Kaspersky Endpoint Agent

About YARA scan in Kaspersky Endpoint Agent

November 17, 2023

ID 225454

A YARA scan is a process performed by Kaspersky Endpoint Agent to search for malicious activity signatures on devices using YARA files (signature files of the open YARA standard). The scan is performed recursively on local drives. The scan is not supported for network, connected and cloud resources.

Kaspersky Endpoint Agent supports the following types of YARA scans:

  • YARA files scan using the command line – group or local tasks that are created and configured using the command line interface. YARA files prepared by the user are used to run the scan.
  • YARA scan by files downloaded manually via the Kaspersky Anti Targeted Attack Platform web interface – allows application users to use YARA files to search for signs of targeted attacks, infected (or probably infected) objects in the event and detection database, and to scan computers on which Kaspersky Endpoint Agent is installed.

The scan types differ in their management capabilities and configurable settings. The YARA scan types are described in the following table.

YARA scan types

| Scan type | Description |
|---|---|
| YARA files scan using the command line | This scan is started manually using the command line interface, without integration with third-party systems. YARA files prepared by the user are used to run the scan. The scan settings do not depend on the policy settings. The scan results are available in the command line immediately after the scan has been completed. |
| YARA scan by YARA files downloaded manually via the Kaspersky Anti Targeted Attack Platform web interface | YARA files are downloaded manually via the Kaspersky Anti Targeted Attack Platform web interface. It is also possible to configure the YARA scan schedule for computers with Kaspersky Endpoint Agent in the web interface of the Kaspersky Anti Targeted Attack Platform. This scan cannot be managed using the command line. There are no automatic actions when YARA rules are triggered. Scan settings do not depend on Kaspersky Endpoint Agent policies. For detailed information about this type of scan, refer to the Kaspersky Anti Targeted Attack Platform Help. |
