You can specify parameters for YARA rules that determine how each rule is applied to files.

Table 1. YARA Rule Parameters

Field

Description

Rule Name

(Name in the table)

Name by which this rule is listed in the YARA Rules table. (Required)

Namespace

How you want to define the namespace for the YARA rule.

The menu choices are:
  • Classification – Choose this value, for example, when you want to tag a file based on the content and create a custom rule based on the tag to determine the action to be taken when the tag is found on a file. For example, you might use this value when you want to define a YARA rule for script interpreter recognition.
  • IsInteresting – Choose this value to specify that the rule is used for IsInteresting detection. Files flagged as IsInteresting are automatically tracked, and you do not necessarily need to create a custom rule. For example, you might use this value when you want to track a script that the Agent currently ignores. If a file is not deemed interesting, it is not tracked.

Description

Additional information about the rule. (Optional)

This can be any text you choose to enter.

Qualifiers

Macro to be used to qualify the YARA rule. (Optional)

Only the OnlyIf macros are supported.

For example, for test purposes, you might want to specify a macro so the rule is enabled on one agent only. Or, for a rule that identifies installers in trusted directories, you could specify a macro that enables the rule only if a trusted directory is on the agent.

For information on using macros, see Using Macros in Rules.

Status

Radio buttons that make this rule Enabled or Disabled. (Required)

For example, you could create a rule that is used only at certain times or temporarily disable a rule without losing its definition.

The default setting for a new YARA rule is Disabled.

Rule

Script of the YARA rule, which includes the tags that will be assigned to files.

You can use pre-defined tags, which reduces the need to create custom rules. For example, the malicious and Approve tags ban or approve a file for use, respectively. The console contains a sample rule for malicious which, if enabled, looks for the tag and bans the file. Conversely, if a file is tagged as approved, it is allowed to run on the endpoint.

Note: For the agent to apply any tags set by one or more rules where the namespace is specified as IsInteresting, the final tag applied to a file must be filetype. The agent will only treat a file as interesting if either the executable tag or the script tag was applied before the filetype tag. The archive tag and the installer tag can also be used, although they do not determine the interesting status.

archive means the file contains other files that can be extracted by the crawler, for example, when processed in a trusted directory. A self-extracting ZIP file, for instance, would be both an archive and an executable. installer means the file writes executable files or scripts that should themselves be approved. For example, the Notepad++ installer npp.8.4.5.Installer.x64.exe is both an executable and an installer.

For a list of the YARA tags that have predefined meanings, see YARA Rule Tags.
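As an added example, not part of this documentation or the product, here is a small Python linter that pulls the tag list out of YARA rule headers and checks the ordering stated in the note above for IsInteresting rules (filetype last; executable or script somewhere before it). It assumes standard YARA header syntax (`rule name : tag1 tag2 {`), and the sample rules are constructed.

```python
import re

# Standard YARA header: "rule <name> : <tag> <tag> ... {" (tags optional).
HEADER_RE = re.compile(r"^\s*rule\s+(\w+)\s*(?::\s*([\w\s]+?))?\s*\{", re.MULTILINE)

# Per the note: only executable or script make a file interesting;
# archive and installer are allowed but do not affect interesting status.
INTERESTING_MARKERS = {"executable", "script"}


def parse_rule_tags(rule_text):
    """Return {rule_name: [tags in order]} for every rule header found."""
    rules = {}
    for m in HEADER_RE.finditer(rule_text):
        name, tags = m.group(1), m.group(2)
        rules[name] = tags.split() if tags else []
    return rules


def check_isinteresting_tags(tags):
    """Return a list of problems; an empty list means the order is valid."""
    problems = []
    if not tags or tags[-1] != "filetype":
        problems.append("final tag must be 'filetype'")
    # Only tags applied before filetype count toward interesting status.
    cutoff = tags.index("filetype") if "filetype" in tags else len(tags)
    if not INTERESTING_MARKERS & set(tags[:cutoff]):
        problems.append("'executable' or 'script' must precede 'filetype'")
    return problems


def lint(rule_text):
    """Map each rule name in the text to its list of problems."""
    return {name: check_isinteresting_tags(tags)
            for name, tags in parse_rule_tags(rule_text).items()}


# Constructed sample rules (hypothetical, for illustration only).
SAMPLE_RULES = """
rule powershell_script : script filetype
{
    strings:
        $a = "Invoke-Expression" nocase
    condition:
        $a
}

rule broken_order : filetype archive
{
    condition:
        true
}
"""
```

Running `lint(SAMPLE_RULES)` reports no problems for the first rule and two for the second, since filetype is not last and nothing before it marks the file as interesting.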

Rescan known files

Time period when you want known files to be rescanned. (Optional)

For a YARA rule with the Namespace set to Classification, you can specify if you want to rescan known files. If you select this option, you can choose if the rescan is done immediately or schedule it to begin later.

To help reduce performance impact, if you schedule the rescan to begin later rather than immediately, the scanning of agents will begin randomly within the time period selected. This is useful, for example, if your environment has a large number of agents.

Alternatively, you might not want to rescan known files, for example, if your environment is in a good state or a subset of it is in low enforcement and you want to create a YARA rule to scan new or updated files for malicious content.

Full scan for new files

Time period when you want a full system scan to be performed. (Optional)

For a YARA rule with the Namespace set to IsInteresting, you can specify if a full system scan is performed. If you select this option, you can choose if the scan is done immediately or schedule it to begin later.

To help reduce performance impact, if you schedule the scan to begin later rather than immediately, the scanning of agents will begin randomly within the time period selected. This is useful, for example, if your environment has a large number of agents.

Detected Tags

Tags found in the YARA rule script you specified that already exist because they were predefined by VMware Carbon Black.

For a list of the YARA tags that have predefined meanings, see YARA Rule Tags.

Verify that you want to use these tags. If a tag already exists and you want to use a unique tag, update the tag in the rule script accordingly.

Alternatively, you might want to use a tag that already exists, such as the Approve tag, in which case you do not need to update the rule script. You might use this tag, for example, when you want to approve files that match the rule. When a file is tagged as approved, it is automatically allowed to run on the endpoint, so you do not need an additional custom rule to approve it.