Configure YARA
YARA helps analysts identify and classify malware in a simple and effective manner. YARA is disabled by default; administrators can configure and enable it. You must provide the YARA rule files and specify the path of the directory where they are stored. Ensure that the Endpoint server and the YARA rules directory are on the same appliance.
Note: The YARA rules directory must have its permissions set for the 'netwitness' user.
Note: For new installations, YARA is included as part of the orchestration. If you are upgrading to NetWitness Platform 11.6 or later, YARA is included automatically. In case of an upgrade, deploy the following YARA App rules from Live:
- Yara Rule Matched
- Process with Matched Yara Rule
IMPORTANT: Ensure that YARA is configured and that the YARA RULES PATH is the same across all the Endpoint servers.
To change the configuration for YARA:
- Go to (Admin) > Services.
- In the Services view, select the Endpoint Server service.
- Click and select View > Config.
- Click the 3rd Party Scan tab.
- Select Enable YARA Scan.
- In YARA RULES PATH, specify the directory path where the YARA rule files are stored.
- Click Save.
Note: You can add any number of YARA rule files in this directory. Each rule file can have more than one rule. All downloaded files are scanned by all the YARA rule files.
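Before enabling the scan, an administrator will want to confirm the two requirements above: that the rules directory belongs to the 'netwitness' user and that the rule files in it actually compile. The following pre-flight check is an added example, not NetWitness code; the `.yar`/`.yara` extensions and the optional yara-python compile step are assumptions of this example, not requirements stated in the documentation.

```python
"""Pre-flight check for a NetWitness Endpoint YARA rules directory.

Added example (not NetWitness code). Per the page, the directory lives on the
Endpoint server appliance, its permissions belong to the 'netwitness' user, and
each rule file may hold several rules. The rule-file extensions and the
yara-python compile step are assumptions of this example.
"""
from pathlib import Path

RULE_SUFFIXES = {".yar", ".yara"}   # assumed naming convention
EXPECTED_OWNER = "netwitness"       # owner named in the documentation note

try:
    import yara  # optional: yara-python, used only to surface syntax errors early
except ImportError:
    yara = None


def find_rule_files(rules_dir):
    """Return the rule files in the directory, sorted for a stable report."""
    return sorted(p for p in Path(rules_dir).iterdir()
                  if p.is_file() and p.suffix.lower() in RULE_SUFFIXES)


def check_owner(path, expected=EXPECTED_OWNER):
    """True when the filesystem owner of `path` is the expected user."""
    return Path(path).owner() == expected


def compile_report(rule_files):
    """Map each file name to None (compiles cleanly) or the compile error text.
    Without yara-python every file is reported as not checked."""
    report = {}
    for f in rule_files:
        if yara is None:
            report[f.name] = "not checked (yara-python unavailable)"
            continue
        try:
            yara.compile(filepath=str(f))  # a file may contain many rules
            report[f.name] = None
        except yara.Error as exc:
            report[f.name] = str(exc)
    return report


def preflight(rules_dir, expected_owner=EXPECTED_OWNER):
    """Collect what to confirm before selecting Enable YARA Scan."""
    files = find_rule_files(rules_dir)
    return {
        "owner_ok": check_owner(rules_dir, expected_owner),
        "rule_files": [f.name for f in files],
        "compile": compile_report(files),
    }
```

Run `preflight("/path/to/rules")` on the Endpoint server; an empty `rule_files` list or a non-None compile entry means the directory is not yet ready to be entered as the YARA RULES PATH.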