This Help provides information related to Kaspersky Endpoint Agent for Windows. This information may be partially or completely inapplicable to Kaspersky Endpoint Agent for Linux. For complete information about Kaspersky Endpoint Agent for Linux, please refer to the Help of the solution that includes the application: Kaspersky Anti Targeted Attack Platform or Kaspersky Managed Detection and Response.
YARA scanning of the autorun points is a process that you can create and configure manually using the command line interface. YARA files are used to run the scan.
Only the files with YARA rules can be specified in the YARA Scan task for autorun point objects. Files with other types of rules are not supported for the YARA Scan task.
By default, scanning of objects according to YARA rules is performed for the following types of autorun points:
To run YARA scanning of the autorun points using the command line interface:
cd
command, navigate to the folder where the Agent.exe file is located.For example, you can type the following command cd "C:\Program Files (x86)\Kaspersky Lab\Endpoint Agent\"
and press Enter.
agent.exe --scan-yara [<
path the yara file>] [--path=<
path to the folder with the yara rules
>] --scan-autoruns=yes [--fast-scan] [--tag-hint=<<rule tag
>] [--id-hint=<
rule ID>] [--max-rules=<
maximum number of scan rules
>] [--timeout=<stop scan after the specified time in seconds
>] [--max-size=<
file size in bytes>] [--exclude-autoruns=COM]
If the --scan-yara
--scan-autoruns
command is passed only with the required parameters, Kaspersky Endpoint Agent performs scanning with the default settings.
The scan parameters are described in the following table.
Command parameters when starting and configuring YARA scan
Parameters |
Description |
|
Required parameter. Starts YARA scan for the autorun point files on the device. The scan is performed according to the rules in the YARA files with the yara or yar extension. |
|
Path to the folder with the YARA files that you want to use to search for autorun point files. |
|
Required parameter. The parameter accesses autorun points and scans objects for all types of autorun points according to the specified YARA rules. |
|
Optional parameter. |
|
Optional parameter. |
|
Optional parameter. |
|
Optional parameter. |
|
Optional parameter. |
|
Optional parameter. |
|
Optional parameter. The resulting lists of autorun points for COM objects may not contain component builds developed using .NET due to the special aspects of their registration in the system. |
Return codes of the --scan-yara
command:
-1
– command is not supported by Kaspersky Endpoint Agent version installed on the device.0
– command successfully executed.1
– required argument is not passed to the command.2
– general error.4
– syntax error.5
– one or more files with YARA rules specified as the parameter value not found. If the command execution completed successfully (code 0
) and indicators of compromise were detected during the command execution, Kaspersky Endpoint Agent displays the scan results in the command line. The scan results are described in the following table:
Data displayed by the application in the command line when YARA signatures are detected.
|
Offset in the object scanned by Kaspersky Endpoint Agent. |
|
Signatures searched by Kaspersky Endpoint Agent during scanning. |
|
The name of the scanned object. |
|
The name of the rule used during scan. |