Malware Detection with YARA

When to use

Prerequisites

• YARA installed (

  apt install yara

  or

  brew install yara

  )
• YARA rules (community rules from https://github.com/Yara-Rules/rules)
• Verify:

  yara --version

Instructions

1. Identify the target — Determine the file(s) or directory to scan.
2. Run the scan:
   bash

   yara -r <rules-file-or-dir> <target-path>

   • Recursive directory scan:

     yara -r rules/ /path/to/scan/

   • Multiple rule files:

     yara -r rule1.yar -r rule2.yar <target>

   • With metadata:

     yara -r -m rules/ <target>

   • With string matches:

     yara -r -s rules/ <target>

   • JSON-like output:

     yara -r -m -s rules/ <target> 2>&1 | tee yara-results.txt

   • Timeout per file:

     yara -r -t 60 rules/ <target>

3. Parse the results — Present findings:

| # | Rule Name | File Matched | Tags | Description | Strings Matched |
|---|-----------|-------------|------|-------------|----------------|

1. Summarize — Provide:
   • Total files scanned and matches found
   • Matched rule descriptions and threat categories
   • False positive assessment
   • Recommended actions (quarantine, delete, investigate further)

Common YARA Rule Categories