Test a YARA rule before it is distributed. Doing so is strongly recommended to avoid unintended results once the rule is active on all endpoints.

Prerequisites

To get familiar with YARA rule parameters, see YARA Rule Parameters.

For a list of the YARA tags that have predefined meanings, see YARA Rule Tags.

To get familiar with YARA CBEP attributes, see YARA CBEP Attributes.

Add or edit your YARA rule by following the instructions in Add a YARA Rule or Edit a YARA Rule.

Procedure

  1. Restrict the rule to a small number of endpoints, possibly as few as one. When you add the rule, specify an OnlyIf macro in the Qualifiers field, such as <OnlyIf:HostId:784827> or <OnlyIf:HostName:machine name>. This limits the scope of the rule to those endpoints while you test it.
  2. Confirm that the new rule is on the agent. Run the dascli status command and look for the line "Yara Rule Version:". Compare that value with the version shown at the top right of the Computers page in the console, for example, Current Yara rule version: 32. If the two values match, the agent has received the current rule set.
  3. Confirm that the rule is active on the agent.
    • Use the following command to dump all the rules in the Classification namespace. <file> is the path to which the rules are written.
      dascli yaranamespace Classification query <file>
    • Use the following command to dump all the rules in the IsInteresting namespace. <file> is the path to which the rules are written.
      dascli yaranamespace IsInteresting query <file>
  4. Test the rule. Copy files that are expected to match, and files that are expected not to match, to the endpoint running the agent. Wait for the analysis to complete, then issue a dascli find command to check which files the rule matched.
  5. Correct the rule if results are not as intended. Edit or delete the rule, as required.
  6. When you have determined the rule is ready for publication, edit it and remove the qualifier that restricted it to a small number of endpoints.
  7. Enable the rule and save it.
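Step 4 can be rehearsed locally before the rule reaches any agent. The following is an added example (not part of this documentation or the product's own tooling) that compiles a rule with the yara-python package, scans a constructed set of files that should and should not match, and reports false positives and false negatives; the rule text, the sample files and the function names are all constructed for illustration.

```python
from pathlib import Path
import tempfile

# Constructed rule for the example: an "MZ" header at offset 0 plus a marker string.
RULE_SOURCE = r'''
rule example_marker_doc
{
    strings:
        $a = "CONSTRUCTED_MARKER_A"
        $b = { 4D 5A }
    condition:
        $b at 0 and $a
}
'''

# Constructed samples: name -> (file contents, expected to match?)
SAMPLES = {
    "positive_01.bin": (b"MZ" + b"\x00" * 16 + b"CONSTRUCTED_MARKER_A", True),
    "negative_no_header.bin": (b"CONSTRUCTED_MARKER_A but no header", False),
    "negative_header_only.bin": (b"MZ" + b"\x90" * 32, False),
}

def scan_files(rule_source, paths):
    """Compile the rule and return the set of paths that matched.
    yara-python is imported here so compare() stays usable without it."""
    import yara
    rules = yara.compile(source=rule_source)
    return {p for p in paths if rules.match(str(p))}

def compare(expected, matched):
    """Return (false_positives, false_negatives) as sorted lists of names.
    expected maps name -> bool (should match); matched is the set of names that hit."""
    fps = sorted(n for n, want in expected.items() if n in matched and not want)
    fns = sorted(n for n, want in expected.items() if n not in matched and want)
    return fps, fns

def run_check(rule_source=RULE_SOURCE, samples=SAMPLES):
    """Write the samples to a temp dir, scan them, and compare with expectations."""
    with tempfile.TemporaryDirectory() as d:
        paths = {n: Path(d, n) for n in samples}
        for n, (data, _) in samples.items():
            paths[n].write_bytes(data)
        hits = scan_files(rule_source, paths.values())
        matched = {n for n, p in paths.items() if p in hits}
    return compare({n: want for n, (_, want) in samples.items()}, matched)

if __name__ == "__main__":
    fps, fns = run_check()
    print("false positives:", fps, "false negatives:", fns)
    raise SystemExit(1 if fps or fns else 0)
```

A non-zero exit means the rule needs correction (step 5) before the OnlyIf qualifier is removed.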

Results

After you have tested the rule and corrected any issues, verify that the final, unrestricted rule produces the results you intended.