. --recursive --includes .exe c:\temp\.* *.dll means the scan will look at all files with "exe" and "dll" on disk С:, also all files in c:\temp will be scanned recursively
`--excludes <list of objects to scan>`	Optional parameter. This parameter excludes the specified files or folders from scanning. You can enter multiple space separated values. Possible values: File name. Path to the file. File name mask. File path mask. Passed with the --scan-folders parameter. Example: --scan-folders c:\. --excludes readme.txt c:\trusted\. *.xml means the scan will readme.txt files, all files in the c:\trusted folder, as well as all files with the xml extension in the root folder of disk C:.

Return codes of the --scan-yara command:

-1 means the command is not supported by the version of Kaspersky Endpoint Agent that is installed on the device.
0 means the command was executed successfully.
1 means a required argument was not passed to the command.
2 stands for general error.
4 stands for syntax error.
5 means one or more files with YARA rules among files specified in the parameter value were not found.

If the command is executed successfully (code 0) and indicators of compromise are detected as a result, Kaspersky Endpoint Agent outputs scan results on the command line. Scan results are described in the following table.

Information that the program outputs on the command line when YARA signatures are detected.

`Offset`	Offset in the object scanned by Kaspersky Endpoint Agent.
`Data`	Signatures that Kaspersky Endpoint Agent looks for when scanning.
`Object Name`	Name of the scanned object.
`Rule Name`	Name of the rule used for scanning.

Page top