About YARA scan in Kaspersky Endpoint Agent
YARA scan is a process performed by Kaspersky Endpoint Agent to search for malicious activity signatures on devices using YARA files (signature files of the open YARA standard). Scan is performed recursively on local drives. Scan is not supported for network, connected and cloud resources.
Kaspersky Endpoint Agent supports the following types of YARA scan:
- YARA files scan using the command line – group or local tasks that are created and configured using the command line interface. YARA files prepared by the user are used to run the tasks.
- YARA scan by the files downloaded manually via Kaspersky Anti Targeted Attack Platform web interface allows application users to use YARA files to search for signs of targeted attacks, infected and probably infected objects in the event and detection database, and to scan computers with Kaspersky Endpoint Agent installed.
The scan types differ by the management capabilities and configurable settings. The YARA scan types are described in the following table.
YARA scan types
Scan type |
Description |
|---|---|
YARA files scan using the command line |
The scan is started manually using the command line interface, without integration with the third-party systems. YARA files prepared by the user are used to run the scan. Scan settings do not depend on the policy settings. The scan results are available immediately after scan is completed in the command line. |
YARA scan by the YARA files downloaded manually via Kaspersky Anti Targeted Attack Platform web interface |
IOC files are downloaded manually via Kaspersky Anti Targeted Attack Platform web interface. It is also possible to configure YARA scan schedule for computers with Kaspersky Endpoint Agent in the web interface of Kaspersky Anti Targeted Attack Platform. Scan cannot be managed using the command line. There are no automatic actions when YARA rules are triggered. Scan settings do not depend on Kaspersky Endpoint Agent policies. |