YARA Rule

Use the YARA rule method to enumerate all running processes and scan their memory against a given set of YARA rules. The YARA rule method scans only processes that consume less than 512 MB of memory.

For details about YARA rules, see http://plusvic.github.io/yara/.

A YARA file contains rules that describe malware using textual or binary patterns. Endpoint Sensor uses YARA rules to monitor and investigate running processes on agents. With YARA, Endpoint Sensor can check the whole memory space of a process.

Verify that all YARA files to be uploaded use the following format:

rule ExampleRule
{
    strings:
        $my_test_string1 = "Behavior Inject DLL" wide
        $my_test_string2 = "Behavior Inject DLL"

    condition:
        $my_test_string1 or $my_test_string2
}
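The rule above declares the same text twice because the wide modifier makes a string match its UTF-16LE form, while a string with no modifier matches only ASCII; the following added Python example (not Endpoint Sensor or YARA code; the function names and sample buffers are assumptions) mimics those modifier semantics and evaluates ExampleRule over constructed memory buffers to show what each string catches.

```python
# Added illustration (not Endpoint Sensor or YARA code): a minimal matcher that
# applies the 'wide'/'ascii' string modifiers the way YARA does, run over
# constructed process-memory buffers, to show why ExampleRule declares the same
# text twice. Real scanning should use YARA itself (e.g. the yara-python module).

def string_patterns(text, modifiers=()):
    """Byte patterns a YARA string searches for under its modifiers:
    no modifier -> ASCII only; 'wide' -> UTF-16LE only; 'wide ascii' -> both."""
    mods = set(modifiers)
    patterns = []
    if "ascii" in mods or "wide" not in mods:
        patterns.append(text.encode("ascii"))
    if "wide" in mods:
        patterns.append(text.encode("utf-16-le"))
    return patterns

def scan_buffer(memory, rule_strings):
    """Return {string id: sorted match offsets} for every string in the rule."""
    hits = {}
    for ident, (text, mods) in rule_strings.items():
        offsets = []
        for pat in string_patterns(text, mods):
            start = memory.find(pat)
            while start != -1:
                offsets.append(start)
                start = memory.find(pat, start + 1)
        hits[ident] = sorted(offsets)
    return hits

# The two strings of ExampleRule from the page, as (text, modifiers).
EXAMPLE_RULE = {
    "$my_test_string1": ("Behavior Inject DLL", ("wide",)),
    "$my_test_string2": ("Behavior Inject DLL", ()),
}

def example_rule_matches(memory):
    """Evaluate ExampleRule's condition: $my_test_string1 or $my_test_string2."""
    hits = scan_buffer(memory, EXAMPLE_RULE)
    return bool(hits["$my_test_string1"] or hits["$my_test_string2"])

# Constructed sample buffers standing in for a scanned region of process memory.
# Windows code often keeps such text as UTF-16LE, which an ASCII-only string misses.
MEM_WIDE = b"\x00" * 8 + "Behavior Inject DLL".encode("utf-16-le") + b"\x00" * 8
MEM_ASCII = b"MZ\x90\x00" + b"Behavior Inject DLL" + b"\x00" * 4
MEM_CLEAN = b"Behavior Inject DLX" + "Inject DLL".encode("utf-16-le")

if __name__ == "__main__":
    for name, mem in [("wide", MEM_WIDE), ("ascii", MEM_ASCII), ("clean", MEM_CLEAN)]:
        print(name, scan_buffer(mem, EXAMPLE_RULE), "->", example_rule_matches(mem))
```

Running it shows that MEM_WIDE is caught only by $my_test_string1 and MEM_ASCII only by $my_test_string2, so dropping either declaration would leave one encoding unscanned.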

Use the YARA tool available in the <Trend Micro Endpoint Sensor server installation path>\CmdTool\YARA\ folder to troubleshoot invalid YARA rules.

For details, see Troubleshooting Invalid YARA Rules.

Note:
  • The maximum file size for a YARA file is 1024 KB.

  • Endpoint Sensor can store a total of 10 YARA files. Once this limit is reached, older YARA files are removed when new ones are uploaded.

  • Once uploaded, the YARA file is available for all future investigations. Ensure that a YARA file is selected before you start the investigation.