Running Yara scans

Yara is a tool that helps to identify and classify malware through rules. By using Yara rules, you can detect textual or binary patterns in files or processes being run on SES Evolution agents. This means that Yara scans integrated into SES Evolution make it possible to name any malware that SES Evolution blocks, identify it on other workstations and end the identified process if necessary.

Even though SES Evolution has been designed to limit their impact on workstations, Yara scans may still affect the performance of scanned agents. The impact of such scans depends on the number of rules and what they do. For more information, refer to the section Choosing the priority of Yara and IoC analyses.

To run Yara scans in SES Evolution, you must first import these rules into analysis units. The scan can then be run on agents in three different ways, as described in the scenario below.

A dangerous file, Invoice.doc, is sent in an e-mail to all the employees in your organization. Some of them download and open it. When the file is opened, it runs a process on the workstation that performs malicious operations. By running Yara scans, the security administrator can:
  • Determine whether the process blocked by the Protect-Office apps-Part 7 rule in the Protection baseline rule set is malicious. To do so, the administrator configures the rule so that when it is applied, it triggers a Yara scan. See Triggering a Yara scan when logs are generated in a rule.
  • Detect and shut down the malicious process on agent groups that are not protected by this policy. To do so, the administrator runs a scan on demand on the relevant agent groups. See Running Yara scans on demand.
  • Check daily for the presence of the Invoice.doc file on workstations in order to receive alerts. To do so, the administrator must configure a scheduled scan. See Scheduling Yara scans.