Managing scanning of files and processes according to YARA rules

This Help provides information related to Kaspersky Endpoint Agent for Windows. This information may be partially or completely inapplicable to Kaspersky Endpoint Agent for Linux. For complete information about Kaspersky Endpoint Agent for Linux, please refer to the Help of the solution that includes the application: Kaspersky Anti Targeted Attack Platform or Kaspersky Managed Detection and Response.

YARA scanning is a process that you can create and configure manually using the command line interface. YARA files are used to run the scan.

Only the files with YARA rules can be specified for the YARA Scan task. Files with other types of rules are not supported for the YARA Scan task.

To run a YARA scan using the command line interface:

On the device, run a command line interpreter (for example, Command Prompt cmd.exe) with the permissions of the local administrator.
Using the cd command, navigate to the folder where the Agent.exe file is located.
For example, you can type the following command cd "C:\Program Files (x86)\Kaspersky Lab\Endpoint Agent\" and press Enter.
Run the following command and press Enter:
agent.exe --scan-yara [<path to the YARA file>] [--path=<path to the folder with YARA rules>] [--fast-scan] [--tag-hint=<tag rule>] [--id-hint=<rule ID>] [--max-rules=<maximum number of scan rules>] [--timeout=<stop scan after the specified time in seconds>] [--recursive] [--scan_folders [<list of folders to be scanned>] [--scan-memory] [--scan-process <process name>][--max-size=<file size in bytes>] [--excludes <list of objects to be scanned>] [--includes <list of objects to be scanned>]

If the --scan-yara command is passed with only the required parameters, Kaspersky Endpoint Agent will perform the scan with the default settings.

The scan parameters are described in the following table.

Command parameters when starting and configuring YARA scan

Parameters	Description
`--scan-yara [<full path to the YARA file>]`	Required parameter. Starts a YARA scan on the device. The scan is performed according to the rules in the YARA files with the yara or yar extension. Several values, separated by spaces, can be passed to the parameter. At least one `<full path to the yara file>` value must be specified if the --path parameter is not specified. If the --path parameter is also specified in addition to the arguments of the --scan-yara parameter, the scan uses both the files with the YARA rules specified as the arguments and the files from the folder specified by the --path parameter.
`--path=<pathpath to the folder with the YARA files>`	Path to the folder with the YARA files that you want to scan. Required parameter, if the `<full path to the YARA file>` parameter is not specified.
`--fast-scan`	Optional parameter. The parameter starts the fast scan mode. For each scan object, one occurrence of the detected marker is logged, and duplicates of the detected markers are not logged. Usage of this parameter allows you to reduce the time for scanning large files. If the parameter is not passed, a standard scan is performed and the duplicates of detected markers are logged.
`--tag-hint=<tag rule>`	Optional parameter. The parameter allows considering only the rules with the specified tag during scan. You can specify only one parameter value. Rules without tags or with tags other than those specified as the parameter value are ignored during scan. If the parameter is not passed, all the rules are considered during scan.
`--id-hint=<rulerule ID>`	Optional parameter. The parameter allows considering only the rules with the specified ID during scan. You can specify only one parameter value. Rules without IDs or with IDs other than those specified as the parameter value are ignored during scan. If the parameter is not passed, all the rules are considered during scan.
`--max-rules=<maximum number of scan rules>`	Optional parameter. The parameter sets the limit of unique triggered detection rules; scan stops upon exceeding this limit. If the parameter value is not specified or equals to 0, the scan is performed without limitations.
`--timeout=<stop scan after the specified time in seconds>`	Optional parameter. The parameter specifies the scan duration in seconds. The scan will be stopped after the specified time. If the parameter value is not specified or equals to 0, the scan is performed without limitations.
`--recursive`	Optional parameter. The parameter starts recursive scan of subfolders within the [<list of folders to be scanned>] value.
`--scan_folders [<list of folders to be scanned>]` Additionally, you can specify links to argument files with the "`@`" prefix as arguments of the `--scan-folders`, `--excludes`, and `--includes` parameters. Argument files are UTF-8 encoded text files that contain lists of objects to be processed using the appropriate command line parameter. Example: The my_rules.txt file contains two lines: c:\trusted\. .abc The rules2.txt file contains one line: img_.jpg If you run a scan with parameters like "`--scan-folders --exclude .txt @my_rules.txt .xml @rules2.txt`", all files on all disks will be scanned, except for files with the `txt` extension, files in the `c:\trusted` folder, files with the `abc` extension, files with the `xml` extension, and files with the `img_*.jpg` mask.	Optional parameter. This parameter starts a scan of the files in the specified list of folders. If the value of the <`list of folders to be scanned`> parameter is not specified, the scan is performed recursively for all local drives, except for network, cloud, and connected drives.
`--scan-memory`	Optional parameter. This parameter starts a memory scan for all running processes.
`--scan-process <process name>`	Optional parameter. This parameter starts a memory scan for only specified processes. Standard masks are supported for the <`process name`> value: "`?`" and "`*`".
`--max-size=<file size in bytes>>`	Optional parameter. Scan is performed only for the files that do not exceed the specified size. Larger files are skipped during scan.
`--includes <list of objects to be scanned>`	Optional parameter. This parameter allows you to limit the scan scope. You can specify several parameter values separated by a space. Available values: File name File path File name mask File path mask Passed with the --scan-folders parameter. Example: --scan-folders c:\. --recursive --includes .exe c:\temp\.* *.dll – the scan will be performed for all files with the "exe" and "dll" extensions on the C: drive, and all files in the c:\temp folder will be scanned recursively.
`--excludes <list of objects to be scanned>`	Optional parameter. This parameter excludes the specified files or folders from the scan. You can specify several parameter values separated by a space. Available values: File name File path File name mask File path mask Passed with the --scan-folders parameter. Example: --scan-folders c:\. --excludes readme.txt c:\trusted\. *.xml – the readme.txt files, all files from the c:\trusted folder, and all files with the xml extension in the root folder on the C: drive will be skipped during the scan.

Return codes of the --scan-yara command:

-1 – command is not supported by Kaspersky Endpoint Agent version installed on the device.
0 – command successfully executed.
1 – required argument is not passed to the command.
2 – general error.
4 – syntax error.
5 – one or more files with YARA rules specified as the parameter value not found.

If the command execution completed successfully (code 0) and indicators of compromise were detected during the command execution, Kaspersky Endpoint Agent displays the scan results in the command line. The scan results are described in the following table:

Data displayed by the application in the command line when YARA signatures are detected.

`Offset`	Offset in the object scanned by Kaspersky Endpoint Agent.
`Data`	Signatures searched by Kaspersky Endpoint Agent during scanning.
`Object Name`	The name of the scanned object.
`Rule Name`	The name of the rule used during scan.

Page top