• 19 Apr 2023
Note that instead of using the yara_update command directly, it is recommended
to use the YARA service available through the web UI and REST interface.


yara_update: update the compiled YARA signature bundle used for constant memory and file scanning on the sensor.

Platforms: Windows, Linux, MacOS

usage: yara_update [-h] rule

positional arguments:
  rule        rule to compile and set on the sensor for constant scanning: a literal rule, an "https://" URL, or a base64-encoded rule


yara_scan: scan for a specific YARA signature in memory and in files on the endpoint.

Platforms: Windows, Linux, MacOS

The memory component of the scan on MacOS may be less reliable due to recent limitations imposed by Apple.

yara_scan [--pid PID] [--filePath FILEPATH] [--processExpr PROCESSEXPR] [--is-memory-only] [--is-no-validation] [--root-dir ROOT-DIR] [--file-exp FILE-EXP] [--depth DEPTH] RULE

Positional arguments:
  RULE                   rule to compile and run on the sensor: a YARA resource reference such as "lcr://service/yara/my-source,other-source", a literal rule, an "https://" URL, or a base64-encoded rule

Optional arguments:
  --pid PID, -p PID      pid of the process to scan [default: -1]
  --filePath FILEPATH, -f FILEPATH
                         path to the file to scan
  --processExpr PROCESSEXPR
                         expression to match on to select processes to scan (matches on the full process path)
  --is-memory-only       only scan the memory, ignore files on disk. [default: true]
  --is-no-validation     if specified, do not validate the rule before sending. [default: false]
  --root-dir ROOT-DIR, -r ROOT-DIR
                         the root directory where to begin the search for files to scan
  --file-exp FILE-EXP, -x FILE-EXP
                         a file name expression supporting basic wildcards like * and ? to match against files in the --root-dir [default: *]
  --depth DEPTH, -d DEPTH
                         optional maximum depth of the search for files to scan, defaults to a single level
