Requirements for YARA files

This Help provides information related to Kaspersky Endpoint Agent for Windows. This information may be partially or completely inapplicable to Kaspersky Endpoint Agent for Linux. For complete information about Kaspersky Endpoint Agent for Linux, please refer to the Help of the solution that includes the application: Kaspersky Anti Targeted Attack Platform or Kaspersky Managed Detection and Response.

When performing a YARA scan, consider the following requirements and limitations related to YARA files:

• Kaspersky Endpoint Agent supports YARA files with the yara and yar extensions. These files use an open standard for compromise indicator description – YARA version 4.0.2.
• Only the files with YARA rules can be specified for the YARA Scan task. Files with other types of rules are not supported for the YARA Scan task.
• If during scanning you download YARA files that are not supported by Kaspersky Endpoint Agent or contain syntax errors, the scan start will be terminated and the corresponding error message will be displayed.
• Identifiers of all YARA files that are used in the same YARA Scan task must be unique. The presence of YARA files with the same identifier can affect the correctness of the task execution results.

It is recommended to create one rule in one YARA file. This approach makes the scan results easier to read.

Page top