• Have questions about this item?

  • Contact us

Description

The script is designed as an aid to scanning multiple files using one or more *.yar or *.yara files each containing one or more YARA rules.

YARA is a tool aimed at (but not limited to) helping malware researchers to identify and classify malware samples.

The script provides the option to scan selected items in the current user view (does not work with records), all and tagged items.

An internal condition can be used to further control processing. For example, it can be used to target *.exe and *.dll files.

In order to operate, the script uses the libyara.NET API, which in turn wraps the YARA C API.

This necessitates the use of several DLL files, which must be placed in the same folder as the script. If the script has been downloaded from the Internet, it's likely that these files will need to be unblocked using the Windows Explorer property dialog otherwise an error will occur when running the script.

Each file processed by the script is sent to the .NET API as a memory stream. The results are converted to JSON before being streamed back to the EnScript for interpretation and bookmarking.

Due to this mode of operation, the script will not attempt to process deleted files or those larger than 2GB in size.

Accordingly, the script is not suited to processing RAM dumps, pagefile.sys or hiberfil.sys.

The fast scanning option makes scanning a little faster by avoiding multiple matches of the same string when not necessary. Once a string has been found in a file it’s subsequently ignored, which will result in a single match for the string, even if it appears multiple times in the scanned data.

Output is by way of the console, bookmarks, and optionally, JSON files written to a nominated export folder.

It should be noted that data found as a result of string searching will be Base64 encoded in each JSON output file.

Last updated using EnCase 22.3.

This script was developed for use in EnCase training. For more details, please click the following link:

- OpenText EnCase Training

Releases

Release
Date
Yara Scanner 1.0.0
Jan 18, 2024
More info Less info
Details
Product compatibility
EnCase™ Endpoint Investigator
Version 22.3 · 22.4
Version 23.2 · 23.3 · 23.4
EnCase™ Forensic
Version 22.3 · 22.4
Version 23.2 · 23.3 · 23.4
Release notes

First release.

Languages
English

Unsubscribe from notifications

You are receiving release updates for this item because you have subscribed to the following products:
If you unsubscribe, you will no longer receive any notifications for these products.
Tip: to update your subscription preferences, go to Manage Subscriptions from your Dashboard, uncheck the products you no longer want to receive notifications for, and click 'Save'.
Unsubscribe Cancel

Marketplace Terms of Service

In order to continue, you must accept the updated Marketplace Terms of Service
Since you are downloading an app from the OpenText Marketplace, you need to accept the updated Marketplace Terms of Service before you can continue. Use the link to review the Marketplace Terms of Service. Once complete check the, "I accept the Marketplace Terms of Service" box below and click accept to continue your download.


Accept Cancel
Your download has begun...

Your download has begun

Related content and resources

Your browser is not supported!

Please upgrade to one of the following broswers: Internet Explorer 11 (or greater) or the latest version of Chrome or Firefox

release-rel-2024-5-1-6172 | Mon Jun 24 04:52:54 PDT 2024