YARA
08 Mar 2024

Note that instead of using the yara_update command directly, it is recommended to use the YARA extension available through the web UI and REST interface.

yara_scan

Scan for a specific yara signature in memory and files on the endpoint.

Platforms:

The memory component of the scan on macOS may be less reliable due to recent limitations imposed by Apple.

yara_scan [--pid PID] [--filePath FILEPATH] [--processExpr PROCESSEXPR] [--is-memory-only] [--is-no-validation] [--root-dir ROOT-DIR] [--file-exp FILE-EXP] [--depth DEPTH] RULE

Positional arguments:
  RULE                   rule to compile and run on sensor, Yara resource reference like "lcr://service/yara/my-source,other-source", literal rule or "https://" URL or base64 encoded rule

Options:
  --pid PID, -p PID      pid of the process to scan [default: -1]
  --filePath FILEPATH, -f FILEPATH
                         path to the file to scan
  --processExpr PROCESSEXPR, -e PROCESSEXPR
                         expression matched against the full process path of the processes to scan
  --is-memory-only       only scan the memory, ignore files on disk. [default: true]
  --is-no-validation     if specified, do not validate the rule before sending. [default: false]
  --root-dir ROOT-DIR, -r ROOT-DIR
                         the root directory where to begin the search for files to scan
  --file-exp FILE-EXP, -x FILE-EXP
                         a file name expression supporting basic wildcards like * and ? to match against files in the --root-dir [default: *]
  --depth DEPTH, -d DEPTH
                         optional maximum depth of the search for files to scan, defaults to a single level

yara_update

Update the compiled yara signature bundle that is being used for constant memory and file scanning on the sensor.

Platforms:

usage: yara_update [-h] rule

positional arguments:
  rule        rule to compile and set on sensor for constant scanning, literal rule or "https://" URL or base64 encoded rule
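Both yara_scan and yara_update accept the rule as a literal, an "https://" URL or a base64 encoded rule. Because a literal YARA rule spans several lines and contains characters that are awkward to pass on a command line, the base64 form is the safest way to hand over a rule. The following POSIX shell script is an added example, not code from the LimaCharlie documentation: it encodes a constructed sample rule (which matches the EICAR test string), verifies the encoding round-trips, and assembles yara_scan and yara_update command lines for a file scan, a memory-only scan and a constant-scanning update. The commands are only printed, not sent to a sensor; the assumption that wildcard arguments such as the --file-exp pattern are quoted the way a shell would quote them is the example's own.

```shell
#!/bin/sh
# Added example (not from the LimaCharlie documentation): package a YARA rule
# as the base64 form accepted by the RULE/rule argument of yara_scan and
# yara_update, and build the corresponding command lines. The rule below is
# constructed for illustration; the commands are printed, not executed.

# Constructed sample rule: matches the EICAR anti-malware test string in a
# file or in process memory. The backslash is doubled as YARA requires.
SAMPLE_RULE='rule eicar_test_string
{
    meta:
        description = "Constructed example rule: EICAR anti-malware test string"
    strings:
        $eicar = "X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
    condition:
        $eicar
}'

# Encode a rule as a single-line base64 string (GNU base64 wraps at 76
# columns, so line breaks are stripped; no trailing newline is emitted).
encode_rule() {
    printf '%s' "$1" | base64 | tr -d '\n'
}

# Decode a base64 rule back to text; used to check the round trip.
decode_rule() {
    printf '%s' "$1" | base64 -d
}

# yara_scan over files: start at --root-dir, restrict names with --file-exp
# (basic * and ? wildcards) and limit recursion with --depth.
build_file_scan_cmd() {
    rule_b64=$(encode_rule "$1")
    printf 'yara_scan --root-dir %s --file-exp "%s" --depth %s %s' "$2" "$3" "$4" "$rule_b64"
}

# yara_scan over memory only: --is-memory-only skips files on disk and
# --processExpr selects processes by an expression on their full path.
build_memory_scan_cmd() {
    rule_b64=$(encode_rule "$1")
    printf 'yara_scan --is-memory-only --processExpr "%s" %s' "$2" "$rule_b64"
}

# yara_update: install the rule as the bundle used for constant scanning.
build_update_cmd() {
    rule_b64=$(encode_rule "$1")
    printf 'yara_update %s' "$rule_b64"
}

# Show the three command lines built from the sample rule.
build_file_scan_cmd "$SAMPLE_RULE" /tmp "*.txt" 2
echo
build_memory_scan_cmd "$SAMPLE_RULE" "*/python*"
echo
build_update_cmd "$SAMPLE_RULE"
echo
```

The round trip through decode_rule is the check worth keeping in any wrapper script: a rule that does not decode back to exactly what you wrote (for instance because a wrapped base64 line was passed through) will fail compilation on the sensor, and with --is-no-validation it would not be caught before sending.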
