Using YARA rules for advanced malware detection in Oxygen Remote Explorer.

July 10, 2024

Unlock Advanced Malware Detection with YARA Rules in Oxygen Remote Explorer.

Now you can use YARA rules when searching for malware patterns and other security threats in Oxygen Remote Explorer.

YARA rules are a powerful malware research and detection tool for scanning files or memory and identifying patterns within them. A YARA rule is a logical expression based on textual or binary patterns, and it can be written by the user. Each rule starts with a rule identifier, a unique name for that rule. The identifier is case sensitive, cannot include spaces or YARA keywords, and cannot start with a digit.

The rule body, which determines how the rule works, contains three sections: meta, strings and condition. The meta section adds descriptive details about the rule; the strings section declares the variables and sets their values (the patterns to look for); and the condition section holds an expression, built with logical operators, that states what the rule is to detect.
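The following rule is an added illustration of the structure just described; it is not a rule shipped with Oxygen Remote Explorer or taken from this post. The rule name, the meta values and the string patterns are all constructed for the example: it flags a Windows executable that embeds both a scripting-interpreter name and an autostart registry path, a combination that is worth reviewing rather than proof of malice.

```yara
// Identifier: case sensitive, no spaces, not a YARA keyword, does not start with a digit.
rule Example_Suspicious_Autostart_Executable
{
    meta:
        // Free-form descriptive details about the rule (constructed values).
        description = "Constructed example: PE file that references a script interpreter and an autostart registry key"
        author      = "added example, not Oxygen Forensics"
        date        = "2024-07-10"
        severity    = "review"

    strings:
        // Binary pattern: the 'MZ' DOS header that every PE file begins with.
        $mz   = { 4D 5A }
        // Text patterns; 'nocase' ignores letter case, 'ascii wide' matches
        // both single-byte and UTF-16 encodings of the string.
        $ps   = "powershell" nocase ascii wide
        $wsh  = "wscript" nocase ascii wide
        // Well-known Windows autostart registry path (backslashes are escaped).
        $run  = "Software\\Microsoft\\Windows\\CurrentVersion\\Run" nocase ascii wide

    condition:
        // The header must sit at offset 0, the file must be reasonably small,
        // at least one interpreter name must appear, and the autostart path too.
        $mz at 0 and filesize < 5MB and ($ps or $wsh) and $run
}
```

When such a rule is added through the YARA Editor, the editor validates the same three sections; a missing condition block or a misspelled modifier such as `nocase` is the kind of syntax error it reports before the rule can be saved.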

The ability of YARA rules to search for specific patterns makes them valuable for detecting and analyzing malware and other security threats, and for pinpointing a diverse array of digital artifacts.

With these capabilities in mind, YARA rules are often instrumental in digital investigations, and particularly in investigations of corporate incidents. For this reason, we have added the ability to search by YARA rules in Oxygen Remote Explorer.

Oxygen Remote Explorer is software designed to aid investigations of corporate incidents. It is a comprehensive tool for extracting and analyzing data from workstations, mobile devices, and cloud services.

How to search using YARA rules in Oxygen Remote Explorer

In Oxygen Remote Explorer, all remote extractions are performed via the Agent Management Center. There, endpoints are added to a single database from which all extractions can be initiated. Profiles are created to specify which data to extract; pre-set task templates include all necessary parameters. To add a new profile, open the “Profiles” section and click “Create Profile” to open the Extraction Configuration tool.

Open the “YARA” tab to create the YARA rules to be applied in the Files section; files matching those rules will then be detected. Previously created YARA rules are also displayed in this section.

Screenshot of creating an extraction configuration in Oxygen Remote Explorer

To add a rule, click the “Add Rule” button. This opens the YARA Editor window, in which a rule can be written and saved. The editor flags any syntax errors it detects, and the window closes once the rule is written correctly. Existing YARA rules can be reused in other search profiles or included as additional filtering criteria.

Screenshot of creating YARA rules within the extraction configuration in Oxygen Remote Explorer

To apply the rules and save the profile, click “Save”.

