[BSH] Quick Tip: YARA Scanning Files

YARA is an advanced string searching tool designed to assist malware researchers in identifying malware samples. Its extremely versatile, allowing analysts to scan a variety of file types both on disk or in memory, to quickly highlight pre-identified malicious indicators and classify the files.

I’ve created a bash script to make it easier to scan files and directories with the variety of different rules provided by the YARA rule repository found on GitHub. It’s been written and tested on Ubuntu 18.04 but should work on other versions also. This gives you a terminal menu to quickly select and scan based on the indexes provided like below:

The script has a built in dependency checker which will install YARA, download the rule pack and setup the environment. This requires internet connectivity.

The script can be found at the following:


All that is required is to download the script, place it in a $PATH recognised location eg. /usr/local/bin, then give execution rights (chmod +x mcbyara) and you are good to go.

The commands are as follows:

Single file: mcbyara -f <file>

Directory: mcbyara -d <dir>

This will then scan your input with your chosen set of YARA rules and output a list of matches like below:

The script also sets up a custom option which allows you to develop and test your own rules which can then be added to your security toolsets as required. To use the custom option, just add your rule to the custom directory found within the yara home directory. The default home directory is $HOME/yara. This can be changed by editing the YARA_PATH variable in the script. Once you’ve added your rule, update the custom_index.yar file to include your rule and you’re good to go.

This script has been created to run with the YARA repository as it is now so it may need tweaking if the rules change.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s