Revamp Yara memory/file scanning #209
Labels
scope: alertsenders
Anything related to alert senders
scope: config
Anything related to config management
scope: yara
Anything related to libyara and pattern matching
Description
Presently, the Yara scanner acts on process creation and image loading events to initiate the scan. For the former event types, the memory scan is performed on the child process. However, we can expand the scan capabilities to various other signals:
We could consider executing some of these scans concurrently. When the rule match is observed, the alert is sent via registered alert senders.