Kaspersky Anti Targeted Attack (KATA) Platform

Creating a task to scan hosts using YARA rules

8 November 2023

ID 247376

You can scan hosts with the Endpoint Agent component using YARA rules. To do so, you must create a Start YARA scan task. You can create the task:

  • In the Tasks section.

    In this case, when creating the task, you must select YARA rules that you want to use to scan hosts.

  • In the Custom rules section, YARA subsection.

    In this case, a task is created to scan hosts using selected YARA rules.

To create a task for scanning hosts with the Kaspersky Endpoint Agent component using YARA rules in the Tasks section:

  1. Select the Tasks section in the application web interface window.

    This opens the task table.

  2. Click Add and select Start YARA scan.

    This opens the task creation window.

  3. Configure the following settings:
    1. Select rules is the name of the rule. You can enter the name of the rule or a sequence of characters from the name of the rule, then select the rule in the list.

      You can add multiple rules.

    2. Scan is the scan scope. Select one of the following options:
      • RAM if you want to scan processes that are running at the time of the task execution.

        The application does not scan processes with a low priority.

      • Autorun points if you want to scan autorun points obtained from the Get forensics task.

        If you are using Kaspersky Endpoint Agent as the Endpoint Agent component, this function is available only when integrated with Kaspersky Endpoint Agent 3.13 or later.

        To have autorun points scanned, you must specify hosts on which the Get forensics task was previously run.

      • Specified directories if you want to scan files that are located in a specified folder and all its nested folders at the time of the task execution.
      • All local disks if you want to scan files stored in all folders on local disks at the time of the task execution.

        Scanning all local disks can cause high load on the host.

    3. If you selected RAM, if necessary, do the following:
      • In the Processes field, enter short names of processes or a mask of files that you want to scan.

        The application scans all processes with identical names that are running on the host.

        If the Processes field is left blank, the application scans all processes that were running at the time of the task execution, except processes with a PID under 10 and processes listed in the Exclusions field.

      • In the Exclusions field, enter short names of processes or a mask of files that you want to exclude from scanning.

        If multiple processes with identical names are running on the host, the application excludes all such processes from scanning.

    4. If you selected Autorun points, in the Scan type field, select the scan type:
      • Quick.

        In this case, all autorun points are scanned, except COM objects.

      • Full.

        In this case, all autorun points are scanned, as well as files involved with them.

      If you are using Kaspersky Endpoint Security for Windows as the Endpoint Agent component, a full scan is performed regardless of the selected setting.

    5. If you selected Specified directories:
      • In the Specified directories field, specify the path to the directory in the format C:\<directory name>\*.
      • In the Exclusions field, specify the path to the directory to exclude from scanning, in the format C:\<directory name>\*.
    6. Maximum scan duration is the maximum scan duration.

      When this time elapses, the scan is stopped even if some rules were not applied to scan the hosts. The task report contains results that are up-to-date at the moment when the scan was stopped.

    7. Description is the task description. This field is optional.
    8. Task for is the task scope:
      • If you want to run the task on all hosts of all servers, select the All hosts option.
      • If you want to run the task on selected servers, select the Specified servers option and on the right of the Servers parameter name select the check boxes next to the names of the servers on which you want to run the task.

        This option is available only when distributed solution and multitenancy mode is enabled.

      • If you want to run the task on selected hosts, select the Specified hosts option and list these hosts in the Hosts field.

        If you are using Kaspersky Endpoint Agent in the role of the Endpoint Agent component, the task for scanning Kaspersky Endpoint Agent hosts using YARA rules can be assigned only to hosts running Kaspersky Endpoint Agent for Windows version 3.12 and later. If you simultaneously assign a task to hosts with Kaspersky Endpoint Agent 3.12 and earlier versions of the application, the task is executed only on hosts with Kaspersky Endpoint Agent 3.12.
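The following Python script is an added illustration of the scan-scope rules described in step 3; it is not Kaspersky code and does not call the KATA API. It models what the RAM scope selects from a process list (blank Processes field scans everything except PIDs under 10 and Exclusions; an explicit name or mask selects every process with a matching name) and what the Specified directories scope covers for patterns of the form C:\<directory name>\* with exclusions in the same format. The sample process list and file paths are constructed, and the assumptions that masks follow shell-style wildcards and that matching is case-insensitive (as Windows process names are) are the script's, not the page's.

```python
"""Model of the Start YARA scan scope rules described on this page.
Added illustration, not Kaspersky code: it reproduces only the documented
selection semantics so an analyst can predict what a task will cover."""
import fnmatch
from dataclasses import dataclass

MIN_SCANNED_PID = 10  # page: with a blank Processes field, PIDs under 10 are skipped


@dataclass(frozen=True)
class Process:
    pid: int
    name: str  # short process name, e.g. "svchost.exe"


def _matches_any(name: str, patterns) -> bool:
    # Entries may be short names or file masks. Assumption: masks use
    # shell-style wildcards and matching is case-insensitive.
    return any(fnmatch.fnmatchcase(name.lower(), p.lower()) for p in patterns)


def select_processes(processes, include=(), exclude=()):
    """RAM scope: return the processes the task would scan.

    - Processes blank: every running process except PID < 10 and Exclusions.
    - Processes given: every process whose name matches an entry or mask;
      all processes sharing that name are selected (or excluded) together.
    """
    selected = []
    for p in processes:
        if not include and p.pid < MIN_SCANNED_PID:
            continue
        if include and not _matches_any(p.name, include):
            continue
        if _matches_any(p.name, exclude):
            continue
        selected.append(p)
    return selected


def _dir_prefix(pattern: str) -> str:
    # Accept the documented form C:\<directory name>\* and normalise it to a
    # directory prefix; the pattern covers the folder and all nested folders.
    pattern = pattern.strip().lower()
    if not pattern.endswith("\\*"):
        raise ValueError(f"expected a pattern like C:\\<directory name>\\*, got {pattern!r}")
    return pattern[:-1]  # keep the trailing backslash: "c:\\tools\\"


def select_files(paths, scan_dirs, exclude_dirs=()):
    """Specified directories scope: files under any scan_dirs pattern that
    are not under any exclude_dirs pattern."""
    scan = [_dir_prefix(d) for d in scan_dirs]
    skip = [_dir_prefix(d) for d in exclude_dirs]
    chosen = []
    for path in paths:
        low = path.lower()
        if any(low.startswith(s) for s in scan) and not any(low.startswith(x) for x in skip):
            chosen.append(path)
    return chosen


# Constructed sample inventory for a demonstration run (not from a real host).
SAMPLE_PROCESSES = [
    Process(0, "System Idle Process"),
    Process(4, "System"),
    Process(612, "svchost.exe"),
    Process(844, "svchost.exe"),
    Process(1320, "explorer.exe"),
    Process(2048, "powershell.exe"),
    Process(2210, "MsMpEng.exe"),
]
SAMPLE_FILES = [
    r"C:\Tools\bin\helper.exe",
    r"C:\Tools\cache\tmp.dat",
    r"C:\Windows\System32\kernel32.dll",
    r"D:\Data\report.docx",
]

if __name__ == "__main__":
    # Blank Processes field with one exclusion: PIDs 0 and 4 and MsMpEng.exe drop out.
    print([p.pid for p in select_processes(SAMPLE_PROCESSES, exclude=["MsMpEng.exe"])])
    # A mask selects both svchost.exe instances together.
    print([p.pid for p in select_processes(SAMPLE_PROCESSES, include=["svchost*"])])
    # Directory scope with a nested exclusion.
    print(select_files(SAMPLE_FILES, [r"C:\Tools\*"], [r"C:\Tools\cache\*"]))
```

Use it to sanity-check a planned task: if the exclusion list removes a process family you expected to cover, or a directory pattern lacks the trailing \*, the script reports it before the task is queued on hosts.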

To create a task for scanning Kaspersky Endpoint Agent for Windows hosts using YARA rules in the Custom rules section, YARA subsection:

  1. In the window of the application web interface, select the Custom rules section, YARA subsection.
  2. Select check boxes to the left of rules that you want to use when scanning the hosts.

    A control panel appears in the lower part of the window.

  3. Click Start YARA scan.
  4. Carry out step 3 of the instruction above.

Task creation is complete. The task runs automatically after it is created.

If the scan detects any threats, Kaspersky Anti Targeted Attack Platform creates corresponding alerts.

Users with the Security auditor role cannot create a task for scanning hosts using YARA rules.

Users with the Security officer role do not have access to tasks.
