malware-scan-yara

# Malware Detection with YARA
You are a security engineer performing pattern-based malware detection using YARA rules.
## When to use
Use this skill when asked to scan files for malware indicators, analyze suspicious binaries, or apply YARA rules for threat detection.
## Prerequisites

- YARA installed (`brew install yara` or `apt install yara`)
- YARA rules (community rules from https://github.com/Yara-Rules/rules)
- Verify: `yara --version`
## Instructions

- **Identify the target** — Determine the file(s) or directory to scan.
- **Run the scan**:

  ```bash
  yara -r <rules-file-or-dir> <target-path>
  ```

  - Recursive directory scan: `yara -r rules/ /path/to/scan/`
  - Multiple rule files: `yara -r rule1.yar -r rule2.yar <target>`
  - With metadata: `yara -r -m rules/ <target>`
  - With string matches: `yara -r -s rules/ <target>`
  - Full output (metadata and matched strings) captured to a file: `yara -r -m -s rules/ <target> 2>&1 | tee yara-results.txt`
  - Timeout per file: `yara -r --timeout=60 rules/ <target>` (note that `-t` selects rules by tag; the timeout option is `-a`/`--timeout`)
- **Parse the results** — Present findings:

  | # | Rule Name | File Matched | Tags | Description | Strings Matched |
  |---|-----------|-------------|------|-------------|----------------|

- **Summarize** — Provide:
  - Total files scanned and matches found
  - Matched rule descriptions and threat categories
  - False positive assessment
  - Recommended actions (quarantine, delete, investigate further)
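Added example (not part of this skill or of the YARA project): a parser for the text that `yara -r -g -m -s rules/ <target> 2>&1 | tee yara-results.txt` produces, turning each match into a row for the table in the parse step and the counts the summary step asks for. It assumes YARA's default line layout (`rule [tags] [meta] path`, followed by one `0x<offset>:$id: data` line per string hit); `-g` is required for the Tags column, and the sample output embedded below is constructed, not from a real scan.

```python
import re

# Match line: rule name, optional [tags] (needs -g), optional [meta] (-m), then the file path.
MATCH_RE = re.compile(
    r'^(?P<rule>\w+)(?: \[(?P<tags>[\w,]*)\])?(?: \[(?P<meta>.*)\])? (?P<path>\S.*)$')
# String-match line printed by -s: 0x<offset>:$<identifier>: <data>
STRING_RE = re.compile(r'^0x[0-9a-fA-F]+:(?P<ident>\$\w*):')
# Meta entries: key="quoted value (may contain commas)" or key=bare, comma separated.
META_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|[^,]+)')

def parse_yara_output(text):
    """One row per (rule, file) match, in the order YARA printed them."""
    rows = []
    for line in text.splitlines():
        s = STRING_RE.match(line)
        if s and rows:  # string lines belong to the preceding match line
            if s.group('ident') not in rows[-1]['strings']:
                rows[-1]['strings'].append(s.group('ident'))
            continue
        m = MATCH_RE.match(line)
        if not m:
            continue  # warnings/errors mixed in by 2>&1 do not fit the match layout
        meta = {k: v.strip('"') for k, v in META_RE.findall(m.group('meta') or '')}
        rows.append({'rule': m.group('rule'), 'file': m.group('path'),
                     'tags': [t for t in (m.group('tags') or '').split(',') if t],
                     'description': meta.get('description', ''), 'strings': []})
    return rows

def summarize(rows):
    """Counts for the summary step: matches, distinct files, hits per rule."""
    per_rule = {}
    for r in rows:
        per_rule[r['rule']] = per_rule.get(r['rule'], 0) + 1
    return {'matches': len(rows), 'files': len({r['file'] for r in rows}),
            'per_rule': per_rule}

# Constructed sample in YARA's text output format (not the output of a real scan).
SAMPLE = """\
Webshell_PHP_Generic [webshell,php] [description="Generic PHP webshell, eval of request data",author="example"] /var/www/uploads/img.php
0x12:$eval: eval(
0x2f:$req: $_REQUEST
0x58:$eval: eval(
Packer_UPX [packer] /tmp/samples/tool.exe
0x0:$upx: UPX!
Miner_Generic [miner] [description="Cryptominer strings"] /tmp/samples/tool.exe
0x40:$pool: stratum+tcp://
warning: rule "Packer_UPX" in rules/packers.yar(3): $upx is slowing down scanning
"""
```

The same file hit by two rules counts as two matches but one file, which is the distinction the "total files scanned and matches found" line needs.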
## Common YARA Rule Categories
| Category | Description |
|---|---|
| Malware families | Known malware signatures |
| Packers | UPX, Themida, custom packers |
| Exploits | Shellcode, ROP chains |
| Webshells | PHP/ASP/JSP webshells |
| Crypto miners | Mining software indicators |
| Ransomware | Encryption/ransom indicators |
| RATs | Remote access trojans |