Managing scanning of autorun point objects according to YARA rules

This Help provides information related to Kaspersky Endpoint Agent for Windows. This information may be partially or completely inapplicable to Kaspersky Endpoint Agent for Linux. For complete information about Kaspersky Endpoint Agent for Linux, please refer to the Help of the solution that includes the application: Kaspersky Anti Targeted Attack Platform or Kaspersky Managed Detection and Response.

YARA scanning of the autorun points is a process that you can create and configure manually using the command line interface. YARA files are used to run the scan.

Only files with YARA rules can be specified in the YARA Scan task for autorun point objects. Files with other types of rules are not supported for the YARA Scan task.

By default, scanning of objects according to YARA rules is performed for the following types of autorun points:

Logon
Run
Explorer
Shell
Office
Internet Explorer
Tasks
Services
Drivers
Telephony
Cryptography
Debuggers
COM
Session Manager
Network
LSA
Applications
Codecs
Shellex
Unspecified

To run a YARA scan of autorun points using the command line interface:

On the device, run a command line interpreter (for example, Command Prompt cmd.exe) with the permissions of the local administrator.
Using the cd command, navigate to the folder where the Agent.exe file is located.
For example, you can type the following command cd "C:\Program Files (x86)\Kaspersky Lab\Endpoint Agent\" and press Enter.
Run the following command and press Enter:
agent.exe --scan-yara [<path to the YARA file>] [--path=<path to the file with the YARA rules>] --scan-autoruns=yes [--fast-scan] [--tag-hint=<rule tag>] [--id-hint=<rule ID>] [--max-rules=<maximum number of scan rules>] [--timeout=<stop scan after the specified time in seconds>] [--max-size=<file size in bytes>] [--exclude-autoruns=COM]

If the --scan-yara --scan-autoruns command is passed with only the required parameters, Kaspersky Endpoint Agent performs a scan with the default settings.

The scan parameters are described in the following table.

Command parameters when starting and configuring YARA scan

Parameters	Description
`--scan-yara [<full path to the YARA file>]`	Required parameter. Starts a YARA scan for the autorun point files on the device. The scan is performed according to the rules in YARA files with the yara or yar extension. Several values separated by spaces can be passed to the parameter. At least one `<full path to the yara file>` value must be specified if the --path parameter is not specified. If the `--path` parameter is also specified in addition to the arguments of the `--scan-yara --scan-autoruns` parameter, the scan uses both the files with the YARA rules specified as the arguments and the files from the folder specified by the `--path` parameter.
`--path=<pathpath to the folder with the YARA files>`	Path to the folder with the YARA files that you want to use to search for autorun point files. Required parameter, if the `<full path the YARA file>` parameter is not specified.
`--scan-autoruns=yes`	Required parameter. This parameter accesses autorun points and scans objects for all types of autorun points according to the specified YARA rules. Specify the `yes` value to start the scan. If parameter value is not specified, the parameter will be ignored.
`--fast-scan`	Optional parameter. The parameter starts the fast scan mode. For each scan object, one occurrence of the detected marker is logged, and duplicates of the detected markers are not logged. Usage of this parameter allows you to reduce the time for scanning large files. If the parameter is not passed, a standard scan will be performed and the duplicates of detected markers will be logged.
`--tag-hint=<tag rule>`	Optional parameter. The parameter allows considering only the rules with the specified tag during scan. You can specify only one parameter value. Rules without tags or with tags other than those specified as the parameter value are ignored during scan. If the parameter is not passed, all the rules are considered during scan.
`--id-hint=<rulerule ID>`	Optional parameter. The parameter allows considering only the rules with the specified ID during scan. You can specify only one parameter value. Rules without IDs or with IDs other than those specified as the parameter value are ignored during scan. If the parameter is not passed, all the rules are considered during scan.
`--max-rules=<maximum number of scan rules>`	Optional parameter. This parameter sets the limit of unique triggered detection rules; the scan will stop upon exceeding this limit. If the parameter value is not specified or equals 0, the scan will be performed without limitations.
`--timeout=<stop scan after the specified time in seconds>`	Optional parameter. This parameter specifies the scan duration of each object in seconds. The scan will be stopped after the specified time. If the parameter value is not specified or equals to 0, the scan is performed without limitations.
`--max-size=<file size in bytes>>`	Optional parameter. Scan is performed only for the files that do not exceed the specified size. Larger files are skipped during scan.
`--exclude-autoruns=<list of objects to be scanned>`	Optional parameter. This parameter excludes files of the specified autorun point from the scan. You can specify several parameter values separated by a space. Available value: COM (as of this writing, only this type of autorun point can be excluded from a scan). Example: `--exclude-autoruns=COM` The files from the COM autorun point scope will be ignored during the scan. Limitations The resulting lists of autorun points for COM objects may not contain component builds developed using .NET due to the special aspects of their registration in the system.

Return codes of the --scan-yara command:

-1 – command is not supported by Kaspersky Endpoint Agent version installed on the device.
0 – command successfully executed.
1 – required argument is not passed to the command.
2 – general error.
4 – syntax error.
5 – one or more files with YARA rules specified as the parameter value not found.

If the command execution completed successfully (code 0) and indicators of compromise were detected during the command execution, Kaspersky Endpoint Agent displays the scan results in the command line. The scan results are described in the following table:

Data displayed by the application in the command line when YARA signatures are detected.

`Offset`	Offset in the object scanned by Kaspersky Endpoint Agent.
`Data`	Signatures searched by Kaspersky Endpoint Agent during scanning.
`Object Name`	The name of the scanned object.
`Rule Name`	The name of the rule used during scan.

Page top