YARA-X VirusTotal
winget install --id=VirusTotal.YARA-X -e
YARA-X is a re-incarnation of YARA, a pattern matching tool designed with malware researchers in mind. This new incarnation intends to be faster, safer and more user-friendly than its predecessor.
YARA-X is a pattern matching tool designed for malware researchers: a rewrite of YARA in Rust that aims to be faster, safer and more user-friendly than its predecessor. Rules describe a malware family (or anything else) in terms of textual or binary patterns, combined with wildcards, regular expressions and boolean logic.
Key features include broad compatibility with existing YARA rule syntax (the rule-level differences are covered in the FAQ below), faster scanning, and the memory safety that comes with a Rust implementation. It handles large, complex rule sets, which makes it suitable for identifying malware and other threats at scale.
It is aimed at malware researchers, security practitioners and digital forensic analysts, and on Windows it can be installed with the winget command shown above.
README
YARA-X
YARA-X is a re-incarnation of YARA, a pattern matching tool designed with malware researchers in mind. This new incarnation intends to be faster, safer and more user-friendly than its predecessor. The ultimate goal of YARA-X is replacing YARA as the default pattern matching tool for malware researchers.
With YARA-X you can create descriptions of malware families (or whatever you want to describe) based on textual or binary patterns. Each description (a.k.a. rule) consists of a set of patterns and a boolean expression which determine its logic. Let’s see an example:
rule silent_banker : banker {          // "banker" is a tag attached to the rule
    meta:                              // free-form key/value metadata, not used for matching
        description = "This is just an example"
        threat_level = 3
        in_the_wild = true
    strings:                           // the patterns the condition can refer to
        $a = {6A 40 68 00 30 00 00 6A 14 8D 91}            // hex (binary) pattern
        $b = {8D 4D B0 2B C1 83 C0 27 99 6A 4E 59 F7 F9}   // hex (binary) pattern
        $c = "UVODFRYSIHLNWPEJXQZAKCBGMT"                  // plain text pattern
    condition:                         // boolean expression that decides the match
        $a or $b or $c
}
The above rule tells YARA-X that any file containing at least one of the three patterns must be reported as silent_banker. This is just a simple example; more complex and powerful rules can be created by using wildcards, case-insensitive strings, regular expressions, special operators and many other features that are explained in the documentation.
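To make the byte-level meaning of the rule above concrete, here is an added illustration (not code from the YARA-X project, and not its matching engine) that translates the three silent_banker patterns, plus a hypothetical variant using the `??` byte wildcard, a `[n-m]` jump and the `nocase` modifier, into byte regexes and scans constructed sample buffers with them. The sample buffers, the `$push_call` and `$key_nocase` pattern names and the helper function names are all made up for the example; the pattern syntax itself is YARA's.

```python
import re

# Patterns of the silent_banker rule from the README, in YARA syntax.
# The mini-compiler below only illustrates what these patterns mean at the
# byte level; it is an added example, not the YARA-X engine.
SILENT_BANKER = {
    "$a": "{6A 40 68 00 30 00 00 6A 14 8D 91}",
    "$b": "{8D 4D B0 2B C1 83 C0 27 99 6A 4E 59 F7 F9}",
    "$c": '"UVODFRYSIHLNWPEJXQZAKCBGMT"',
}

# Hypothetical patterns showing a wildcard byte, a 1-3 byte jump and nocase.
WILDCARD_PATTERNS = {
    "$push_call": "{6A 40 68 ?? 30 00 00 [1-3] 8D 91}",
    "$key_nocase": '"uvodfrysihlnwpejxqzakcbgmt" nocase',
}


def hex_to_regex(body: str) -> bytes:
    """Translate a hex string such as {6A 40 ?? [2-4] 8D 91} into a byte regex.
    Supports literal bytes, the ?? byte wildcard and [n] / [n-m] jumps."""
    parts = []
    for tok in body.strip("{} \t").split():
        if tok == "??":
            parts.append(b".")                       # any single byte
        elif tok.startswith("[") and tok.endswith("]"):
            lo, _, hi = tok[1:-1].partition("-")
            parts.append(b".{%d,%d}" % (int(lo), int(hi or lo)))  # jump of n..m bytes
        elif re.fullmatch(r"[0-9A-Fa-f]{2}", tok):
            parts.append(re.escape(bytes.fromhex(tok)))
        else:
            raise ValueError(f"unsupported hex token {tok!r} (nibble wildcards not handled here)")
    return b"".join(parts)


def text_to_regex(spec: str) -> tuple[bytes, int]:
    """Translate "literal" [nocase] [wide] into (byte regex, re flags)."""
    m = re.fullmatch(r'"([^"]*)"((?:\s+\w+)*)', spec.strip())
    if not m:
        raise ValueError(f"unsupported text string {spec!r}")
    literal, modifiers = m.group(1).encode("latin-1"), set(m.group(2).split())
    if "wide" in modifiers:
        # 'wide' matches the UTF-16LE form: every ASCII byte followed by 0x00
        literal = b"".join(bytes([c, 0]) for c in literal)
    flags = re.IGNORECASE if "nocase" in modifiers else 0
    return re.escape(literal), flags


def compile_patterns(patterns: dict[str, str]) -> dict[str, re.Pattern]:
    """Compile each pattern inside a lookahead so overlapping hits are all reported."""
    compiled = {}
    for ident, spec in patterns.items():
        if spec.lstrip().startswith("{"):
            regex, flags = hex_to_regex(spec), re.DOTALL
        else:
            regex, flags = text_to_regex(spec)
        compiled[ident] = re.compile(b"(?=" + regex + b")", flags)
    return compiled


def scan(patterns: dict[str, str], data: bytes) -> dict[str, list[int]]:
    """Return, for every pattern identifier, the offsets at which it matches."""
    return {ident: [m.start() for m in rx.finditer(data)]
            for ident, rx in compile_patterns(patterns).items()}


def silent_banker_matches(data: bytes) -> bool:
    """The rule's condition: $a or $b or $c."""
    return any(scan(SILENT_BANKER, data).values())


# Constructed sample buffers (not real malware): one carrying $a, one $c, one clean.
SAMPLE_A = b"\x00" * 16 + bytes.fromhex("6A4068003000006A148D91") + b"\x90" * 8
SAMPLE_C = b"MZ\x90\x00" + b"UVODFRYSIHLNWPEJXQZAKCBGMT" + b"\x00" * 4
SAMPLE_CLEAN = bytes(range(256))

if __name__ == "__main__":
    for name, buf in [("SAMPLE_A", SAMPLE_A), ("SAMPLE_C", SAMPLE_C), ("SAMPLE_CLEAN", SAMPLE_CLEAN)]:
        verdict = "silent_banker" if silent_banker_matches(buf) else "no match"
        print(f"{name}: {scan(SILENT_BANKER, buf)} -> {verdict}")
    print("wildcard variant on SAMPLE_A:", scan(WILDCARD_PATTERNS, SAMPLE_A))
    print("nocase variant on SAMPLE_C:  ", scan(WILDCARD_PATTERNS, SAMPLE_C))
```

The point of the example is the translation step: a hex pattern is a fixed byte sequence, `??` widens one position to any byte, `[1-3]` lets one to three arbitrary bytes sit between two fragments, and `nocase` changes how the text literal is compared rather than what it contains. Real YARA-X does this with a purpose-built engine rather than regexes, which is why it can evaluate tens of thousands of rules per file; the semantics of the patterns, however, are the ones shown here.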
FAQ
How does YARA-X compare to YARA?
Read this.
What are the differences at the rule level?
Read this.
Is YARA still maintained?
Yes, it is. YARA is still being maintained, and future releases will include bug fixes and minor features. However, don’t expect new large features or modules. All efforts to enhance YARA, including the addition of new modules, will now focus on YARA-X.
What's the current state of YARA-X?
YARA-X is already mature and stable. At VirusTotal, we have been running YARA-X in production for a long time, scanning billions of files with tens of thousands of rules, and addressing discrepancies and bugs. This means that YARA-X is already battle-tested.
Please test YARA-X and don’t hesitate to open an issue if you find a bug or some feature that you want to see implemented.