An administrator uploads custom YARA content to the RSA NetWitness Platform per the instructions in the documentation. Later they want to change or delete it, but the only options in the user interface are to enable or disable it. The custom YARA files will have different names, reflecting the names given during upload.
Can anything be done?
The answer is yes. The steps below explain how to manage custom YARA content from the command line.
Connect to the malware appliance via SSH and change to the YARA directory.
[root@malwareserver yara]# cd /var/netwitness/malware-analytics-server/spectrum/yara
Find the custom files you want to delete.
Rules are merged into a single file. It is unknown whether that file can be modified to remove a single rule.
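To help with the "find the custom files" step, the following added example (not part of the original article or of the product) lists which rule names each file in the YARA directory declares and how many rules each file holds, so the merged file and the uploaded files can be told apart before anything is removed. The function names are hypothetical, and it assumes the directory contains plain-text YARA source files.

```shell
#!/bin/sh
# Added example (not vendor code). Assumes the directory holds plain-text YARA source files.
# Default directory is the one given on this page; override with YARA_DIR or an argument.
YARA_DIR="${YARA_DIR:-/var/netwitness/malware-analytics-server/spectrum/yara}"

# Print "<file><TAB><rule name>" for each rule declared in the regular files of a directory.
# Matches "rule Name" with optional "private"/"global" modifiers at the start of a line,
# so rule names mentioned after "//" on a comment line are not reported.
list_yara_rules() {
    dir="${1:-$YARA_DIR}"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        sed -n -E 's/^[[:space:]]*((private|global)[[:space:]]+)*rule[[:space:]]+([A-Za-z_][A-Za-z0-9_]*).*/\3/p' "$f" |
        while IFS= read -r name; do
            printf '%s\t%s\n' "$(basename "$f")" "$name"
        done
    done
}

# Print "<rule count><TAB><file>" sorted by file name; a count above 1 marks a merged file.
count_rules_per_file() {
    list_yara_rules "$1" |
    awk -F'\t' '{ n[$1]++ } END { for (f in n) printf "%d\t%s\n", n[f], f }' |
    sort -t "$(printf '\t')" -k2
}

# Print the file(s) that declare the rule named in $2.
files_declaring_rule() {
    list_yara_rules "$1" | awk -F'\t' -v r="$2" '$2 == r { print $1 }'
}

# When run with a directory argument, print the per-file rule counts.
if [ "$#" -gt 0 ]; then
    count_rules_per_file "$1"
fi
```

Copying a file to a location outside the YARA directory before deleting it keeps a way back if the wrong file is removed.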