YARA. Running YARA Scan

Running the Run YARA Scan task. The application scans files and objects for indicators of targeted attacks on the corporate IT infrastructure using databases of YARA rules. YARA rules are descriptions of signatures of targeted attacks and intrusions into the corporate IT infrastructure that Kaspersky Endpoint Security uses to scan objects.

To run a YARA scan, you must prepare YARA files that describe rules. When creating YARA files, consider the following requirements:

Kaspersky Endpoint Security supports YARA files with the .YARA and .YAR extensions that follow the YARA 4.2.3 open standard for describing indicators of compromise.
Only files with YARA rules can be specified for the task. The Run YARA Scan task does not support other rule types.
If you have added YARA files that Kaspersky Endpoint Security does not support, or the rules contain syntax errors, the task is aborted with the corresponding error message.
The identifiers of all YARA files used in a single task must be unique. If there are YARA files with the same identifier, it might affect the task execution results.
A YARA scan is aborted after 128 matches with indicators described in YARA rules. This is necessary to limit the number of entries in the YARA scan report to make it easier to analyze and to protect the report from overflowing because of imprecisely formulated YARA rules that may generate a vast number of matches.

Kaspersky recommends creating one rule per YARA file. This makes the scan results more readable.

A YARA scan can take a long time. Depending on the drive size, task settings, and the number of objects on the disk, a YARA scan can last anywhere from several minutes to several hours. The application does not display a progress indicator. It is not possible to stop or cancel a YARA scan. You are advised to wait until the results of a YARA scan are available.

Command syntax

avp.com YARA <full path to the YARA file>|/path=<path to the folder with YARA files> [<advanced settings>]

YARA files

<full path to the YARA file>

Full path to the YARA file that you want to use for scanning. You can specify paths to multiple YARA files separated by spaces.

Required argument if the /path=<path to the folder with YARA files> value is not specified.

Example:

C:\Users\Admin\Desktop\YARA\file1.yar C:\Users\Admin\Desktop\YARA\file2.yar

/path=<path to the folder with YARA files>

Full path to a folder with YARA files that you want to use for scanning.

Required argument if the <full path to the YARA file> value is not specified.

Example:

/path=C:\Users\Admin\Desktop\YARA

Advanced settings
`/fastScan=<on\|off>`	Quick YARA Scan. For each object, the application logs one occurrence of the detected indicator. The application also hides duplicates of detected indicators in the log. Quick YARA Scan allows scanning large files quicker. If this setting is not specified, the application performs a standard YARA scan. In this mode, the application logs duplicates of detected indicators.
`/maxRules=<maximum number of scan rules>`	Limit of the number of unique triggered rules that makes the application stop the YARA scan when reached. If the value of this setting is not specified or if `0` is specified, the application performs the YARA scan without limitations.
`/timeOut=<stop scan after the specified time in seconds>`	Limit of the YARA scan duration in seconds. When this time runs out, the application stops the YARA scan. If the value of this setting is not specified or if `0` is specified, the application performs the YARA scan without limitations.
`/recursive=<on\|off>`	This argument starts a recursive scan of subfolders within the `/scanFolders` Custom Scan.
`/scanFolders=<list of folders to be scanned>`	This argument starts a YARA scan of files in the specified list of folders. You can specify multiple values separated by spaces. Kaspersky Endpoint Security supports the `*` and `?` characters when entering a folder path mask. If this setting is not specified, the application performs a YARA scan of all local disks except network shares, cloud drives, and removable media.
`/scanMemory=<on\|off>`	Scan the memory of all running processes.
`/scanProcess=<process name>`	Scan memory only for the listed processes. Specify space-separated full paths to executable files of processes. You can also use `*` and `?` characters to enter a mask.
`/maxSize=<file size in bytes>`	File size limit for the YARA scan. The application skips larger files.
`/includes=<list of objects to be scanned>`>	Editing the scan scope. You can specify multiple values separated by spaces. The following values are available: File name File extension Scan scope must be specified with the `/scanFolders` parameter. Example: `/scanFolders C:\. /includes=.exe .dll` – the application scans all files with the .EXE and .DLL extensions on disk C.
`/excludes=<list of objects to be scanned>`	Excluding files from the YARA scan. You can specify multiple values separated by spaces. The following values are available: File path Mask of the file path Exclusions must be specified with the `/scanFolders` parameter. Example: `/scanFolders C:\. /excludes readme.txt C:\trusted\. *.xml` – the application skips the readme.txt file, all files from the C:\trusted folder, and all files with the .XML extension in the root folder on disk C.
`/scanAutoruns=<on\|off>`	YARA scan of autorun point objects.
`/excludeAutoruns=<list of autorun point areas to skip>`	Excluding autorun point objects from the scan scope. Specify space-separated full paths to executable files of processes. You can also use `*` and `?` characters to enter a mask.
`/logFolder=<path to the folder for saving the scan results in a TXT file>`	If you specify a path to a folder, the application saves scan results at the specified path in a file named yara_<computer name>_<scan completion time>.txt. If you specify a path to a specific TXT file, the application saves the scan results in that file. For example: `/logFolder=C:\test` or `/logFolder=C:\test\abc.txt`. Scan results are output to the command line regardless of whether the `/logFolder` option is specified.

Command return values:

-1 means the command is not supported by the version of the application that is installed on the computer.
0 – the command completed successfully.
1 means a mandatory argument was not passed to the command.
2 means a general error occurred.
4 means there was a syntax error.
5: One or more YARA rule files specified in the argument could not be found.

If the command was executed successfully (return value 0) and indicators of compromise were detected along the way, Kaspersky Endpoint Security outputs the following task result information to the command line:

`Started at <time>` `Finished at <time>`	Start time and completion time of a scan.
`Host name: <computer name>`	The name of the computer on which the object was detected.
`Result: <error>`	Error code for the error that occurred while running the task. If there are no errors, the application outputs `0x00000000`.
`Comment: <comment text>`	Error description for the error that occurred while running the task. For example, `Operation timeout`.
`Object Name:` or `Process:` (when scanning process memory)	The name of the object or process on which the YARA rule triggered.
`Md5: <md5 hash>` `Sha256: <sha256 hash>`	Hashes of the object on which the YARA rule triggered.
`Rule Name`	The name of the triggered YARA rule.
`Meta:` `Author: <author>` `Date: <date>` `Description: <description>`	Metadata specified in the YARA rule.
`Detects:` `Offset : String name : String data` `<offset> : <string name> : <string data>`	Found matches within the object that meet the YARA rule conditions: Offset in the process memory or file where a match was detected (`Offset`). The name of the matching string in the YARA rule (`String name`). The matching string in the process memory or file (`String data`).

Page top