YARA

Last updated
YARA
Designed by Victor Alvarez
First appeared2013
Stable release
4.5.5 [1]   OOjs UI icon edit-ltr-progressive.svg / 30 October 2025;15 days ago (30 October 2025)
Filename extensions .yara
Website virustotal.github.io/yara OOjs UI icon edit-ltr-progressive.svg

YARA is a tool primarily used in malware research and detection.

Contents

It provides a rule-based approach to create descriptions of malware families based on regular expression, textual or binary patterns. A description is essentially a YARA rule name, where these rules consist of sets of strings and a Boolean expression. [2]

History

YARA was originally developed by Victor Alvarez of VirusTotal and released on GitHub in 2013. [3] The name is an abbreviation of YARA: Another Recursive Acronym or Yet Another Ridiculous Acronym. [4] In 2024, Alvarez announced that YARA would be superseded by a rewrite called YARA-X, written in Rust. [5] A first stable version of YARA-X was released in June 2025, marking the passage of the original YARA into maintenance mode. [6]

Design

YARA by default comes with modules to process PE, ELF analysis, as well as support for the open-source Cuckoo sandbox.

Algorithmic generation

Research has explored automatic construction of YARA rules from examples. One system, AutoYara, builds rules from a small set of malware files by extracting large byte n-grams and pruning generic features using entropy filters trained on a mixed benign and malicious corpus. [7]

AutoYara then applies an adaptive spectral co-clustering procedure to files and features, followed by probabilistic clustering to select groups of n-grams that tend to co-occur within subsets of the samples. The resulting rule is expressed as a disjunction of conjunctions, where strings inside each bicluster are combined with logical AND, and the biclusters are combined with logical OR. The method also chooses a threshold so that a subset of strings in a clause may be sufficient to match, which helps control false positives while keeping useful coverage. [7]

In evaluations on large malware families and on VirusTotal Retro Hunt, the approach produced rules with very low false positive rates and practical true positive rates, and in several cases matched or exceeded human-written rules. A study with industry analysts reported time savings of 44 to 86 percent when the automatically generated rules were used as starting points for rule development. [7]

See also

References

  1. "Release 4.5.5". 30 October 2025. Retrieved 31 October 2025.
  2. "Welcome to YARA's documentation!". yara.readthedocs.io. Retrieved 2023-09-18.
  3. "Release v1.7.1". GitHub .
  4. Victor M. Alvarez [@plusvic] (22 September 2016). "@milliped @yararules YARA is an acronym for: YARA: Another Recursive Acronym, or Yet Another Ridiculous Acronym. Pick your choice" (Tweet) via Twitter.
  5. https://virustotal.github.io/yara-x/blog/yara-is-dead-long-live-yara-x/
  6. https://virustotal.github.io/yara-x/blog/yara-x-is-stable/
  7. 1 2 3 Raff, Edward; Zak, Richard; Lopez Munoz, Gary; Fleming, William; Anderson, Hyrum S.; Filar, Bobby; Nicholas, Charles; Holt, James (2020-11-13). Automatic Yara Rule Generation Using Biclustering. ACM. pp. 1–12. doi:10.1145/3411508.3421372.
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.