One-Time YARA Investigation

Step 1: Log into Trend Micro Apex Central

  • Open your web browser and access the Trend Micro Apex Central console.
  • Enter your credentials and sign in.

Step 2: Navigate to Live Investigation

  • From the main menu, go to Response > Live Investigation.
  • Select the One Time Investigation tab.

Step 3: Create a New Investigation

  • Click on New Investigation.
  • Enter a descriptive Name for the investigation.

Step 4: Configure YARA Scan Method

  • In the Method dropdown, choose Scan in-memory processes using YARA.
  • Upload your YARA rule file (.yar or .yara format) when prompted.
  • Review the preview of the uploaded YARA file to confirm it contains valid rules.

Step 5: Select Target Endpoints

  • Click Select Endpoints.
  • Choose Windows endpoints with Security Agents and Endpoint Sensor enabled.

Step 6: Start the Investigation

  • Click Start Investigation.
  • Monitor the progress and status in the One Time Investigation tab.

Scheduled YARA Investigation

Step 1: Access Scheduled Investigation

  • Navigate to Response > Live Investigation.
  • Click the Scheduled Investigation tab.

Step 2: Create a New Scheduled Investigation

  • Click New Investigation.
  • Provide a Name for the scheduled scan.

Step 3: Configure YARA Scan

  • Select Scan in-memory processes using YARA as the method.
  • Upload your YARA rule file (.yar or .yara).
  • Select target Windows endpoints with Security Agents.

Step 4: Set Schedule Parameters

  • Define the Period (start and end dates). Default is one month.
  • Set the Frequency (e.g., daily at 08:00).

Step 5: Deploy Scheduled Scan

  • Click Start Investigation.
  • Track ongoing scans and history in the Scheduled Investigation tab.

YARA Rule File Requirements

  • The file must use valid YARA syntax.
  • Upload must be a single .yar or .yara file.
  • Trend Micro Apex Central shows a preview after upload for validation.

Sample YARA Rule Structure

rule SuspiciousBehavior
{
    meta:
        description = "Detects suspicious memory patterns"
        author = "Security Team"
    strings:
        // Text string, matched byte-for-byte (case-sensitive unless the nocase modifier is added)
        $pattern1 = "malicious_string"
        // Hex byte sequence; wildcards (??) and jumps ([n-m]) are allowed inside the braces
        $pattern2 = { 6A 40 68 00 30 00 00 }
    condition:
        // Match when at least one of the strings above is found in the scanned process memory
        any of them
}
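Because the console accepts only a single .yar/.yara file and rejects files that fail its syntax preview, it helps to catch the common mistakes before uploading. The following pre-upload check is an added example, not part of the original page or of Trend Micro's tooling: it applies the upload requirements above and a lightweight structural lint (balanced braces, a condition section per rule, no undefined string identifiers) to the sample rule, plus a constructed broken rule. It is a quick lint only; it does not replace a real YARA compiler or the console preview.

```python
import re
from pathlib import Path

# Constructed inputs (not from the page): its sample rule, and a broken rule with a missing closing brace and an undefined string.
GOOD_RULE = """rule SuspiciousBehavior
{
    strings:
        $pattern1 = "malicious_string"
        $pattern2 = { 6A 40 68 00 30 00 00 }
    condition:
        any of them
}
"""
BAD_RULE = """rule Broken {
    strings: $a = "x"
    condition: $a and $b
"""

RULE_HEADER = re.compile(r"^\s*(?:(?:private|global)\s+)*rule\s+([A-Za-z_]\w*)", re.M)
STRING_DEF = re.compile(r"(\$\w*)\s*=")      # "$name = ..." inside a strings section
STRING_REF = re.compile(r"\$\w+(?![\w*])")   # "$name" inside a condition; ignores "$x*"

def lint_rule_text(text):
    """Return a list of problems; an empty list means the structural checks passed."""
    problems = []
    if text.count("{") != text.count("}"):
        problems.append("unbalanced braces")
    headers = list(RULE_HEADER.finditer(text))
    if not headers:
        problems.append("no rule declarations found")
    # Slice the file into one chunk per rule and check each chunk on its own.
    bounds = [h.start() for h in headers] + [len(text)]
    for h, start, end in zip(headers, bounds, bounds[1:]):
        name, body = h.group(1), text[start:end]
        if "condition:" not in body:
            problems.append(f"{name}: missing condition section")
            continue
        head, cond = body.split("condition:", 1)
        defined = set(STRING_DEF.findall(head))
        for ref in sorted(set(STRING_REF.findall(cond)) - defined):
            problems.append(f"{name}: undefined string {ref}")
    return problems

def check_upload(path):
    """Apply the console's upload constraint (a single .yar or .yara file), then lint it."""
    path = Path(path)
    if path.suffix.lower() not in (".yar", ".yara"):
        return [f"unsupported extension {path.suffix!r}; expected .yar or .yara"]
    return lint_rule_text(path.read_text())
```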

Monitoring and Analyzing Results

  • View details such as endpoint name, OS, user context, and match timestamp.
  • Root Cause Analysis is available only for YARA rule matches in Live Investigations.
  • Use the investigation screens to monitor progress, including percentage complete and elapsed time.

Important Considerations

  • YARA scanning is supported only on Windows endpoints with Security Agents and Endpoint Sensor enabled.
  • Scans analyze only in-memory processes, not disk files.
  • Only one YARA rule file can be used per investigation.
  • Memory scanning may impact endpoint performance during the scan.

Additional Actions After Detection

  • Generate Root Cause Analysis to understand the sequence of events.
  • Start a new Live Investigation with the same criteria.
  • Isolate affected endpoints from the network if necessary.

For detailed information on configuring and running Live Investigations with YARA rules, refer to the Live Investigations documentation.

For additional details on supported IOC indicators for Live Investigations, see Supported IOC Indicators for Live Investigations.