    YARA
    • 10 Oct 2025
    This documentation version is deprecated; a newer version exists.


    Note that instead of using the yara_update command directly, it is recommended to use the YARA extension available through the web UI and REST interface.

    yara_scan

    Scan for a specific YARA signature in memory and files on the endpoint.

    Platforms:

    The memory component of the scan on MacOS may be less reliable due to recent limitations imposed by Apple.

    yara_scan [--pid PID] [--filePath FILEPATH] [--processExpr PROCESSEXPR] [--is-memory-only] [--is-no-validation] [--root-dir ROOT-DIR] [--file-exp FILE-EXP] [--depth DEPTH] RULE
    
    Positional arguments:
      RULE                   rule to compile and run on sensor, Yara resource reference like "lcr://service/yara/my-source,other-source", literal rule or "https://" URL or base64 encoded rule
    
    Options:
      --pid PID, -p PID      pid of the process to scan [default: -1]
      --filePath FILEPATH, -f FILEPATH
                             path to the file to scan
      --processExpr PROCESSEXPR, -e PROCESSEXPR
                             expression to match on to scan (matches on full process path)
      --is-memory-only       only scan the memory, ignore files on disk. [default: true]
      --is-no-validation     if specified, do not validate the rule before sending. [default: false]
      --root-dir ROOT-DIR, -r ROOT-DIR
                             the root directory where to begin the search for files to scan
      --file-exp FILE-EXP, -x FILE-EXP
                             a file name expression supporting basic wildcards like * and ? to match against files in the --root-dir [default: *]
      --depth DEPTH, -d DEPTH
                             optional maximum depth of the search for files to scan, defaults to a single level

    yara_update

    Update the compiled YARA signature bundle that is being used for constant memory and file scanning on the sensor.

    Platforms:

    usage: yara_update [-h] rule
    
    positional arguments:
      rule        rule to compile and set on sensor for constant scanning, literal rule or "https://" URL or base64 encoded rule
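
    The following helper is an added example for composing yara_scan and yara_update command lines from the options listed above; it is not LimaCharlie's own code. It classifies the RULE argument into the four forms the help text names (lcr:// resource, https:// URL, literal rule, base64), base64-encodes a literal rule so it travels as one token, and builds the argument list. The sample rule is constructed for the demonstration, and the choice of standard base64 over UTF-8 text for the encoded form is an assumption (the page does not say which base64 variant the sensor expects).

```python
"""Compose yara_scan / yara_update argument lists (added example, not LimaCharlie code)."""
import base64
import binascii
import shlex

# Constructed sample rule for the demonstration; not taken from the page.
SAMPLE_RULE = """rule example_marker
{
    strings:
        $s = "EXAMPLE-MARKER-STRING"
    condition:
        $s
}
"""


def rule_reference_kind(rule: str) -> str:
    """Return which RULE form a string is, per the yara_scan help text:
    'lcr' (lcr://service/yara/... resource), 'url' (https://...),
    'literal' (rule text) or 'base64'. Raises ValueError otherwise."""
    if not rule:
        raise ValueError("empty rule reference")
    if rule.startswith("lcr://"):
        return "lcr"
    if rule.startswith("https://"):
        return "url"
    # Every YARA rule body has a condition section; treat that as literal text.
    if "condition:" in rule:
        return "literal"
    try:
        base64.b64decode(rule, validate=True)
    except (ValueError, binascii.Error):
        raise ValueError("not an lcr://, https://, literal or base64 rule reference")
    return "base64"


def encode_rule_base64(rule_text: str) -> str:
    """Standard base64 of the UTF-8 rule text (assumed encoding, see lead-in)."""
    return base64.b64encode(rule_text.encode("utf-8")).decode("ascii")


def decode_rule_base64(encoded: str) -> str:
    """Inverse of encode_rule_base64, used to check a round trip."""
    return base64.b64decode(encoded, validate=True).decode("utf-8")


def build_yara_scan(rule, pid=None, file_path=None, process_expr=None,
                    memory_only=False, no_validation=False, root_dir=None,
                    file_exp=None, depth=None):
    """Build the yara_scan token list from the options in the help text.
    memory_only/no_validation only emit their flag when True; the help
    states the sensor-side defaults. Literal rules are base64-encoded."""
    argv = ["yara_scan"]
    if pid is not None:
        if int(pid) < 0:
            raise ValueError("pid must be >= 0")
        argv += ["--pid", str(int(pid))]
    if file_path is not None:
        argv += ["--filePath", file_path]
    if process_expr is not None:
        argv += ["--processExpr", process_expr]
    if memory_only:
        argv.append("--is-memory-only")
    if no_validation:
        argv.append("--is-no-validation")
    if root_dir is not None:
        argv += ["--root-dir", root_dir]
    if file_exp is not None:
        argv += ["--file-exp", file_exp]
    if depth is not None:
        if int(depth) < 0:
            raise ValueError("depth must be >= 0")
        argv += ["--depth", str(int(depth))]
    if rule_reference_kind(rule) == "literal":
        rule = encode_rule_base64(rule)
    argv.append(rule)
    return argv


def build_yara_update(rule):
    """Build the yara_update token list. Its help lists only literal,
    https:// and base64 forms, so lcr:// references are rejected here."""
    kind = rule_reference_kind(rule)
    if kind == "lcr":
        raise ValueError("yara_update help does not list lcr:// references")
    if kind == "literal":
        rule = encode_rule_base64(rule)
    return ["yara_update", rule]


if __name__ == "__main__":
    # Disk scan of a directory subtree, and an update with the same rule.
    print(shlex.join(build_yara_scan(SAMPLE_RULE, root_dir="/tmp", file_exp="*.dll", depth=2)))
    print(shlex.join(build_yara_update(SAMPLE_RULE)))
```

    shlex.join produces a single shell-safe string from the token list, which is handy when the command is pasted into the sensor console rather than passed as an argument vector.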