Creating Custom Scanner Rules

Updated Jun 3, 2026

Advanced users can create custom detection rules in True Protection by Jag to identify specific threats, unwanted programs, or policy violations unique to their environment.

Custom Rule Types

  • File Rules: Match files based on name patterns, size, hash values, or content signatures.
  • Behavior Rules: Detect specific process behaviors such as accessing certain registry keys, modifying system files, or communicating with specific IP addresses.
  • Network Rules: Flag traffic to or from specific IP ranges, domains, or ports.
  • YARA Rules: Import standard YARA rules for advanced pattern-based malware detection.

Creating a File Detection Rule

  • Step 1: Navigate to Settings > Advanced > Custom Rules.
  • Step 2: Click Create New Rule.
  • Step 3: Select the rule type (File, Behavior, Network, or YARA).
  • Step 4: Define the matching criteria. For file rules, you can specify file name patterns, file sizes, content strings, or hash values (MD5, SHA-1, SHA-256).
  • Step 5: Set the action: Alert Only, Quarantine, or Block.
  • Step 6: Set the severity level: Low, Medium, High, or Critical.
  • Step 7: Save and activate the rule.

Importing YARA Rules

True Protection supports importing YARA rule files directly. Navigate to Settings > Advanced > Custom Rules > Import YARA and select your .yar or .yara file. The rules will be compiled and added to the scanner engine immediately.

Test your custom rules by running a targeted scan against a known sample to confirm they trigger correctly before deploying them broadly.
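
A self-test rule for checking the import and targeted-scan workflow described above. This is an added example, not a rule shipped with or documented by True Protection; the rule name, marker strings, and size limit are constructed for illustration, and it assumes the scanner accepts standard YARA string modifiers and the `filesize` keyword.

```yara
// Constructed self-test rule: it matches only a harmless text file that you
// create yourself, so a hit proves the import and scan path works without
// handling a live malware sample.
rule Custom_Rule_Import_Selftest
{
    meta:
        description = "Matches a harmless marker file used to verify custom rule import"
        author      = "example"          // placeholder value
        severity    = "low"              // informational only; set the real severity in the UI

    strings:
        // Unique marker unlikely to occur in real files (constructed value).
        // 'ascii wide' covers both plain text and UTF-16 encoded saves.
        $marker = "TP-CUSTOM-RULE-SELFTEST-7f3a9c" ascii wide

        // Second string that must also be present, to reduce accidental matches.
        $tag = "selftest-sample" ascii wide nocase

    condition:
        // Small files only, marker near the start of the file, tag anywhere.
        filesize < 4KB and
        $marker in (0..64) and
        $tag
}
```

Save the rule as a .yar file, import it, then run a targeted scan against a text file whose first line contains both strings. Set the action to Alert Only for this check, and confirm that a similar file without the marker does not trigger.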
