How to register for Yara Rules

YARA is a tool for identifying and classifying malicious code by means of signatures. A signature is a text string or binary pattern contained in a file or process, and Genian Insights uses YARA to provide Threat Detection & Response for the patterns found in a malicious code sample. YARA works by writing Yara Rules that contain the pattern information you want to check for directly in a file or process, and then executing the Yara Rules check command on individual endpoints.

The steps for registering Yara Rules and executing the check command are as follows.

Add Yara Rules

  1. Go to Policy > Yara Rule Management > Yara Rules menu and click the Add button at the top.
  2. Fill in the name and rule as required and click the Save button.
  Item   Description
  Name   Enter a name for the Yara Rules policy. You can enter up to 128 characters.
  Rule   Create Yara Rules containing the pattern information you want to check in a file or process. You can enter up to 12000 characters.

The minimum required form of Yara Rules is as follows.

rule RuleName
{
    condition:
        Boolean VALUE
}
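A complete rule in the same form, added here as an example (it is not from the Genian Insights documentation; the rule name, strings and meta values are constructed), showing how a text string, a hex pattern with a wildcard byte and a regular expression are combined in the condition:

```yara
/*
  Constructed example rule, not from the Genian Insights documentation.
  Rule name, tag, meta values and all patterns are invented for illustration;
  replace them with the indicators taken from the sample you are analysing.
*/
rule Example_PS_Downloader : example
{
    meta:
        description = "Constructed example: PE that embeds a PowerShell download cradle"
        author      = "added example"

    strings:
        // Text patterns. 'ascii wide' matches both 8-bit and UTF-16LE encodings,
        // 'nocase' makes the match case-insensitive.
        $ps_cradle = "DownloadString(" ascii wide nocase
        $ps_hidden = "-WindowStyle Hidden" ascii wide nocase

        // Binary pattern: "PowerShell" + one wildcard byte (??) + ".exe"
        $hex_exe   = { 50 6F 77 65 72 53 68 65 6C 6C ?? 2E 65 78 65 }

        // Regular expression: an http(s) URL ending in an executable or script
        $url       = /https?:\/\/[a-z0-9.-]+\/[a-z0-9_\/.-]+\.(exe|dll|ps1)/ nocase

    condition:
        // MZ header at offset 0 (a PE file), a sane size, and at least two of
        // the indicators; '$ps_*' expands to every string whose name starts with ps_
        uint16(0) == 0x5A4D
        and filesize < 5MB
        and 2 of ($ps_*, $hex_exe, $url)
}
```

Compile the rule locally with the YARA command line (for example `yara -s example.yar <file or directory>`) before pasting it into the Rule field, so that syntax errors are caught before the policy is saved.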

Edit Yara Rules

  1. Go to the Policy > Yara Rule Management > Yara Rules menu and click the Yara Rules you want to edit.
  2. After modifying the Rule, click the Save button.

Delete Yara Rules

  1. Go to the Policy > Yara Rule Management > Yara Rules menu and select the checkbox of the Yara Rules you want to delete in the list. Click the Delete button once it becomes active.

Whether to use Yara Rules

  1. Go to the Policy > Yara Rule Management > Yara Rules menu and select the checkbox of the Yara Rules whose use status you want to change. Choose Enable or Disable in Select Actions. The change takes effect immediately.

Apply Yara Rules Policy

After creating Yara Rules, you need to run the check command on the individual endpoints.

  1. Go to the Analysis > Endpoints > Management menu and click the endpoint in the list on which you want to run the check command.
  2. On the endpoint detail screen, click Tasks > 'Check Yara Rules'. Choose either all Rules or selected Rules from the list. The example below describes how to apply selected Rules.
  3. When you choose selected Rules, a list of the policies created in Policy > Yara Rule Management that are enabled is displayed.
  4. Whether a Yara Rules check has been run on an endpoint is indicated in the Analysis > Endpoints > Management menu by the gear icon being shown in blue, as in the picture.
  5. In Analysis > Endpoints > Management, click the 'IP' to open the Log tab, where you can check the agent's threat detection and handling results and the Yara Rules related logs.
  6. Click 'Yara Rules detection list' in Analysis > Management to see which files were detected on the detail screen. Click the Threats Analysis button to the right of the list to open the details screen with the full information.
  7. To register a file detected by Yara Rules as a quarantined or threat file, select 'Response Method' under Management on the right.