Managing scanning of files and processes according to YARA rules

This Help provides information related to Kaspersky Endpoint Agent for Windows. This information may be partially or completely inapplicable to Kaspersky Endpoint Agent for Linux. For complete information about Kaspersky Endpoint Agent for Linux, please refer to the Help of the solution that includes the application: Kaspersky Anti Targeted Attack Platform or Kaspersky Managed Detection and Response.

YARA scan is a process that you can create and configure manually using the command line interface. YARA files are used to run the scan.

Only the files with YARA rules can be specified for the YARA Scan task. Files with other types of rules are not supported for the YARA Scan task.

To run YARA scan using the command line interface:

  1. On the device, run a command line interpreter (for example, Command Prompt cmd.exe) with the permissions of the local administrator.
  2. Using the cd command, navigate to the folder where the Agent.exe file is located.

    For example, you can type the following command cd "C:\Program Files (x86)\Kaspersky Lab\Endpoint Agent\" and press Enter.

  3. Run the following command and press Enter:

    agent.exe --scan-yara [<path the yara file>] [--path=<path to the folder with the yara rules>] [--fast-scan] [--tag-hint=<rule tag>] [--id-hint=<rule ID>] [--max-rules=<maximum number of scan rules>] [--timeout=<stop scan after the specified time in seconds>] [--recursive] [--scan_folders [<list of folders to be scanned>] [--scan-memory] [--scan-process <process name>][--max-size=<file size in bytes>] [--excludes <list of objects to be scanned>] [--includes <list of objects to be scanned>]

    If the --scan-yara command is passed only with the required parameters, Kaspersky Endpoint Agent performs scanning with the default settings.

The scan parameters are described in the following table.

Command parameters when starting and configuring YARA scan

Parameters

Description

--scan-yara [<full path the yara file>]

Required parameter.

Starts YARA scan on the device. The scan is performed according to the rules in the YARA files with the yara or yar extension.

Several values separated by space can be passed to the parameter.

At least one <full path to the yara file> value must be specified if the --path parameter is not specified.

If the --path parameter is also specified in addition to the arguments of the --scan-yara parameter, the scan uses both the files with the YARA rules specified as the arguments and the files from the folder specified by the --path parameter.

--path=<path to the folder with the yara files>

Path to the folder with the YARA files that you want to scan.

Required parameter, if the <full path the yara file> parameter is not specified.

--fast-scan

Optional parameter.

The parameter starts the fast scan mode. For each scan object, one occurrence of the detected marker is logged, and duplicates of the detected markers are not logged. Usage of this parameter allows you to reduce the time for scanning large files.

If the parameter is not passed, standard scan is performed and the duplicates of detected markers are logged.

--tag-hint=<rule tag>

Optional parameter.

The parameter allows considering only the rules with the specified tag during scan. You can specify only one parameter value.
Rules without tags or with tags other than those specified as the parameter value are ignored during scan.

If the parameter is not passed, all the rules are considered during scan.

--id-hint=<rule ID>

Optional parameter.

The parameter allows considering only the rules with the specified ID during scan. You can specify only one parameter value.
Rules without IDs or with IDs other than those specified as the parameter value are ignored during scan.

If the parameter is not passed, all the rules are considered during scan.

--max-rules=<maximum number of scan rules>

Optional parameter.

The parameter sets the limit of unique triggered detection rules; scan stops upon exceeding this limit.

If the parameter value is not specified or equals to 0, the scan is performed without limitations.

--timeout=<stop scan after the specified time in seconds>

Optional parameter.

The parameter specifies the scan duration in seconds. The scan will be stopped after the specified time.

If the parameter value is not specified or equals to 0, the scan is performed without limitations.

--recursive

Optional parameter.

The parameter starts recursive scan of subfolders within the [<list of folders to be scanned>] value.

--scan_folders [<list of folders to be scanned>]

Optional parameter.

The parameter starts scanning of files in the specified list of folders.

If the value of the <list of folders to be scanned> parameter is not specified, scan is performed recursively for all local drives, except for network, cloud and connected drives.

--scan-memory

Optional parameter.

The parameter starts memory scan for all running processes.

--scan-process <process name>

Optional parameter.

The parameter starts memory scan only for specified processes. Standard masks are supported for the <process name> value: "?" and "*".

--max-size=<file size in bytes>

Optional parameter.

Scan is performed only for the files that do not exceed the specified size. Larger files are skipped during scan.

--includes <list of objects to be scanned>

Optional parameter.

The parameter allows you to limit the scan area. You can specify several parameter values separated by a space. Available values:

  • File name
  • File path
  • File name mask
  • File path mask

    Passed with the --scan-folders parameter.

    Example:
    --scan-folders c:\*.* --recursive --includes *.exe c:\temp\*.* *.dll – scan is performed for all files with the "exe" and "dll" extensions on the C: drive, and all files in the c:\temp folder will be scanned recursively.

--excludes <list of objects to be scanned>

Optional parameter.

The parameter excludes the specified files or folders from scan. You can specify several parameter values separated by a space. Available values:

  • File name
  • File path
  • File name mask
  • File path mask

    Passed with the --scan-folders parameter.

    Example:
    --scan-folders c:\*.* --excludes readme.txt c:\trusted\*.* *.xml – the readme.txt files, all files from the c:\trusted folder, and all files with the xml extension in the root folder on the C: drive will be skipped during scan.

Return codes of the --scan-yara command:

If the command execution completed successfully (code 0) and indicators of compromise were detected during the command execution, Kaspersky Endpoint Agent displays the scan results in the command line. The scan results are described in the following table:

Data displayed by the application in the command line when YARA signatures are detected.

Offset

Offset in the object scanned by Kaspersky Endpoint Agent.

Data

Signatures searched by Kaspersky Endpoint Agent during scanning.

Object Name

The name of the scanned object.

Rule Name

The name of the rule used during scan.

Page top