Import custom behavioral and YARA scanner rules

Import the custom rule files into Advanced Threat Defense. You can import a maximum of two versions of the YARA rules. The second version that you upload becomes the Current file, and the first version becomes the Backup file. Advanced Threat Defense applies the rules in the Current DAT file for malware detection.

Task

  1. Log on to the Advanced Threat Defense web interface.
  2. Click Manage → Image & Software Incremental Updates.
  3. Click the YARA Rules tab.
  4. Next to Upload File, click Browse, then locate and open the YARA file.
  5. In the pop-up window, select the YARA file type.
  6. Click Upload.
    If there are syntax errors in the file, Advanced Threat Defense displays the message "Uploaded file contains invalid Custom Behavioral Rules. Please check system log for more details."
    If you delete the Current YARA rule file, the Backup file replaces the Current file. To reinstate the Current file, click Revert.

Load-balancing scenario

Manually upload the Custom Yara Scanner files on these nodes:

  • Primary
  • Secondary
  • Backup

On the primary node, click Policy → Analyzer Profile, select the analyzer profile, then click Edit. Enable Custom Yara Scanner.