YARA. Running YARA Scan

Running the Run YARA Scan task. The application scans files and objects for indicators of targeted attacks on the corporate IT infrastructure using databases of YARA rules created by users of Kaspersky Anti Targeted Attack Platform. A YARA rule is a publicly available classification of malware that contains signatures of indicators of targeted attacks and intrusions into corporate IT infrastructure that Kaspersky Anti Targeted Attack Platform uses to scan files and objects.

To run a YARA scan, you must prepare YARA files that describe rules. When creating YARA files, consider the following requirements:

Kaspersky Endpoint Security supports YARA files with the yara or yar extensions that adhere to the YARA 4.0.2 open standard for describing indicators of compromise.
Only a file with YARA rules can be specified for the task. The Run YARA Scan task does not support other rule types.
If you have added YARA files that Kaspersky Endpoint Security does not support, or the rules contain syntax errors, the task is aborted with the corresponding error message.
The identifiers of all YARA files used in a single task must be unique. If there are YARA files with the same identifier, it might affect the task execution results.
A YARA scan is aborted after 128 matches with indicators described in YARA rules. This is necessary to limit the number of entries in the YARA scan report to make it easier to analyze and to protect the report from overflowing because of imprecisely formulated YARA rules that may generate a vast number of matches.

Kaspersky recommends creating one rule per YARA file. This makes the scan results more readable.

A YARA scan may take a considerable amount of time. Depending on the drive size, task settings, and the number of objects on the disk, a YARA scan can last anywhere from several minutes to several hours. The application does not display a progress indicator. It is not possible to stop or cancel a YARA scan. You are advised to wait until the results of a YARA scan are available.

Command syntax

avp.com YARA /<full path to the YARA file>|/path=<path to the IOC files folder> [<advanced settings>]

YARA files

<full path to the YARA file>

Full path to the YARA file that you want to use for scanning. You can specify multiple YARA files separated by spaces. The full path to the YARA file must be entered without the /path argument.

For example, C:\Users\Admin\Desktop\YARA\file1.yar.

/path=<path to the folder with YARA files>

Path to the folder with YARA files that you want to use for scanning.

For example, /path=C:\Users\Admin\Desktop\YARA.

Advanced settings
`fastScan`	Quick YARA Scan. For each object, the application logs one occurrence of the detected indicator. The application also hides duplicates of detected indicators in the log. Quick YARA Scan allows scanning large files quicker. If this setting is not specified, the application performs a standard YARA scan. In this mode, the application logs duplicates of detected indicators.
`maxRules=<maximum number of scan rules>`	How many unique rules must trigger for the application to stop the YARA scan. If the value of this setting is not specified or if `0` is specified, the application performs the YARA scan without limitations.
`timeOut=<stop scan after the specified time in seconds>`	How long a YARA scan can take, in seconds. When this time runs out, the application stops the YARA scan. If the value of this setting is not specified or if `0` is specified, the application performs the YARA scan without limitations.
`recursive`	Recursively scan subfolders when performing a Custom Scan (`scanFolder`).
`scanMemory`	Scan the memory of all running processes.
`scanFolders <list of folders to be scanned>`	Custom Scan. The application scans folders selected by the user. If this setting is not specified, the application performs a YARA scan of all local disks except network shares, cloud drives, and removable media.
`scanProcess <process name>`	Scan memory only for specified processes. Kaspersky Endpoint Security supports the `*` and `?` characters when entering a mask.
`maxFileSize=<file size in bytes>`	Limit file size for the YARA scan. The application skips larger files.
`excludes <list of objects to be scanned>`	Exclude files and folders from the YARA scan. You can specify multiple values separated by spaces. The following values are available: File name File path File extension Mask of the file path Exclusions must be specified with the `scanFolders` parameter. Example: `scanFolders C:\. excludes readme.txt C:\trusted\. *.xml` – the application skips the `readme.txt` file, all files from the `C:\trusted` folder, and all files with the xml extension in the root folder on disk C.
`logFolder <path to the folder for saving the scan results in a TXT file>`	Save the results of the YARA scan to a file in the specified folder. The application also outputs the results of the YARA scan to the command line.

Command return values:

-1 means the command is not supported by the version of the application that is installed on the computer.
0 means the command was executed successfully.
1 means a mandatory argument was not passed to the command.
2 means a general error occurred.
4 means there was a syntax error.
5 means one or more files with YARA rules specified in the parameter was not found.

You can view the results of a YARA scan in the Kaspersky Anti Targeted Attack Platform console. Only task status is available in Kaspersky Security Center.

If the command was executed successfully (return value 0) and indicators of compromise were detected along the way, Kaspersky Endpoint Security outputs the following task result information to the command line:

`Offset`	Offset in the object for which Kaspersky Endpoint Security is performing a YARA scan.
`Object Name`	Name of the object that the application is scanning.
`Rule Name`	Name of the rule that the application is using for the YARA scan.

Page top