Kaspersky Anti Targeted Attack Platform

Managing user-defined YARA rules

You can use YARA rules as YARA module databases to scan files and objects received at the Central Node and to scan hosts that have Kaspersky Endpoint Agent for Windows installed.

In distributed solution and multitenancy mode, custom YARA rules can have one of the following types:

  • Global—Created on the PCN server. These rules are used to scan files and objects received at the PCN server and all SCN servers connected to that PCN server. Scanned files and objects belong to the tenant which the user is managing in the program web interface.
  • Local—Created on the SCN server. These rules are used to scan files and objects received at the SCN server. Scanned files and objects belong to the tenant which the user is managing in the program web interface.

Users with the Senior security officer role can import a YARA rule file into Kaspersky Anti Targeted Attack Platform through the program web interface.

Users with the Security auditor and Security officer roles can only view YARA rules.

In this section

Viewing the YARA rule table

Importing YARA rules

Configuring YARA rule table display

Viewing YARA rule details

Filtering and searching YARA rules

Clearing a YARA rule filter

Enabling and disabling YARA rules

Deleting YARA rules


Viewing the YARA rule table

The table of user-defined YARA rules contains information about the YARA rules that are used to scan events and create alerts. The table is displayed in the Custom rules section, YARA subsection of the program web interface window.

The table contains the following information:

  • Created is the rule creation time.
  • Importance is the alert importance for the Kaspersky Anti Targeted Attack Platform user, depending on the impact this alert may have on computer or corporate LAN security based on Kaspersky experience.

    By default, alerts generated by uploaded YARA rules are assigned a high level of importance.

  • Type is the type of the rule, depending on the operating mode of the program and the role of the server which generated the rule:
    • Global—Created on the PCN server. These rules are used to scan files and objects received at the PCN server and all SCN servers connected to that PCN server. Scanned files and objects belong to the tenant which the user is managing in the program web interface.
    • Local—Created on the SCN server. These rules are used to scan files and objects received at the SCN server. Scanned files and objects belong to the tenant which the user is managing in the program web interface.
  • Name is the name of the rule.
  • File name is the name of the file from which the rule was imported.
  • Created by is the name of the user whose account was used to import the rule.
  • Servers is the name of the server with the Central Node component on which the rule is applied.
  • Traffic scan is the usage status of the rule when stream scanning files and objects arriving at the Central Node:
    • Enabled: the rule is being used.
    • Disabled: the rule is not being used.


Importing YARA rules

To import YARA rules:

  1. In the window of the program web interface, select the Custom rules section, YARA subsection.
  2. Click Upload.

    This opens the file selection window.

  3. Select the YARA rules file that you want to upload and click the Open button.

    This closes the file selection window and opens the Import YARA rules window.

    The maximum allowed size of an uploaded file is 20 MB.

    A report is displayed in the lower part of the window. The report contains the following information:

    • The number of rules that can be successfully imported.
    • The number of rules that will not be imported (if any).

      For each rule that cannot be imported, its name is listed.

  4. Select the Traffic scan check box if you want to use imported rules for streaming scans of objects and data received at the Central Node.
  5. If necessary, enter any additional information in the Description field.

    The Importance field cannot be edited. By default, alerts generated by uploaded YARA rules are assigned a high level of importance.

  6. Under Apply to, select check boxes corresponding to servers on which you want to apply the rules.

    This field is displayed only when you are using the distributed solution and multitenancy mode.

  7. Click Save.

Imported rules are displayed in the table of YARA rules.


Configuring YARA rule table display

You can show or hide columns and change the order of columns in the table.

To configure the table display:

  1. In the window of the program web interface, select the Custom rules section, YARA subsection.

    This opens the YARA rule table.

  2. In the heading part of the table, click the table customization icon.

    This opens the Customize table window.

  3. If you want to show a column in the table, select the check box next to the name of the parameter that you want displayed in the table.

    If you want to hide a parameter in the table, clear the check box.

    At least one check box must be selected.

  4. If you want to change the order of columns in the table, move the mouse cursor to the row with the relevant parameter, click the column reordering icon and drag the row to its new place.
  5. If you want to restore default table display settings, click Default.
  6. Click Apply.

The table display is configured.


Viewing YARA rule details

To view YARA rule details:

  1. In the window of the program web interface, select the Custom rules section, YARA subsection.

    This opens the YARA rule table.

  2. Select the rule for which you want to view information.

This opens a window containing information about the rule.

The window contains the following information:

  • Click the Alerts link to display the alert table in a new browser tab. The alerts are filtered by the Targeted Attack Analyzer technology and the name of the TAA (IOA) rule that you are working on.
  • The Start YARA scan link opens the task creation window.
  • The Download link lets you download a file with YARA rules.
  • Rule name is the name of the rule specified in the file.
  • Traffic scan is the usage status of the rule when stream scanning files and objects arriving at the Central Node:
    • Enabled: the rule is being used.
    • Disabled: the rule is not being used.
  • Type is the type of the rule depending on the role of the server which generated it:
    • Global—Created on the PCN server. These rules are used to scan files and objects received at the PCN server and all SCN servers connected to that PCN server. Scanned files and objects belong to the tenant which the user is managing in the program web interface.
    • Local—Created on the SCN server. These rules are used to scan files and objects received at the SCN server. Scanned files and objects belong to the tenant which the user is managing in the program web interface.
  • Importance—Importance level that is assigned to an alert generated using this rule.

    By default, alerts generated by uploaded YARA rules are assigned a high level of importance.

  • Description is any additional information about the rule that you specified.
  • Apply to—Name of servers with the Central Node component on which the rule is applied.


Filtering and searching YARA rules

To filter or search for YARA rules by required criteria:

  1. In the window of the program web interface, select the Custom rules section, YARA subsection.

    This opens the YARA rule table.

  2. Depending on the filtering criterion, do the following:
    • By creation time
      1. Click the Created link to open the filter settings window.
      2. Select one of the following options:
        • Any time if you want the table to display rules created at any time.
        • Last hour if you want the table to display rules that were created during the last hour.
        • Last day if you want the table to display rules that were created during the last day.
        • Custom range if you want the table to display rules that were created during the specified period.
    • By rule name
      1. Click the Rule name link to open the filtering menu.
      2. In the drop-down list, select one of the following filtering operators:
        • Contains
        • Does not contain
      3. In the text box, type the name of the rule or a sequence of characters from the name of the rule.
      4. Click Apply.
    • By file name
      1. Click the File name link to open the filtering menu.
      2. In the drop-down list, select one of the following filtering operators:
        • Contains
        • Does not contain
      3. In the entry field, type the name of the file or a sequence of characters from the name of the file.
      4. Click Apply.
    • By the name of the user who uploaded the rules file
      1. Click the Created by link to open the filtering menu.
      2. In the drop-down list, select one of the following filtering operators:
        • Contains
        • Does not contain
      3. In the text box, type the user name or a sequence of characters from the user name.
      4. Click Apply.
    • By rule state
      1. Click the Traffic scan link to expand the filter settings list.
      2. Select one of the following options:
        • All
        • Enabled
        • Disabled

The table displays only rules that match the specified criteria.

You can use multiple filters at the same time.


Clearing a YARA rule filter

To clear the YARA rule filter for one or more filtering criteria:

  1. In the window of the program web interface, select the Custom rules section, YARA subsection.

    This opens the YARA rule table.

  2. Click the clear filter icon to the right of the heading of the column for which you want to clear the filtering criteria.

    To clear multiple filter conditions, clear each one individually.

The selected filters are cleared.

The table displays only rules that match the specified criteria.


Enabling and disabling YARA rules

Users with the Senior security officer role can enable or disable one or several rules, as well as all rules at once.

When working in distributed solution and multitenancy mode, you can enable or disable only those YARA rules that were created on the current server. This means that in the web interface of the PCN, you can enable or disable only the rules that were created on the PCN server, and in the web interface of an SCN, you can enable or disable only the rules that were created on the SCN server.

If YARA rules with identical names are enabled on the PCN and SCN servers, the PCN rule takes precedence over the SCN rule when scanning files and objects.
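As an added example that is not code from the Kaspersky documentation or from the product itself, the following Python script performs offline pre-upload checks on a YARA rules file. It covers two points made on this page: the import report that counts rules which can and cannot be imported together with the 20 MB size limit (Importing YARA rules), and the note above that a PCN rule takes precedence over an SCN rule of the same name. The YARA text is constructed sample input, the function names are the example's own, and the product's real import validation (which compiles the rules) is not reproduced; the script only extracts rule names, flags duplicate identifiers (a file with two rules of the same name does not compile in YARA), checks the size limit, and lists SCN rule names that a same-named PCN rule would shadow.

```python
"""Pre-upload checks for a user-defined YARA rules file.

Added example: none of this is Kaspersky Anti Targeted Attack Platform code
or API. It only approximates, offline, two things the product documents:
the 20 MB upload limit and per-name precedence of PCN rules over SCN rules.
"""
import re
import sys
from collections import Counter
from typing import List, Optional

# Documented maximum size of an uploaded YARA rules file (20 MB).
MAX_UPLOAD_BYTES = 20 * 1024 * 1024

# Header of a YARA rule: optional 'private'/'global' modifiers, 'rule', identifier.
RULE_HEADER = re.compile(
    r"^\s*(?:(?:private|global)\s+)*rule\s+([A-Za-z_][A-Za-z0-9_]*)", re.MULTILINE
)

# Matches a double-quoted string literal OR a comment. String literals are kept
# so that a "//" inside a string (for example a URL) is not taken for a comment.
_STRING_OR_COMMENT = re.compile(r'"(?:\\.|[^"\\])*"|/\*.*?\*/|//[^\n]*', re.DOTALL)


def strip_comments(text: str) -> str:
    """Remove // and /* */ comments while leaving string literals intact."""
    return _STRING_OR_COMMENT.sub(
        lambda m: m.group(0) if m.group(0).startswith('"') else "", text
    )


def rule_names(text: str) -> List[str]:
    """Return rule identifiers in file order (duplicates preserved)."""
    return RULE_HEADER.findall(strip_comments(text))


def duplicate_names(names: List[str]) -> List[str]:
    """Identifiers used more than once; YARA refuses to compile such a file."""
    return sorted(name for name, count in Counter(names).items() if count > 1)


def check_rules_file(text: str, size_bytes: Optional[int] = None) -> dict:
    """Summarise what an upload of this file would look like."""
    size = len(text.encode("utf-8")) if size_bytes is None else size_bytes
    names = rule_names(text)
    return {
        "rule_names": names,
        "duplicate_names": duplicate_names(names),
        "within_size_limit": size <= MAX_UPLOAD_BYTES,
        "size_bytes": size,
    }


def shadowed_by_pcn(pcn_enabled: List[str], scn_enabled: List[str]) -> List[str]:
    """SCN rule names over which a same-named enabled PCN rule takes precedence."""
    return sorted(set(pcn_enabled) & set(scn_enabled))


# Constructed sample input (not a real detection rule). The third rule reuses
# the first rule's name on purpose to exercise the duplicate check.
SAMPLE_RULES = """\
// constructed sample file
rule suspicious_macro
{
    meta:
        description = "constructed example, see https://example.invalid//docs"
    strings:
        $a = "AutoOpen" ascii nocase
    condition:
        $a
}

private rule mz_header {
    strings:
        $mz = { 4D 5A }
    condition:
        $mz at 0
}

rule suspicious_macro   // duplicate identifier
{
    condition:
        false
}
"""


def main(argv: List[str]) -> int:
    """Check the file named on the command line, or the embedded sample."""
    if len(argv) > 1:
        with open(argv[1], "rb") as fh:
            raw = fh.read()
        report = check_rules_file(raw.decode("utf-8", errors="replace"), len(raw))
    else:
        report = check_rules_file(SAMPLE_RULES)
    for key, value in report.items():
        print(f"{key}: {value}")
    # Non-zero exit when the file would be rejected or contains duplicate names.
    return 0 if report["within_size_limit"] and not report["duplicate_names"] else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python check_yara_upload.py rules.yar` before uploading; without an argument it checks the embedded sample and exits with status 1 because of the duplicated identifier. Pair `shadowed_by_pcn` with the rule names taken from the PCN and SCN rule tables to see which SCN rules will never fire while the same-named PCN rule is enabled.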

To enable or disable a YARA rule for stream scanning files and objects arriving at the Central Node:

  1. In the window of the program web interface, select the Custom rules section, YARA subsection.

    This opens the YARA rule table.

  2. In the row with the relevant rule, select or clear the check box in the Traffic scan column.

The rule is enabled or disabled for stream scanning files and objects arriving at the Central Node.

To enable or disable all or multiple YARA rules for stream scanning files and objects arriving at the Central Node:

  1. In the window of the program web interface, select the Custom rules section, YARA subsection.
  2. Select the check boxes on the left of the rules whose use you want to enable or disable.

    You can select all rules by selecting the check box in the row containing the headers of columns.

    A control panel appears in the lower part of the window.

  3. Click Enable or Disable to enable or disable all rules.

Selected rules are enabled or disabled for stream scanning files and objects arriving at the Central Node.


Deleting YARA rules

To delete a YARA rule:

  1. In the window of the program web interface, select the Custom rules section, YARA subsection.

    This opens the YARA rule table.

  2. Select the rule that you want to delete.

    This opens a window containing information about the rule.

  3. Click Delete.
  4. This opens the action confirmation window; in that window, click Yes.

The rule is deleted.

To delete all or multiple YARA rules:

  1. In the window of the program web interface, select the Custom rules section, YARA subsection.

    This opens the YARA rule table.

  2. Select the check boxes on the left of the rules that you want to delete.

    You can select all rules by selecting the check box in the row containing the headers of columns.

    A control panel appears in the lower part of the window.

  3. Click Delete.
  4. This opens the action confirmation window; in that window, click Yes.

The selected rules are deleted.

Users with the Security auditor and Security officer roles cannot delete YARA rules.
