Note that instead of using the yara_update command directly, it is recommended to use the YARA extension available through the web UI and REST interface.
yara_scan
Scan for a specific yara signature in memory and files on the endpoint.
Platforms:
The memory component of the scan on macOS may be less reliable due to recent limitations imposed by Apple.
yara_scan [--pid PID] [--filePath FILEPATH] [--processExpr PROCESSEXPR] [--is-memory-only] [--is-no-validation] [--root-dir ROOT-DIR] [--file-exp FILE-EXP] [--depth DEPTH] RULE
Positional arguments:
RULE rule to compile and run on the sensor: a YARA resource reference like "lcr://service/yara/my-source,other-source", a literal rule, an "https://" URL, or a base64-encoded rule
Options:
--pid PID, -p PID pid of the process to scan [default: -1]
--filePath FILEPATH, -f FILEPATH
path to the file to scan
--processExpr PROCESSEXPR, -e PROCESSEXPR
expression matched against the full process path to select the processes to scan
--is-memory-only only scan the memory, ignore files on disk. [default: true]
--is-no-validation if specified, do not validate the rule before sending. [default: false]
--root-dir ROOT-DIR, -r ROOT-DIR
the root directory where to begin the search for files to scan
--file-exp FILE-EXP, -x FILE-EXP
a file name expression supporting basic wildcards like * and ? to match against files in the --root-dir [default: *]
--depth DEPTH, -d DEPTH
optional maximum depth of the search for files to scan, defaults to a single level
yara_update
Update the compiled yara signature bundle that is being used for constant memory and file scanning on the sensor.
Platforms:
usage: yara_update [-h] rule
positional arguments:
rule rule to compile and set on the sensor for constant scanning: a literal rule, an "https://" URL, or a base64-encoded rule
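Both yara_scan and yara_update accept the RULE positional as a literal rule, a URL, a resource reference or a base64-encoded rule. A multi-line literal rule is awkward to pass on a single command line, which is why the base64 form exists. The following helper is an added example, not code from the page or from the sensor project: it base64-encodes a literal rule and assembles the yara_scan and yara_update command strings from the options documented above. The option names and flags come from the page; the function names, the sample rule, and the shlex-style quoting of arguments are assumptions of this example. Sending the resulting string to the sensor (web UI, REST or SDK) is outside the block.

```python
import base64
import shlex
from typing import Optional

# Constructed sample rule for demonstration only; it is not from the page.
SAMPLE_RULE = """rule demo_credential_tool_strings
{
    meta:
        description = "constructed example rule used to build a yara_scan task"
    strings:
        $s1 = "sekurlsa::logonpasswords" ascii wide nocase
        $s2 = "privilege::debug" ascii wide nocase
    condition:
        any of them
}
"""


def encode_rule(rule_text: str) -> str:
    """Base64-encode a literal rule so it travels as a single argv token.

    A multi-line rule contains spaces, quotes, braces and newlines that a
    command parser would split or mangle; the RULE positional also accepts a
    base64-encoded rule, which sidesteps all of that.
    """
    return base64.b64encode(rule_text.encode("utf-8")).decode("ascii")


def decode_rule(encoded: str) -> str:
    """Inverse of encode_rule, used to check the round trip."""
    return base64.b64decode(encoded.encode("ascii")).decode("utf-8")


def build_yara_scan(
    rule: str,
    *,
    rule_is_reference: bool = False,
    pid: Optional[int] = None,
    file_path: Optional[str] = None,
    process_expr: Optional[str] = None,
    memory_only: bool = False,
    no_validation: bool = False,
    root_dir: Optional[str] = None,
    file_exp: Optional[str] = None,
    depth: Optional[int] = None,
) -> str:
    """Assemble a yara_scan command line from the documented options.

    `rule` is a literal rule (base64-encoded here) or, when rule_is_reference
    is True, an lcr:// reference or https:// URL passed through untouched.
    Flags are emitted only when asked for; the sensor applies its own defaults
    otherwise (the page lists --is-memory-only as defaulting to true).
    """
    argv = ["yara_scan"]
    if pid is not None:
        argv += ["--pid", str(pid)]
    if file_path is not None:
        argv += ["--filePath", file_path]
    if process_expr is not None:
        argv += ["--processExpr", process_expr]
    if memory_only:
        argv.append("--is-memory-only")
    if no_validation:  # skips rule validation before sending; keep it off
        argv.append("--is-no-validation")
    if root_dir is not None:
        argv += ["--root-dir", root_dir]
    if file_exp is not None:
        argv += ["--file-exp", file_exp]
    if depth is not None:
        argv += ["--depth", str(depth)]
    argv.append(rule if rule_is_reference else encode_rule(rule))
    # Assumption: the command parser honours shell-style quoting. shlex.quote
    # leaves base64 text and lcr:// references bare and single-quotes anything
    # containing wildcards, backslashes or spaces (e.g. a --processExpr).
    return " ".join(shlex.quote(a) for a in argv)


def build_yara_update(rule: str, *, rule_is_reference: bool = False) -> str:
    """Same positional-argument handling for yara_update, which has no options."""
    arg = rule if rule_is_reference else encode_rule(rule)
    return " ".join(["yara_update", shlex.quote(arg)])


if __name__ == "__main__":
    print(build_yara_scan("lcr://service/yara/my-source,other-source",
                          rule_is_reference=True, process_expr="*\\svchost.exe"))
    print(build_yara_scan(SAMPLE_RULE, root_dir="C:\\Users", file_exp="*.dll",
                          depth=3))
    print(build_yara_update(SAMPLE_RULE))
```

The builder deliberately does not set --is-no-validation unless told to: the sensor validates the rule before sending by default, and a rule that fails to compile is better caught there than on every endpoint. How --is-memory-only interacts with --root-dir is not stated on the page, so the helper passes the flags through exactly as requested rather than inferring a combination.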