
How to perform Yara-scan using KEA [Kaspersky Endpoint Agent]


The scenario is applicable for KEA version 3.10 and above.

There is no built-in feature to perform a Yara-scan in KATA/EDR Expert 3.7.2. If necessary, it can be performed with KEA 3.10 and above.

Yara-scan using the Command line

Requirements:

  • KEA 3.10 (and above) installed
  • Files with Yara-rules (*.yara; *.yar)

Scenario:

  1. Ensure that KEA is installed and running.
  2. Run the Yara-scan:

     "C:\Program Files (x86)\Kaspersky Lab\Endpoint Agent\agent.exe" --scan-yara --path c:\rules --folder c:\files --scan-files yes

     Syntax:

     --path [PATH] - the location of the Yara rule files
     --folder [PATH] - the scope of the scan (e.g. C:\ to scan all files on the C drive and its subfolders)

  3. The results are listed on the command line.


Yara-scan using KATA/EDR Web-UI

Alternatively, you can run the same command using the "Run program" EDR task from the Central Node.


Yara-scan using KSC

If KEA is installed and managed by a KSC server, you can start the command from a *.bat file using a remote installation task.

Requirements:

  • KEA 3.10 (and above) installed
  • Files with Yara-rules (*.yara; *.yar)
  • Shared folder with READ ALL access
  • Shared folder with WRITE ALL access

Follow these steps:

  1. Prepare the batch file.
  2. Prepare the shared folders: one with READ and one with WRITE access for everyone.
  3. Create an installation package on KSC using the *.bat file (see the example below).
  4. Create and start an "Install application remotely" task.

Example:

*.bat file example

@echo off
rem Scan every file under C:\ with all rules from the shared rules folder (READ access required)
rem and append the CLI output to a local results file
"C:\Program Files (x86)\Kaspersky Lab\Endpoint Agent\agent.exe" --scan-yara --path \\SHARE\YaraRules\ --folder C:\ --scan-files yes >> C:\Windows\Temp\yara-scan-results.txt
rem Upload the results to the shared results folder (WRITE access required), one file per host
copy C:\Windows\Temp\yara-scan-results.txt \\SHARE\YaraScanRusults\%computername%_results.txt

The script starts a Yara scan using KEA: all files under C:\ are scanned with all rules from \\SHARE\YaraRules\, and the results are saved to the \\SHARE\YaraScanRusults\ folder.

The \\SHARE\YaraRules\ folder must be available for READ.
The \\SHARE\YaraScanRusults\ folder must be available for WRITE.
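The same KSC-deployed scan as a PowerShell wrapper with pre-flight checks, added here as an example and not a script from Kaspersky or this article. It assumes the default KEA install path, the hypothetical share names used above, and only the agent.exe options shown on this page.

```powershell
# Added example (not Kaspersky's own script): wrapper around the KEA Yara-scan
# command documented above, meant to be started by a KSC remote task.
# Assumptions: default KEA path; \\SHARE\YaraRules and \\SHARE\YaraScanRusults
# are the hypothetical share names used in the article.
param(
    [string]$Agent   = 'C:\Program Files (x86)\Kaspersky Lab\Endpoint Agent\agent.exe',
    [string]$Rules   = '\\SHARE\YaraRules',
    [string]$Scope   = 'C:\',
    [string]$Results = '\\SHARE\YaraScanRusults'
)

# Pre-flight: KEA must be installed and at least version 3.10 (the article's stated minimum).
if (-not (Test-Path $Agent)) { Write-Error "agent.exe not found at $Agent"; exit 2 }
$ver = (Get-Item $Agent).VersionInfo.FileVersion
if ([version]$ver -lt [version]'3.10.0') { Write-Error "KEA $ver is below 3.10; Yara-scan is not supported"; exit 3 }

# Pre-flight: the rules share must be readable and contain at least one *.yar / *.yara file.
try {
    $ruleFiles = Get-ChildItem -Path $Rules -Include '*.yar','*.yara' -Recurse -ErrorAction Stop
} catch { Write-Error "Cannot read rules share ${Rules}: $_"; exit 4 }
if (-not $ruleFiles) { Write-Error "No *.yar/*.yara files found in $Rules"; exit 4 }

# Run the scan. KEA prints findings to the console, so capture stdout+stderr into a local file first.
$local = Join-Path $env:TEMP "yara-scan-$env:COMPUTERNAME.txt"
& $Agent --scan-yara --path $Rules --folder $Scope --scan-files yes 2>&1 |
    Out-File -FilePath $local -Encoding utf8
$scanExit = $LASTEXITCODE

# Upload under a host+timestamp name so repeated runs never overwrite an earlier result.
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$dest  = Join-Path $Results "$($env:COMPUTERNAME)_${stamp}_results.txt"
try { Copy-Item -Path $local -Destination $dest -ErrorAction Stop }
catch { Write-Error "Cannot write results to ${Results}: $_"; exit 5 }

exit $scanExit
```

A results share writable by everyone lets any host overwrite or read another host's findings; granting WRITE only to the computer accounts that run the task is the least-privilege option.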
