Configure YARA

YARA helps analysts identify and classify malware in a simple and effective manner. YARA is disabled by default; administrators can configure and enable it. You must provide YARA rule files and specify the path where these rule files are stored. Ensure that the Endpoint server and the YARA rules directory are on the same appliance.

Note: The YARA rules directory should be accessible to 'netwitness'; set its permissions accordingly.

Note: For new installations, YARA is included as part of the orchestration. If you are upgrading to NetWitness Platform 11.6 or later, YARA is included automatically. In case of an upgrade, deploy the following Yara App rules from Live:

  • Yara Rule Matched
  • Process with Matched Yara Rule

IMPORTANT: Ensure that YARA is configured and that YARA RULES PATH is the same across all the Endpoint servers.

To change the configuration for YARA:

  1. Go to Admin > Services.
  2. In the Services view, select the Endpoint Server service.
  3. Click the Actions icon and select View > Config.
  4. Click the 3rd Party Scan tab.
  5. Select Enable YARA Scan.
  6. In YARA RULES PATH, specify the directory path where the YARA rule files are stored.

     Note: You can add any number of YARA rule files in this directory. Each rule file can have more than one rule. All downloaded files are scanned by all the YARA rule files.

  7. Click Save Configure.
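Before entering a directory as YARA RULES PATH, it is worth checking that every rule file in it is readable by 'netwitness', that each file actually declares rules, and that the same rule set is present on every Endpoint server. The following pre-flight check is an added example, not NetWitness code; it assumes only the rules directory path and the user name, counts rule declarations with a regex heuristic rather than compiling them with YARA, and `demo()` runs it against a constructed sample file as the current user (on the appliance you would call `check_rules_dir("/your/rules/dir", "netwitness")`).

```python
import hashlib
import os
import pwd
import re
import stat
import tempfile

# One YARA rule declaration per match; "rule" may follow the private/global modifiers.
RULE_DECL = re.compile(r"^\s*(?:(?:private|global)\s+)*rule\s+([A-Za-z_]\w*)", re.M)

# Constructed sample rule file (two rules in one file); not a real detection.
SAMPLE_RULES = b"""rule Smoke_Test_String { strings: $s = "yara rules path smoke test" condition: $s }
private rule Has_MZ_Header { condition: uint16(0) == 0x5A4D }
"""

def user_can_read(path, user):
    # Approximate read access for `user` from the owner/group/other mode bits.
    st, pw = os.stat(path), pwd.getpwnam(user)
    if st.st_uid == pw.pw_uid:
        return bool(st.st_mode & stat.S_IRUSR)
    if st.st_gid == pw.pw_gid:  # primary group only; supplementary groups are ignored
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)

def check_rules_dir(rules_dir, user="netwitness"):
    """Return (problems, rules_per_file, digest); an empty problems list means the
    directory is ready, and the digest lets you compare rule sets across servers."""
    problems, counts, h = [], {}, hashlib.sha256()
    if not user_can_read(rules_dir, user):
        problems.append(f"{rules_dir} is not readable by '{user}'")
    for name in sorted(os.listdir(rules_dir)):  # sorted so the digest is stable
        path = os.path.join(rules_dir, name)
        if not os.path.isfile(path):
            continue
        if not user_can_read(path, user):
            problems.append(f"{path} is not readable by '{user}'")
        with open(path, "rb") as f:
            data = f.read()
        counts[name] = len(RULE_DECL.findall(data.decode("utf-8", "replace")))
        if counts[name] == 0:
            problems.append(f"{path} contains no rule declarations")
        h.update(name.encode() + b"\0" + data + b"\0")
    if not counts:
        problems.append(f"{rules_dir} contains no rule files")
    return problems, counts, h.hexdigest()

def demo(user=pwd.getpwuid(os.getuid()).pw_name):
    # Write the constructed sample into a temp directory and check it as the current user.
    rules_dir = tempfile.mkdtemp()
    with open(os.path.join(rules_dir, "sample.yar"), "wb") as f:
        f.write(SAMPLE_RULES)
    return check_rules_dir(rules_dir, user)
```

Run `check_rules_dir` on each Endpoint server and compare the digests; a mismatch means the rule sets differ even if the path is identical.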