YARA. Running YARA Scan

This command runs the Run YARA Scan task. The application scans files and objects for indicators of targeted attacks on the corporate IT infrastructure using databases of YARA rules created by users of Kaspersky Anti Targeted Attack Platform. A YARA rule is a publicly available classification of malware that contains signatures of indicators of targeted attacks and intrusions into corporate IT infrastructure; Kaspersky Anti Targeted Attack Platform uses these rules to scan files and objects.

To run a YARA scan, you must prepare YARA files that describe rules. When creating YARA files, consider the following requirements:

Kaspersky recommends creating one rule per YARA file. This makes the scan results more readable.

A YARA scan may take a considerable amount of time. Depending on the drive size, task settings, and the number of objects on the disk, a YARA scan can last anywhere from several minutes to several hours. The application does not display a progress indicator. It is not possible to stop or cancel a YARA scan. You are advised to wait until the results of a YARA scan are available.

Command syntax

avp.com YARA /<full path to the YARA file>|/path=<path to the YARA files folder> [<advanced settings>]

YARA files


<full path to the YARA file>

Full path to the YARA file that you want to use for scanning. You can specify multiple YARA files separated by spaces. The full path to the YARA file must be entered without the /path argument.

For example, C:\Users\Admin\Desktop\YARA\file1.yar.

/path=<path to the folder with YARA files>

Path to the folder with YARA files that you want to use for scanning.

For example, /path=C:\Users\Admin\Desktop\YARA.

Advanced settings


fastScan

Quick YARA Scan. For each object, the application logs one occurrence of the detected indicator. The application also hides duplicates of detected indicators in the log. Quick YARA Scan allows scanning large files quicker.

If this setting is not specified, the application performs a standard YARA scan. In this mode, the application logs duplicates of detected indicators.

maxRules=<maximum number of scan rules>

How many unique rules must trigger for the application to stop the YARA scan.

If the value of this setting is not specified or if 0 is specified, the application performs the YARA scan without limitations.

timeOut=<stop scan after the specified time in seconds>

How long a YARA scan can take, in seconds. When this time runs out, the application stops the YARA scan.

If the value of this setting is not specified or if 0 is specified, the application performs the YARA scan without limitations.

recursive

Recursively scan subfolders when performing a Custom Scan (scanFolders).

scanMemory

Scan the memory of all running processes.

scanFolders <list of folders to be scanned>

Custom Scan. The application scans folders selected by the user.

If this setting is not specified, the application performs a YARA scan of all local disks except network shares, cloud drives, and removable media.

scanProcess <process name>

Scan memory only for specified processes. Kaspersky Endpoint Security supports the * and ? characters when entering a mask.

maxFileSize=<file size in bytes>

Limit file size for the YARA scan. The application skips larger files.

excludes <list of objects to exclude>

Exclude files and folders from the YARA scan. You can specify multiple values separated by spaces. The following values are available:

  • File name
  • File path
  • File extension
  • Mask of the file path

Exclusions must be specified with the scanFolders parameter.

Example:

scanFolders C:\*.* excludes readme.txt C:\trusted\*.* *.xml – the application skips the readme.txt file, all files from the C:\trusted folder, and all files with the xml extension in the root folder on disk C.

logFolder <path to the folder for saving the scan results in a TXT file>

Save the results of the YARA scan to a file in the specified folder. The application also outputs the results of the YARA scan to the command line.
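An added helper (not Kaspersky's code) that checks a rule file against the one-rule-per-file recommendation and assembles the avp.com YARA command line from the settings documented above. Function and parameter names are assumptions; the sample rule is constructed for illustration; file paths are passed bare, as in the file1.yar example, and the keywords are spelled as on this page.

```python
import re

# Matches one YARA rule declaration: "rule Foo", "private rule Bar", "global private rule Baz".
RULE_DECL = re.compile(r"^\s*(?:(?:private|global)\s+)*rule\s+[A-Za-z_]\w*", re.MULTILINE)

# Constructed one-rule file content (not a real detection), per the one-rule-per-file advice.
SAMPLE_RULE = 'rule Example_Marker { strings: $s = "constructed-marker" condition: $s }'


def count_rules(yara_source: str) -> int:
    """Number of rule declarations in a YARA file; more than one makes results harder to read."""
    return len(RULE_DECL.findall(yara_source))


def build_yara_command(rule_files=(), rule_dir=None, fast_scan=False, max_rules=0, timeout=0,
                       recursive=False, scan_memory=False, scan_folders=(), scan_process=None,
                       max_file_size=0, excludes=(), log_folder=None):
    """Assemble the avp.com YARA command line as a token list (join with spaces to run).

    Keywords follow this page; 0 for maxRules/timeOut/maxFileSize means "no limit" and is omitted.
    """
    if bool(rule_files) == bool(rule_dir):
        raise ValueError("give either full YARA file paths or rule_dir (/path=), not both")
    if excludes and not scan_folders:
        raise ValueError("excludes must be specified together with scanFolders")
    cmd = ["avp.com", "YARA"]
    # Rule source: bare full paths (assumed from the file1.yar example) or /path=<folder>.
    cmd += list(rule_files) if rule_files else [f"/path={rule_dir}"]
    if fast_scan:
        cmd.append("fastScan")
    if max_rules:
        cmd.append(f"maxRules={int(max_rules)}")
    if timeout:
        cmd.append(f"timeOut={int(timeout)}")
    if scan_folders:
        cmd += ["scanFolders", *scan_folders]
    if recursive:
        cmd.append("recursive")
    if scan_memory:
        cmd.append("scanMemory")
    if scan_process:
        cmd += ["scanProcess", scan_process]
    if max_file_size:
        cmd.append(f"maxFileSize={int(max_file_size)}")
    if excludes:
        cmd += ["excludes", *excludes]
    if log_folder:
        cmd += ["logFolder", log_folder]
    return cmd
```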

Command return values:

You can view the results of a YARA scan in the Kaspersky Anti Targeted Attack Platform console. Only task status is available in Kaspersky Security Center.

If the command was executed successfully (return value 0) and indicators of compromise were detected during the scan, Kaspersky Endpoint Security outputs the following task result information to the command line:

Offset

Offset in the object for which Kaspersky Endpoint Security is performing a YARA scan.

Object Name

Name of the object that the application is scanning.

Rule Name

Name of the rule that the application is using for the YARA scan.
