Running Yara scans on demand

Unscheduled Yara scans can be run whenever needed. To do so, you must create a Yara scan task.

  1. Select the Responses > Manual tasks menu and click on Create a task.

  2. Select Yara scan.
    You can also open the tasks panel through Agent logs by selecting a log and clicking on Tasks > Create a Yara scan task.

  3. Give your task a name.

  4. Click on Add analysis units and select the analysis units that you want to include in your Yara scan. Click on Next.

  5. Click on Log settings to determine the severity and destination of the SES Evolution logs generated during the Yara scan.

  6. In File scan parameters, select Default scan to run a recursive scan on the folder \\.\EsaRoots\SystemDrive and exclude the folders \\.\EsaRoots\SystemRoot, \\.\EsaRoots\ProgramFiles and \\.\EsaRoots\ProgramFilesX86. Otherwise, select Custom scan:
    • Analyze the image file of running processes: checks whether the .exe image file of each running process contains the Yara pattern you are looking for. This option also allows you to shut down any malicious processes identified on agents during the Yara scan, and/or to exclude from the scan any processes run by Windows administrator and/or system accounts.
    • File extensions: Restricts scans to the indicated extensions.
    • Included files and folders: runs the scan on indicated files and folders with or without recursion.
    • Excluded files and folders: excludes from the scan indicated files and folders with or without recursion. Click on the + icon to add another path.
  7. In the Process scan parameters, select Default scan to run a memory scan of all the processes being executed on the workstation. Otherwise, select Custom scan:
    • Shut down the process detected: Stops dangerous processes identified during the Yara scan.
    • Exclude processes run by: Excludes from the analysis the processes that were run with the indicated integrity levels (administrator and/or system).
    • Directory of excluded processes: Excludes from the analysis the processes for which the executable files are located in the indicated folders. Click on the + icon to add another path.
      You can also export scan settings in JSON format and import them again for other tasks.
  8. Click on Next and select all the agents on which you want to run the Yara scan. Use filters where necessary to display only agents that meet certain criteria.

  9. Click on Run task.
    The task will appear in the main task panel.
  10. Right-click on each task to perform the following operations:
    • Browse to the agent logs corresponding to this task,
    • Remove the task from the list,
    • Cancel the task currently being run on agents,
    • Run the task again by changing some settings.

      You can also Delete completed tasks from the tasks panel.

  11. Click on the arrow to the left of the task to show details about the analysis units that the task contains.
    Click on Clear selection to cancel a running analysis unit.
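The following is an added example, not part of the SES Evolution documentation or product code: a small Python model of the file scope defined in steps 6 and 7, so that you can check which paths a Default scan or a Custom scan (included/excluded folders with or without recursion, extension filter) would actually read before running the task on agents. The EsaRoots alias values and the exact include/exclude precedence are assumptions made for the example.

```python
from dataclasses import dataclass, field
from pathlib import PureWindowsPath

# Constructed mapping: the EsaRoots aliases used in the procedure, resolved to
# example Windows locations (assumption; the agent resolves them per machine).
ESA_ROOTS = {
    r"\\.\EsaRoots\SystemDrive": "C:\\",
    r"\\.\EsaRoots\SystemRoot": r"C:\Windows",
    r"\\.\EsaRoots\ProgramFiles": r"C:\Program Files",
    r"\\.\EsaRoots\ProgramFilesX86": r"C:\Program Files (x86)",
}

def resolve(path: str) -> PureWindowsPath:
    """Expand an EsaRoots alias prefix (whole component only); other paths pass through."""
    for alias, real in ESA_ROOTS.items():
        rest = path[len(alias):]
        if path.lower().startswith(alias.lower()) and rest[:1] in ("", "\\"):
            return PureWindowsPath(real) / rest.lstrip("\\")
    return PureWindowsPath(path)

@dataclass
class ScanScope:
    included: list = field(default_factory=list)  # (path, recursive) pairs
    excluded: list = field(default_factory=list)  # (path, recursive) pairs
    extensions: set = field(default_factory=set)  # empty = no restriction

def default_scope() -> ScanScope:
    """Default scan: recurse over SystemDrive, skip the three excluded roots."""
    return ScanScope(
        included=[(r"\\.\EsaRoots\SystemDrive", True)],
        excluded=[(r"\\.\EsaRoots\SystemRoot", True),
                  (r"\\.\EsaRoots\ProgramFiles", True),
                  (r"\\.\EsaRoots\ProgramFilesX86", True)])

def _under(path: PureWindowsPath, root: PureWindowsPath, recursive: bool) -> bool:
    """Root itself or a direct child always matches; deeper paths only if recursive."""
    p = [s.lower() for s in path.parts]
    r = [s.lower() for s in root.parts]
    if p[:len(r)] != r:
        return False
    return len(p) - len(r) <= 1 or recursive

def in_scope(path: str, scope: ScanScope) -> bool:
    """Extension filter, then an include must match, then no exclude may match (assumed order)."""
    target = PureWindowsPath(path)
    if scope.extensions and target.suffix.lower() not in scope.extensions:
        return False
    if not any(_under(target, resolve(root), rec) for root, rec in scope.included):
        return False
    return not any(_under(target, resolve(root), rec) for root, rec in scope.excluded)
```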