Running Yara scans on demand

Unscheduled Yara scans can be run whenever needed. To do so, you must create a Yara task.

  1. Select the Tasks menu and click on Create a task.
    You can also open the tasks panel through Agent logs by selecting a log and clicking on Create a task.

  2. Give your task a name.

  3. Click on Add an analysis unit and select the analysis units that you want to include in your Yara scan.

  4. Click on Select agents and select all the agents on which you want to run the Yara scan, then click on OK. Use filters where necessary to display only agents that meet certain criteria.

  5. Click on Log settings to determine the severity and destination of the SES Evolution logs generated during the Yara scan.

  6. In File scan parameters, select Default scan to run a recursive scan on the folder \\.\EsaRoots\SystemDrive and exclude the folders \\.\EsaRoots\SystemRoot, \\.\EsaRoots\ProgramFiles and \\.\EsaRoots\ProgramFilesX86. Otherwise, select Custom scan:
    • Analyze the image file of running processes: checks whether the .exe file of each running process contains the Yara pattern you are looking for. This option also allows you to shut down any malicious processes identified on agents during the Yara scan, and/or exclude from the scan any processes run by Windows administrator and/or system accounts.
    • Included files and folders: runs the scan on the indicated files and folders, with or without recursion.
    • Excluded files and folders: excludes the indicated files and folders from the scan, with or without recursion. Click on the + icon to add another path.
  7. In Process scan parameters, select Default scan to run a memory scan of all the processes being executed on the workstation. Otherwise, select Custom scan:
    • Shut down the process detected: stops dangerous processes identified during the Yara scan.
    • Exclude processes run by: excludes from the analysis the processes that were run with the indicated integrity levels (administrator and/or system).
    • Directory of excluded processes: excludes from the analysis the processes whose executable files are located in the indicated folders. Click on the + icon to add another path.
      You can also export scan settings in JSON format and import them again for other tasks.
  8. Click on Run task.
    The task will appear in the main task panel.
  9. For each task, click on its icons to perform the following operations:
    • Displays the logs corresponding to this task in the agent logs panel.
    • Removes the task from the list.
    • Cancels the task currently being run on agents.

    You can also Delete completed tasks from the tasks panel.

  10. Click on the arrow to the left of the task to show details about the analysis units that the task contains.
    Click on Clear selection to cancel a running analysis unit.
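The file scan parameters in step 6 decide which files are actually examined, and the recursive/non-recursive flag on each path is the detail most often misconfigured. The following Python model is an added example, not SES Evolution code: it applies the Default scan's include and exclusion rules, and custom rules of the same shape, to a constructed sample drive, using a byte marker as a stand-in for a compiled Yara rule and assuming the EsaRoots aliases map to the conventional Windows, Program Files and Program Files (x86) folders.

```python
import os
import tempfile
from dataclasses import dataclass

# Constructed stand-in for a compiled Yara rule: a file "matches" if it contains this marker.
MARKER = b"SAMPLE_YARA_MARKER"

@dataclass
class PathRule:
    path: str        # folder to include in, or exclude from, the scan
    recursive: bool  # True: the folder and all its subfolders; False: that folder only

def covers(rule, file_path):
    """True if rule applies to file_path under the recursion semantics above."""
    folder = os.path.dirname(file_path)
    return folder == rule.path or (rule.recursive and folder.startswith(rule.path + os.sep))

def scan_files(included, excluded):
    """Walk included folders, skip files covered by an exclusion, return matching paths."""
    hits = []
    for inc in included:
        for dirpath, dirs, files in os.walk(inc.path):
            if not inc.recursive:
                dirs[:] = []  # do not descend into subfolders
            for name in files:
                f = os.path.join(dirpath, name)
                if any(covers(exc, f) for exc in excluded):
                    continue
                with open(f, "rb") as fh:
                    if MARKER in fh.read():
                        hits.append(os.path.relpath(f, inc.path))
    return sorted(hits)

def default_scan_params(system_drive):
    """Default scan: recursive over SystemDrive, excluding SystemRoot and both Program Files
    (assumption: the EsaRoots aliases resolve to these conventional folder names)."""
    skip = ["Windows", "Program Files", "Program Files (x86)"]
    return [PathRule(system_drive, True)], [PathRule(os.path.join(system_drive, d), True) for d in skip]

def build_sample_drive():
    """Constructed sample drive: marker files in excluded and non-excluded locations."""
    root = tempfile.mkdtemp()
    for rel in ["Windows/System32/a.dll", "Program Files/app/b.exe", "Program Files (x86)/app/c.exe",
                "Users/alice/d.exe", "Users/alice/sub/f.exe", "Temp/clean.txt"]:
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(b"clean" if rel.endswith("clean.txt") else b"header " + MARKER)
    return root
```

With the Default scan rules only the two files under Users/alice are reported; switching the Windows exclusion to non-recursive lets Windows\System32 back into the scan, which is the kind of gap to check before relying on a custom exclusion list.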