YARA

Rule-based malware analysis tool

From Wikipedia, the free encyclopedia

YARA is a tool primarily used in malware research and detection.

Designed by: Victor Alvarez
First appeared: 2013
Stable release: 4.5.5[1] / 30 October 2025
Filename extensions: .yara
Website: virustotal.github.io/yara

It provides a rule-based approach to creating descriptions of malware families based on regular expressions and textual or binary patterns. A description is essentially a named YARA rule, and each rule consists of a set of strings and a Boolean expression.[2]

Analysts write YARA rules to capture the DNA of malware families: persistent elements like code fragments, configuration strings, and structural patterns, expressed as text, hex sequences, or regex combined with Boolean logic. This signature-based detection survives file mutations that defeat hash matching, enabling identification of variants and related samples across large datasets.[3]

History

YARA was originally developed by Victor Alvarez of VirusTotal and released on GitHub in 2013.[4] The name is an abbreviation of YARA: Another Recursive Acronym or Yet Another Ridiculous Acronym.[5] In 2024, Alvarez announced that YARA would be superseded by a rewrite called YARA-X, written in Rust.[6] A first stable version of YARA-X was released in June 2025, marking the passage of the original YARA into maintenance mode.[7]

Design

By default, YARA comes with modules for analyzing PE and ELF files, as well as support for the open-source Cuckoo sandbox.
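
A rule showing the structure described above (a set of text, hex and regex strings, a Boolean condition, and a check through the PE module), as an added example that is not taken from the YARA project or the original article. The rule name, strings and thresholds are constructed for illustration and do not describe a real malware family:

```yara
import "pe"

rule Example_Family_Loader
{
    meta:
        description = "Constructed example for a hypothetical family; not a real signature"

    strings:
        // Text string: a configuration key, matched as ASCII and UTF-16LE, any case
        $cfg = "cfg_beacon_interval=" ascii wide nocase

        // Hex pattern: ?? is a single-byte wildcard, [2-4] skips 2 to 4 arbitrary bytes,
        // so the pattern still matches when operands or padding change between builds
        $dec = { 8B 45 ?? 33 C1 [2-4] 89 45 ?? }

        // Regular expression: a fixed format with a variable 8-character token
        $ua = /Mozilla\/5\.0 \(agent-[a-z0-9]{8}\)/

    condition:
        uint16(0) == 0x5A4D and          // file starts with the "MZ" magic
        filesize < 2MB and               // bound the scan to plausible sample sizes
        pe.number_of_sections <= 8 and   // structural check provided by the PE module
        2 of ($cfg, $dec, $ua)           // any two of the three strings are enough
}
```

Requiring two of three strings rather than all of them keeps the rule matching when one element is changed in a variant, while the magic, size and section checks limit false positives on unrelated files.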
