You can start and configure a YARA scan manually from the command line interface. The scan is driven by YARA rule files.
Only files containing YARA rules can be specified for the YARA Scan task. Files with other types of rules are not supported.
To run a YARA scan using the command line interface:
1. Change to the Kaspersky Endpoint Agent installation folder. For example, type cd "C:\Program Files (x86)\Kaspersky Lab\Endpoint Agent\" and press Enter.
2. Run the scan command:
agent.exe --scan-yara [<path to the YARA file>] [--path=<path to the folder with YARA rules>] [--fast-scan] [--tag-hint=<tag rule>] [--id-hint=<rule ID>] [--max-rules=<maximum number of scan rules>] [--timeout=<stop scan after the specified time in seconds>] [--recursive] [--scan_folders [<list of folders to be scanned>]] [--scan-memory] [--scan-process <process name>] [--max-size=<file size in bytes>] [--excludes <list of objects to be excluded from scanning>] [--includes <list of objects to be scanned>]
If the --scan-yara command is passed with only the required parameters, Kaspersky Endpoint Agent performs the scan with the default settings.
The scan parameters are described in the following table.
Command parameters when starting and configuring YARA scan
Parameter | Description |
--scan-yara [<path to the YARA file>] | Required parameter. Starts a YARA scan on the device. The scan is performed according to the rules in the YARA files with the yara or yar extension. |
--path=<path to the folder with YARA rules> | Path to the folder with the YARA rule files to use for the scan. |
--fast-scan | Optional parameter. |
--tag-hint=<tag rule> | Optional parameter. |
--id-hint=<rule ID> | Optional parameter. |
--max-rules=<maximum number of scan rules> | Optional parameter. |
--timeout=<time in seconds> | Optional parameter. Stops the scan after the specified time in seconds. |
--recursive | Optional parameter. |
--scan-folders [<list of folders to be scanned>] (spelled --scan_folders in the command syntax above) | Optional parameter. |
--scan-memory | Optional parameter. |
--scan-process <process name> | Optional parameter. |
--max-size=<file size in bytes> | Optional parameter. |
--excludes <list of objects to be excluded from scanning> | Optional parameter. Passed together with the --scan-folders parameter. |
--includes <list of objects to be scanned> | Optional parameter. Passed together with the --scan-folders parameter. |
Return codes of the --scan-yara command:
-1 – command is not supported by the Kaspersky Endpoint Agent version installed on the device.
0 – command successfully executed.
1 – required argument is not passed to the command.
2 – general error.
4 – syntax error.
5 – one or more files with YARA rules specified as the parameter value not found.
If the command completes successfully (return code 0) and indicators of compromise were detected during the scan, Kaspersky Endpoint Agent displays the scan results in the command line. The scan results are described below.
Data displayed by the application in the command line when YARA signatures are detected:
- Offset in the object scanned by Kaspersky Endpoint Agent at which the match was found.
- Signatures that Kaspersky Endpoint Agent searched for during the scan.
- The name of the scanned object.
- The name of the YARA rule that matched.
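The procedure above, wrapped in a PowerShell function, as an added example that is not part of the Kaspersky documentation or of the product: it checks that the rule folder contains only .yar/.yara files (the only rule type the YARA Scan task supports), builds the --scan-yara parameters in the form the command syntax shows, runs agent.exe, and translates the documented return codes. Assumptions not stated on the page: agent.exe is in the default installation folder; the rule folder is passed with --path=; several scan folders can be passed to --scan-folders as separate arguments (the page does not say how the list is delimited); and the parameter is spelled --scan-folders as in the parameter table rather than --scan_folders as in the command syntax, so check the spelling against the version installed on the device.

```powershell
# Added example, not Kaspersky code. Assumed: default agent.exe location, --path=
# for the rule folder, scan folders passed as separate arguments after
# --scan-folders (spelling taken from the parameter table; the command syntax
# on the page writes --scan_folders, verify against the installed version).

function Invoke-KeaYaraScan {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $RulesFolder,              # folder with .yar/.yara files (--path=)
        [string[]] $ScanFolders = @(),                             # folders to scan (--scan-folders)
        [switch]   $Recursive,                                     # --recursive
        [switch]   $ScanMemory,                                    # --scan-memory
        [ValidateRange(0, [int]::MaxValue)]  [int]  $TimeoutSeconds = 0,  # --timeout=, 0 = agent default
        [ValidateRange(0, [long]::MaxValue)] [long] $MaxSizeBytes   = 0,  # --max-size=, 0 = agent default
        [string]   $AgentPath = 'C:\Program Files (x86)\Kaspersky Lab\Endpoint Agent\agent.exe'
    )

    if (-not (Test-Path -LiteralPath $AgentPath -PathType Leaf)) {
        throw "agent.exe not found at $AgentPath"
    }

    # Only YARA rule files (.yar or .yara) are supported for the YARA Scan task:
    # refuse an empty folder and warn about anything else lying in it.
    $files = @(Get-ChildItem -LiteralPath $RulesFolder -File)
    $rules = @($files | Where-Object { $_.Extension -in '.yar', '.yara' })
    $other = @($files | Where-Object { $_.Extension -notin '.yar', '.yara' })
    if ($rules.Count -eq 0) { throw "No .yar/.yara files in $RulesFolder" }
    if ($other.Count -gt 0) {
        Write-Warning ("Non-YARA files in {0} will not be used: {1}" -f $RulesFolder, ($other.Name -join ', '))
    }

    # Build the parameter list exactly as the command syntax shows it:
    # '=' for --path/--timeout/--max-size, a space-separated value for --scan-folders.
    $argList = @('--scan-yara', "--path=$RulesFolder")
    if ($Recursive)            { $argList += '--recursive' }
    if ($ScanMemory)           { $argList += '--scan-memory' }
    if ($TimeoutSeconds -gt 0) { $argList += "--timeout=$TimeoutSeconds" }
    if ($MaxSizeBytes -gt 0)   { $argList += "--max-size=$MaxSizeBytes" }
    if ($ScanFolders.Count -gt 0) {
        $argList += '--scan-folders'
        $argList += $ScanFolders
    }

    Write-Verbose ("Running: {0} {1}" -f $AgentPath, ($argList -join ' '))
    $output = @(& $AgentPath @argList 2>&1 | ForEach-Object { "$_" })
    $code   = $LASTEXITCODE

    # Return codes as documented for --scan-yara. $LASTEXITCODE is a signed Int32,
    # so the agent's -1 ("command not supported") arrives as -1, not 4294967295.
    $meaning = @{
        (-1) = 'command is not supported by the installed Kaspersky Endpoint Agent version'
        0    = 'command successfully executed'
        1    = 'required argument is not passed to the command'
        2    = 'general error'
        4    = 'syntax error'
        5    = 'one or more files with YARA rules specified as the parameter value not found'
    }
    $text = if ($meaning.ContainsKey($code)) { $meaning[$code] } else { "undocumented return code $code" }

    # With code 0 the agent prints the detections (offset, signature, scanned
    # object, rule name). The lines are returned unparsed because the page does
    # not specify their layout; any output on success is treated as a detection.
    [pscustomobject]@{
        ExitCode = $code
        Meaning  = $text
        Detected = ($code -eq 0 -and $output.Count -gt 0)
        Output   = $output
    }
}

# Usage (constructed paths): scan the user profiles recursively with a 10-minute limit.
# $r = Invoke-KeaYaraScan -RulesFolder 'C:\IR\yara' -ScanFolders 'C:\Users' -Recursive -TimeoutSeconds 600 -Verbose
# if ($r.ExitCode -ne 0) { throw "YARA scan failed: $($r.Meaning)" }
# $r.Output
```

The extension check matters because the agent reports a missing rule file with return code 5 but the page gives no return code for rule files of an unsupported type, so a folder that mixes YARA rules with other rule formats is best caught before the scan starts. Run the function from an elevated PowerShell session, since the agent must read the folders and, with --scan-memory, process memory.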