Hi Guys! I wanted to ask if anyone knew whether on-demand YARA scanning was working for Windows since I've been trying to test it by creating a notepad file with a string and creating a rule in the same folder, however when I query it, "*SELECT* * FROM yara WHERE path=" U:\test" AND sig_group=" U:\test\new.yar";" , it doesnt work

What error do you get? Also, I'm not sure the yara table is on windows. It the error would make this clear.

I get no output, just goes to next line. I can see the yara tables in windows when i use .tables or .schema yara

Pinging @Akshay Kumar for when he gets back on Monday

Okay thank you. It was a simple test where I put the file in a new folder in C, notepad with 3 strings, and a rule in the same folder containing those strings with the condition: any of them

@Usama Nathani, You see the Yara compiler error because the rule file are not placed at the correct location. It should be at YaraHome (

C:\Program Files\osquery\yara

)

@Akshay Kumar Thank you for your quick reply. I wanted some further clarification. 1. Do we create a new folder for yara or is there supposed to be one already in osquery (cant find mine)? 2. Do we put the yara configuration (sig groups) in osquery.conf (got a parsing error) ?

You will need to create the

yara

directory if it is not there. The installer does not create it. You might be seeing parsing error because of the incorrect json format. Please add

yara

as one of the top-level item and include

signatures

defining groups inside it.

I tried that, adding yara to top of congif file worked. I am still getting no output when i use this: SELECT path, count from YARA where path='C:\test' AND sig_group="sig_group_1";

I would like to confirm if you are providing the filename as

sigfile

or the absolute path name? The query should be like:

select * from yara where path like '%' and sigfile='test.yara'

.