You can scan Kaspersky Endpoint Agent for Windows hosts using YARA rules. To do so, you must create a Start YARA scan task. You can create the task:
In this case, when creating the task, you must select YARA rules that you want to use to scan hosts.
In this case, a task is created to scan hosts using selected YARA rules.
To create a task for scanning Kaspersky Endpoint Agent for Windows hosts using YARA rules in the Tasks section:
This opens the task table.
This opens the task creation window.
You can add multiple rules.
The program does not scan processes with a low priority.
Only available when integrated with Kaspersky Endpoint Agent 3.13 or later.
To have autorun points scanned, you must specify hosts for which the Get forensics was previously run.
Scanning all local disks can cause high load on the host.
The program scans all processes with identical names that are running on the host.
If the Processes field is left blank, the program scans all processes that were running at the time of the task execution, except processes with PID under 10 and processes listed in the Exclusions field.
If multiple processes with identical names are running on the host, the program excludes all such processes from scanning.
In this case, all autorun points are scanned, except COM objects.
In this case, all autorun points are scanned, as well as files involved with them.
When this time elapses, the scan is stopped even if some rules were not applied to scan the hosts. The task report contains results that are up-to-date at the moment when the scan was stopped.
This option is available only when distributed solution and multitenancy mode is enabled.
The task of scanning Kaspersky Endpoint Agent hosts by YARA rules can only be assigned to hosts with Kaspersky Endpoint Agent for Windows 3.12 and higher. If you simultaneously assign a task to hosts with Kaspersky Endpoint Agent 3.12 and earlier versions of the program, the task is executed only on hosts with Kaspersky Endpoint Agent 3.12.
To create a task for scanning Kaspersky Endpoint Agent for Windows hosts using YARA rules in the Custom rules section, YARA subsection:
A control panel appears in the lower part of the window.
Task creation is complete. The task runs automatically after it is created.
If the scan detects any threats, Kaspersky Anti Targeted Attack Platform creates corresponding alerts.
Users with the Security auditor role cannot create a task to scan Kaspersky Endpoint Agent for Windows hosts by YARA rules.
Users with the Security officer role do not have access to tasks.