About YARA scan in Kaspersky Endpoint Agent

YARA scan is a process performed by Kaspersky Endpoint Agent to search for malicious activity signatures on devices using YARA files (signature files of the open YARA standard). The scan is performed recursively on local drives. The scan is not supported for network, connected and cloud resources.

Kaspersky Endpoint Agent supports the following types of YARA scan:

The scan types differ in their management capabilities and configurable settings. The YARA scan types are described in the following table.

YARA scan types

| Scan type | Description |
|---|---|
| YARA files scan using the command line | The scan is started manually using the command line interface, without integration with third-party systems. YARA files prepared by the user are used to run the scan. Scan settings do not depend on the policy settings. The scan results are available in the command line immediately after the scan is completed. |
| YARA scan by the YARA files downloaded manually via Kaspersky Anti Targeted Attack Platform web interface | IOC files are downloaded manually via the Kaspersky Anti Targeted Attack Platform web interface. It is also possible to configure a YARA scan schedule for computers with Kaspersky Endpoint Agent in the web interface of Kaspersky Anti Targeted Attack Platform. The scan cannot be managed using the command line. There are no automatic actions when YARA rules are triggered. Scan settings do not depend on Kaspersky Endpoint Agent policies. For detailed information about this type of scan, refer to Kaspersky Anti Targeted Attack Platform Help. |
