Running Yara scans on demand

Unscheduled Yara scans can be run whenever needed. To do so, you must create a Yara scan task.

  1. Select the Responses > Manual tasks menu and click on Create a task.

  2. Select Yara scan.
    You can also open the tasks panel through Agent logs by selecting a log and clicking on Tasks > Create a Yara scan task.

  3. Tick all the agents on which you wish to run the Yara scan. If required, use the filters to display only those agents meeting certain criteria, then click Next.

  4. Give your task a Name.

  5. Click on Add scanunits and select the scan units you wish to include in your Yara scan, then click on Validate.

    Click on Next.

  6. Click on Log settings to determine the severity and destination of the SES Evolution logs generated during the Yara scan.

  7. In File scan parameters, select Default scan to run a recursive scan on the folder\\.\EsaRoots\SystemDrive and exclude the folders \\.\EsaRoots\SystemRoot, \\.\EsaRoots\ProgramFiles and \\.\EsaRoots\ProgramFilesX86. Otherwise, select Custom scan:
    • Analyze the image file of running processes: checks whether the .exe file in the processes contains the Yara pattern you are looking for. This option also allows you to shut down any malicious processes identified on agents during the Yara scan, and/or exclude from the scan any processes run by Windows administrator and/or system accounts.
    • File extensions: Restricts scans to the indicated extensions.
    • Included files and folders: runs the scan on indicated files and folders with or without recursion.
    • Excluded files and folders: excludes from the scan indicated files and folders with or without recursion. Click on the + icon to add another path.
  8. In the Process scan parameters, select Default scan to run a memory scan of all the processes being executed on the workstation, otherwise, select Custom scan:
    • Shut down the process detected: Stops dangerous processes identified during the Yara scan.
    • Exclude processes run by: Excludes from the analysis the processes that were run with the indicated integrity levels (administrator and/or system).
    • Directory of excluded processes: Excludes from the analysis the processes for which the executable files are located in the indicated folders. Click on the + icon to add another path.
      You can also export scan settings in JSON format and import them again for other tasks.

  9. Click on Next.

  10. Click on Run task.
    The task will appear in the main task panel.
  11. Right-click on each task to perform the following operations:
    • Browse to the agent logs corresponding to this task,
    • Remove the task from the list,
    • Cancel the task currently being run on agents,
    • Run the task again by changing some settings.

      You can also Delete completed tasks from the tasks panel.

  12. Click on the arrow to the left of the task to show details about the analysis units that the task contains.
    Click on Clear selection to cancel a running analysis unit.