Administration Guide

YARA Rules

YARA is a pattern matching engine for malware detection. The YARA Rules page allows you to upload your own YARA rules. The rules must be compatible with the YARA 3.x schema and be stored in ASCII text files.

The following options are available:

Import

Select to import a YARA rule file. You can apply one YARA rule to multiple file types.

Edit

Select to edit a YARA rule file. You can apply one YARA rule to multiple file types.

Delete

Select to delete a YARA rule file.

Change Status

Select to change the status (Active or Inactive) of a YARA rule.

Export

Select to export a YARA rule file.

The following information is displayed:

Name

The name of the YARA rule set.

File Type

The file types the YARA rule is applied to.

Modify Time

The date and time the YARA rule set was last modified.

Size

The size of the YARA rule file.

Sha256

The Sha256 checksum of the YARA rule file.

Status

The current status (Active or Inactive) of the YARA rule set.

To upload YARA Rule File:
  1. Go to Scan Policy > YARA Rules.
  2. Select Import.
  3. Configure the following settings:

    YARA Rule Name

    Enter a name for the YARA rule set.

    Default Description

    Enter a description of the YARA rule set.

    Rules Risk Level

    Select a rule risk level from 1 to 10.

    • 0-1: Clean
    • 2-4: Low Risk
    • 5-7: Medium Risk
    • 8-10: High Risk

    All the YARA rules inside the YARA rule file will share the same risk level.

    File Type

    Select file types to scan against uploaded YARA rules. One YARA rule file can be applied to multiple file types.

    YARA Rule File

    Choose a text file containing YARA rules.

  4. Select OK to import rules.
  5. After a YARA Rule file is imported, you can select the Activate/Deactivate icon to enable/disable the YARA rule set.

If a file hits multiple rules, a more complex algorithm is used to calculate the file's final rating. For example, if a file hits more than one Low Risk YARA rule, the file's verdict can be higher than Low Risk.
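Before importing a rule file through the page above, it is worth checking locally that it meets the two requirements stated on this page (ASCII text, YARA 3.x-style rules), recording its SHA-256 so it can be compared with the Sha256 value the page displays after import, and confirming which verdict bucket the chosen Rules Risk Level maps to, since every rule in the file shares that level. The following Python script is an added example and is not Fortinet code; the sample rule file, the `check_rule_file` helper and the `RuleFileReport` structure are constructed for illustration, and the rule-name and brace checks are lightweight heuristics rather than a full YARA compiler.

```python
"""Pre-upload checks for a YARA rule file destined for the YARA Rules page.

Added example, not Fortinet code. It verifies the file is ASCII text,
extracts the rule names that will share one risk level, computes the
SHA-256 that the page displays after import, and maps the selected
Rules Risk Level to the documented verdict bucket.
"""
import hashlib
import re
from dataclasses import dataclass, field

# Constructed sample rule file in YARA 3.x syntax, embedded so the script runs offline.
SAMPLE_RULES = b"""\
rule suspicious_macro_keyword
{
    meta:
        description = "Document containing a common auto-run macro name"
    strings:
        $a = "AutoOpen" ascii nocase
        $b = "Document_Open" ascii nocase
    condition:
        any of them
}

rule packed_pe_section_name
{
    strings:
        $upx = "UPX0"
    condition:
        uint16(0) == 0x5A4D and $upx
}
"""

# Rules Risk Level ranges exactly as documented on the page.
RISK_BUCKETS = (
    (0, 1, "Clean"),
    (2, 4, "Low Risk"),
    (5, 7, "Medium Risk"),
    (8, 10, "High Risk"),
)

# Matches "rule <name>" declarations, including optional private/global modifiers.
_RULE_NAME = re.compile(
    rb"^\s*(?:private\s+|global\s+)*rule\s+([A-Za-z_][A-Za-z0-9_]*)", re.MULTILINE
)


@dataclass
class RuleFileReport:
    """Hypothetical report structure; not part of the product."""
    is_ascii: bool
    sha256: str
    verdict: str = ""
    rule_names: list = field(default_factory=list)
    problems: list = field(default_factory=list)


def risk_bucket(level: int) -> str:
    """Map a Rules Risk Level (0-10) to the verdict bucket documented on the page."""
    for lo, hi, name in RISK_BUCKETS:
        if lo <= level <= hi:
            return name
    raise ValueError(f"risk level {level} is outside 0-10")


def check_rule_file(data: bytes, risk_level: int) -> RuleFileReport:
    """Run the pre-upload checks and collect any problems found."""
    report = RuleFileReport(
        is_ascii=data.isascii(),
        sha256=hashlib.sha256(data).hexdigest(),  # compare with the Sha256 column after import
    )
    if not report.is_ascii:
        report.problems.append("file contains non-ASCII bytes; the page requires ASCII text")
    report.rule_names = [m.group(1).decode() for m in _RULE_NAME.finditer(data)]
    if not report.rule_names:
        report.problems.append("no 'rule <name>' declarations found")
    for name in sorted({n for n in report.rule_names if report.rule_names.count(n) > 1}):
        report.problems.append(f"duplicate rule name {name!r}; YARA rejects duplicates in one file")
    # Heuristic only: braces inside string literals would skew this count.
    if data.count(b"{") != data.count(b"}"):
        report.problems.append("unbalanced braces; the rule file will not compile")
    try:
        report.verdict = risk_bucket(risk_level)
    except ValueError as exc:
        report.problems.append(str(exc))
    return report


if __name__ == "__main__":
    rep = check_rule_file(SAMPLE_RULES, 6)
    print(f"ascii={rep.is_ascii} sha256={rep.sha256}")
    print(f"rules sharing verdict '{rep.verdict}': {rep.rule_names}")
    print("problems:", rep.problems or "none")
```

Run it against the real rule file you intend to import (read it as bytes in place of `SAMPLE_RULES`); an empty `problems` list plus a SHA-256 that matches the page's Sha256 column after import confirms the file on the appliance is the one you reviewed.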

To edit a YARA Rule set:
  1. Go to Scan Policy > YARA Rules.
  2. Select a YARA Rule.
  3. Click the Edit button from the toolbar.
  4. Configure the following options:

    ID

    YARA ID number. You cannot edit this field.

    Yara Rule Name

    Enter a name for the YARA rule set.

    Default Description

    Enter a description of the YARA rule set.

    Rules Risk Level

    Select a rule risk level from 1 to 10.

    • 0-1: Clean
    • 2-4: Low Risk
    • 5-7: Medium Risk
    • 8-10: High Risk

    All the YARA rules inside the YARA rule file will share the same risk level.

    File Type

    Select file types to scan against uploaded YARA rules. One YARA rule file can be applied to multiple file types.

    YARA Rule File

    Choose a text file containing YARA rules.

  5. Click OK to apply changes.

To delete a YARA rule set:
  1. Go to Scan Policy > YARA Rules.
  2. Select a YARA Rule set.
  3. Click Delete from the toolbar.
  4. Click the Yes I'm sure button in the Are you sure? confirmation box.

To change the status of a YARA rule set:
  1. Go to Scan Policy > YARA Rules.
  2. Select a YARA Rule set.
  3. Click Change Status.

    The status of the selected YARA rule set switches to Active or Inactive, depending on its previous status.
