Running Yara scans

Yara is a tool that identifies and classifies malware through rules. A Yara rule describes textual or binary patterns, and a scan detects those patterns in files or in processes running on SES Evolution agents. In concrete terms, integrating Yara scans into SES Evolution makes it possible to name malware that SES Evolution has blocked, to find it on other workstations, and, where appropriate, to quarantine the file or terminate the process.

CAUTION
Even though SES Evolution is designed to limit their impact on workstations, Yara scans may still affect the performance of the scanned agents. The scan time depends on the number and nature of the rules, and on the number of files to scan. We recommend restricting each scan to targeted directories.
A scan can also increase processor usage, which may spin up the fans or drain the battery faster on a laptop.
For more information, refer to the section Choosing the priority of Yara and IoC analyses.

To run Yara scans in SES Evolution, you must first import the Yara rules into analysis units. Scans can then be run on agents in three different ways, as described in the scenario below.

EXAMPLE
A malicious file named Invoice.doc is emailed to all of your company's employees. Some of them download and open it. When the file is opened, it launches a process on the workstation that performs malicious operations. By running Yara scans, the security administrator can:
  • Determine whether the process blocked by the Protect-Office apps-Part 7 rule in the Protection baseline rule set is malicious. To do so, the administrator configures the rule so that it triggers a Yara scan whenever it is applied. See Triggering a Yara scan when logs are generated in a rule.
  • Detect and terminate the malicious process on agent groups that this policy does not protect. To do so, the administrator runs an on-demand scan on the relevant agent groups. See Running Yara scans on demand.
  • Check daily for the presence of Invoice.doc on workstations and receive an alert when it is found. To do so, the administrator configures a scheduled scan. See Scheduling Yara scans.
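To make the scenario concrete, the rule below is an added example of what would be imported into an analysis unit for this Invoice.doc case. It is constructed for this page and is not part of SES Evolution, its rule sets or the Stormshield documentation; the rule name, the macro and payload indicator strings, and the size limit are assumptions chosen to illustrate the two kinds of pattern the text mentions (a binary pattern, here the OLE2 file header, and textual patterns such as macro auto-run entry points).

```yara
rule Invoice_doc_malicious_macro
{
    meta:
        description = "Constructed example for the Invoice.doc scenario; indicators are hypothetical"
        author      = "added example, not an SES Evolution rule"
        severity    = "high"

    strings:
        // Binary pattern: OLE2 compound document header used by legacy .doc files
        $ole_magic = { D0 CF 11 E0 A1 B1 1A E1 }

        // Textual patterns: VBA entry points that run a macro as soon as the document opens.
        // 'wide' also catches the UTF-16 form, which matters when scanning process memory.
        $auto1 = "AutoOpen"      ascii wide nocase
        $auto2 = "Document_Open" ascii wide nocase

        // Textual patterns: primitives a macro typically uses to drop and launch a payload
        $shell = "WScript.Shell" ascii wide nocase
        $ps    = "powershell"    ascii wide nocase
        $url   = /https?:\/\/[a-z0-9.\-]+\/[a-z0-9_\-\/]+\.exe/ ascii nocase

    condition:
        // Header must be at offset 0, so the rule keys on content, not on the file name
        $ole_magic at 0
        and 1 of ($auto*)
        and 2 of ($shell, $ps, $url)
        and filesize < 2MB
}
```

Two practical points when writing rules for this scenario. First, the rule matches file content rather than the name Invoice.doc, so a renamed copy of the same attachment is still caught by the daily scheduled scan; if you only wanted to locate files by name, a file search would be cheaper than a Yara scan. Second, VBA source inside a .doc is stored in a compressed stream, so plain-text indicators such as `AutoOpen` are not always visible in the raw file; the same strings are far more reliable when the scan targets the running process (the rule-triggered and on-demand cases above), where the decoded macro and its command lines sit in memory. Keeping to fixed strings and hex patterns, and limiting regular expressions such as `$url` to what you really need, also helps with the performance caution at the top of this page.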