
How to perform Yara-scan using KEA [Kaspersky Endpoint Agent]



The scenario is applicable for KEA version 3.10 and above.

There is no built-in feature to perform a Yara scan in KATA/EDR Expert 3.7.2, but if necessary it can be done with KEA 3.10 and above.

Yara-scan using the Command line

Requirements:

  • KEA 3.10 (and above) installed
  • Files with Yara-rules (*.yara; *.yar)

Scenario:

  1. Ensure that KEA is installed and running;
  2. Run the Yara-scan:

     "C:\Program Files (x86)\Kaspersky Lab\Endpoint Agent\agent.exe" --scan-yara --path c:\rules --folder c:\files --scan-files yes

     Syntax:

     --path [PATH] - the location of the Yara rule files
     --folder [PATH] - the scope of scanning (e.g. C:\ to scan all files on the C drive and its subfolders)

  3. Results will be listed on the CLI


Yara-scan using KATA/EDR Web-UI

Alternatively, you can run the same command using the "Run program" EDR task from the Central Node.


Yara-scan using KSC

If KEA is installed and managed from a KSC server, you can run the command from a *.bat file using the Remote installation task.

Requirements:

  • KEA 3.10 (and above) installed
  • Files with Yara-rules (*.yara; *.yar)
  • Shared folder with READ ALL access
  • Shared folder with WRITE ALL access

Follow these steps:

  1. Prepare the batch file
  2. Prepare Shared folders: one with READ and one with WRITE access for everyone
  3. Create installation package on KSC using *.bat file (see example below)
  4. Create and start "Install application remotely" task

Example:

*.bat file example:

@echo off
rem Scan all files on C:\ with every rule in \\SHARE\YaraRules\ (READ share); append the output to a local file
"C:\Program Files (x86)\Kaspersky Lab\Endpoint Agent\agent.exe" --scan-yara --path \\SHARE\YaraRules\ --folder C:\ --scan-files yes >> C:\Windows\Temp\yara-scan-results.txt
rem Upload the results, named per host, to the WRITE share
copy C:\Windows\Temp\yara-scan-results.txt \\SHARE\YaraScanRusults\%computername%_results.txt

The script starts Yara scanning using KEA: all files on C:\ are scanned with all rules from \\SHARE\YaraRules\, and the results are saved into the \\SHARE\YaraScanRusults\ folder.

\\SHARE\YaraRules\ folder should be available for READ
\\SHARE\YaraScanRusults\ folder should be available for WRITE
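As an added example (not part of the original post), the same KSC scenario as a PowerShell script that checks the prerequisites listed above before running the scan: the KEA version, the presence of rule files on the READ share, and a per-host result file on the WRITE share. It assumes that agent.exe's file version tracks the KEA version and keeps the post's placeholder share names.

```powershell
# Added example, not from the original post: PowerShell equivalent of the KSC batch
# file that validates the prerequisites before running the KEA Yara scan.
# Assumptions: agent.exe's file version reflects the KEA version; share names are
# the post's placeholders and must be reachable by the account KSC runs the task as.
param(
    [string]$Agent       = 'C:\Program Files (x86)\Kaspersky Lab\Endpoint Agent\agent.exe',
    [string]$RulesPath   = '\\SHARE\YaraRules\',
    [string]$ScanFolder  = 'C:\',
    [string]$ResultShare = '\\SHARE\YaraScanRusults\'
)

# 1. KEA 3.10 or later must be installed (the scenario is not applicable to earlier versions).
if (-not (Test-Path -LiteralPath $Agent)) { throw "KEA agent.exe not found at $Agent" }
$ver = [version](Get-Item -LiteralPath $Agent).VersionInfo.FileVersion
if ($ver -lt [version]'3.10') { throw "KEA $ver found; 3.10 or later is required" }

# 2. The READ share must be reachable and actually contain *.yar / *.yara rule files.
$rules = Get-ChildItem -LiteralPath $RulesPath -Include *.yar, *.yara -File -Recurse -ErrorAction Stop
if (-not $rules) { throw "No *.yar/*.yara files readable under $RulesPath" }

# 3. Run the scan, writing stdout to a per-host, timestamped local file first so that a
#    share outage during the scan does not lose the results.
$local = Join-Path $env:TEMP ('yara-scan-{0}-{1:yyyyMMdd-HHmmss}.txt' -f $env:COMPUTERNAME, (Get-Date))
& $Agent --scan-yara --path $RulesPath --folder $ScanFolder --scan-files yes |
    Out-File -LiteralPath $local -Encoding utf8
$rc = $LASTEXITCODE
"Scan finished with exit code $rc" | Add-Content -LiteralPath $local

# 4. Upload the results to the WRITE share and propagate the scan's exit code to KSC.
Copy-Item -LiteralPath $local -Destination (Join-Path $ResultShare (Split-Path $local -Leaf)) -ErrorAction Stop
exit $rc
```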
