Creating scheduled Yara scans
Scheduled scans make it possible to automatically run Yara scans on user workstations at regular intervals. For further information, refer to the section Running Yara scans.
To schedule scans, you must first create analysis units. For more information, refer to the section Creating Yara analysis units.
- In the Scheduled tasks tab of the selected agent group, go to the section Scheduled scans and click on Schedule a scan > Schedule a Yara scan.
- Enter a name for the scan in the Schedule a scan window.
-
Click on Add analysis units and select the analysis units that you want to include in your Yara scan. Click on Next.
-
Click on Log settings to determine the severity and destination of the SES Evolution logs generated during the Yara scan.
- In File scan parameters, select Default scan to run a recursive scan on the folder\\.\EsaRoots\SystemDrive and exclude the folders \\.\EsaRoots\SystemRoot, \\.\EsaRoots\ProgramFiles and \\.\EsaRoots\ProgramFilesX86. Otherwise, select Custom scan:
- Analyze the image file of running processes: checks whether the .exe file in the processes contains the Yara pattern you are looking for. This option also allows you to shut down any malicious processes identified on agents during the Yara scan, and/or exclude from the scan any processes run by Windows administrator and/or system accounts.
- File extensions: Restricts scans to the indicated extensions.
- Included files and folders: runs the scan on indicated files and folders with or without recursion.
- Excluded files and folders: excludes from the scan indicated files and folders with or without recursion. Click on the + icon to add another path.
- In the Process scan parameters, select Default scan to run a memory scan of all the processes being executed on the workstation, otherwise, select Custom scan:
- Shut down the process detected: Stops dangerous processes identified during the Yara scan.
- Exclude processes run by: Excludes from the analysis the processes that were run with the indicated integrity levels (administrator and/or system).
- Directory of excluded processes: Excludes from the analysis the processes for which the executable files are located in the indicated folders. Click on the + icon to add another path.
You can also export scan settings in JSON format and import them again for other tasks.
- Fill in the information about the scheduled scan:
- Period for which the scheduled scan will be active,
- Frequency with which the scheduled scan will be run,
- Time at which the scan starts. If the agent is not running at the indicated time, the scan will be launched as soon as the agent is restarted.
- You can import all the settings of a scheduled scan that was exported earlier in JSON format.
- Click on OK.
-
To deploy the scheduled scan on all agents in the group so that they apply it, go to the Security > Deployment menu and click on Deploy.
- Read the agent's logs to ensure that the scans were run. You can also refer to the section on Looking up Yara scan usage.