I have Fleet managing some agents. I placed the EICAR string in a file in the root directory of one of these agents, and tried the example query in Fleet for yara table to look for that string. It never returns results. Do I need to enable anything in Fleet or in the agent options to make on-demand yara queries to work?

Hi Vinny. There could be a few different issues preventing you from getting results. I would recommend removing the AND clause at the end of the query first,

AND matches='eicar'

and see if that solves your issue. If that does not work, I would check the path in your WHERE clause, because it might need to be altered. If you've checked/tested the path, and you're certain that its correct, it is worth noting that there are some files on your computer that osquery doesn't have access to.

Hi @Rebecca Cowart. Thank you so much, just tested removing the

AND matches='eicar'

and it worked. Any idea why it was returning no results because of this?

Can you share the exact query you were running?

Thank you for sending the query. Based on the fact that you were getting no results when running this, I would assume you did not have the EICAR test file saved in that location to be found by this query. When removing the AND clause and leaving the path the same, you got results, but the results still did not likely list the EICAR test file . The AND clause in this query was using a rule (aliased as 'eicar') that stated the file being searched for must contain that long string of text. The EICAR test file does contain that string of text. So if the test file had been saved in that location, it would returned both times, with and without the AND clause. The test file can be found above the example query on this page: https://fleetdm.com/tables/yara.

oh I see. Yes, I only copied the long string found in the yara rule and placed in the text editor and saved. It was not the original file from the EICAR website