YAREX was created to speed up file-system-wide YARA scans, which can take ages even on higher-end machines. It is a user-friendly script that simplifies those scans with interactive prompts.
- Automatic rule updates: fetches the latest YARA rules from YARA Forge.
- Locations: specify the directories to scan.
- Exclusions: select specific file types to exclude from scans to make them more efficient.
- Parameters: maximum file size, rule set to use, compile rules.
- Reporting: generates a CSV report with the findings (rule name / file path / SHA256 hash).
- Extracting: extracts the suspected files.
All of those features are customizable and/or optional. Pass the --extract argument on the command line to extract files automatically at the end of the scan without prompting the user.
Install the dependencies for your platform, then fetch the script.

macOS (Homebrew):

```sh
brew install coreutils
brew install yara
```

Debian/Ubuntu:

```sh
sudo apt-get update
sudo apt-get install yara
```

Linux and macOS, get the script:

```sh
git clone https://github.com/hbourget/yarex.git
cd yarex
chmod +x yarex.sh
```

Windows: start PowerShell as administrator, then:

```powershell
git clone https://github.com/hbourget/yarex.git
cd yarex
```

The binary is already included in the project, under the /bin directory.

Refer to the YARA GitHub repository for more installation instructions.
| Scan Type | Recommended File Size Limit |
|---|---|
| Fast scanning (low impact) | 10MB – 50MB |
| Balanced performance & quality | 100MB – 250MB |
| Thorough scanning (higher resource usage) | 500MB – 1GB |
| Deep scan (will be very long) | No limit (not recommended) |
You have to convert those values to bytes (binary units)! https://www.gbmb.org/mb-to-bytes
| Need | Rule set | Description |
|---|---|---|
| Fast scan (Low system impact) | Core | Covers essential malware families and threats with minimal overhead. Best for routine monitoring and endpoint scans. |
| Balanced scan (More coverage, reasonable performance) | Extended | Includes everything from Core + additional signatures for wider threat detection. |
| Deep scan (High resource use, exhaustive search) | Full | Covers all known threats, including rare and advanced malware. Suited for forensic investigations. |
Exclusions are managed via .inm files located in the ./inames directory. The goal is to remove from the scan the file types that can cause bottlenecks.
- Archives (archives.inm): .zip, .rar, .tar, .gz, .7z, .bz2, .xz, .cab, .tgz
- Audio (audio.inm): .mp3, .wav, .aac, .flac, .ogg, .wma, .m4a, .alac, .opus, .amr
- Virtual machines (vm.inm): .ova, .ovf, .vhd, .vhdx, .vmdk, .vdi, .qcow2, .raw, .img
- Databases (databases.inm): .sql, .db, .sqlite, .sqlite3, .accdb
- Image files (images.inm): .jpg, .jpeg, .png, .gif, .bmp, .tiff, .webp, .svg, .heic, .ico
- Video files (video.inm): .mp4, .mkv, .avi, .mov, .wmv, .flv, .webm, .m4v, .3gp, .mpeg, .mpg
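The following added example (not yarex's own code) ties the three settings described above together: it converts a size from the file-size table to bytes using binary units (1 MB = 1048576 bytes), applies the .inm exclusions while walking a directory so that excluded and oversized files never reach yara, and turns yara's default `rule_name /path/to/file` output lines into the CSV rows (rule name / file path / SHA256) the report uses. It assumes, as a hypothetical format, that each .inm file lists one extension per line (e.g. `.zip`); the function names, and the directory, file and rule names in the usage, are constructed for illustration.

```sh
#!/usr/bin/env sh
# Added example, not part of yarex. Assumes (hypothetically) that each .inm
# file lists one extension per line, e.g. ".zip".

# Convert a size such as 50MB or 1GB to bytes using binary units
# (1 KB = 1024 B, 1 MB = 1048576 B, 1 GB = 1073741824 B).
to_bytes() {
  num=$(printf '%s' "$1" | sed 's/[^0-9]//g')
  unit=$(printf '%s' "$1" | sed 's/[0-9 ]//g' | tr '[:lower:]' '[:upper:]')
  [ -n "$num" ] || { echo "no number in: $1" >&2; return 1; }
  case "$unit" in
    ""|B) echo "$num" ;;
    KB)   echo $((num * 1024)) ;;
    MB)   echo $((num * 1024 * 1024)) ;;
    GB)   echo $((num * 1024 * 1024 * 1024)) ;;
    *)    echo "unknown unit: $unit" >&2; return 1 ;;
  esac
}

# Return 0 (excluded) when the file's extension is listed, case-insensitively,
# in any .inm file of the given directory; 1 otherwise.
is_excluded() {
  base=${1##*/}
  ext=".${base##*.}"
  [ "$ext" = ".$base" ] && return 1      # no extension at all
  for f in "$2"/*.inm; do
    [ -f "$f" ] || continue
    grep -qixF -- "$ext" "$f" && return 0
  done
  return 1
}

# List files under $1 smaller than $2 bytes that are not excluded by the
# .inm files in $3 (this pre-filtering is what keeps the scan short).
list_candidates() {
  find "$1" -type f -size -"$2"c 2>/dev/null | while IFS= read -r path; do
    is_excluded "$path" "$3" || printf '%s\n' "$path"
  done
}

# SHA256 of a file; falls back to shasum on a macOS without coreutils.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum -- "$1" | cut -d' ' -f1
  else
    shasum -a 256 -- "$1" | cut -d' ' -f1
  fi
}

# Turn one yara output line ("rule_name /path/to/file") into a CSV row
# rule,"path",sha256; the path is quoted and inner quotes doubled.
yara_line_to_csv() {
  rule=${1%% *}
  path=${1#* }
  quoted=$(printf '%s' "$path" | sed 's/"/""/g')
  printf '%s,"%s",%s\n' "$rule" "$quoted" "$(sha256_of "$path")"
}

# Full pipeline (needs yara on PATH). Arguments: scan root, size limit
# (e.g. 50MB), directory holding the .inm files, rules file, CSV report path.
run_scan() {
  max=$(to_bytes "$2") || return 1
  printf 'rule,path,sha256\n' > "$5"
  list_candidates "$1" "$max" "$3" | while IFS= read -r path; do
    yara "$4" "$path" | while IFS= read -r match; do
      yara_line_to_csv "$match"
    done
  done >> "$5"
}

# Constructed usage: run_scan /home 50MB ./inames ./rules/core.yar ./report.csv
```

The pre-filter runs `find` with `-size -<bytes>c`, so the limit must already be in bytes, which is exactly the conversion the size table asks for; excluded extensions are compared case-insensitively so `.ZIP` and `.zip` are treated alike.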
Run the YAREX script with privileges:

```sh
sudo ./yarex.sh
```

On Windows, run PowerShell as administrator and temporarily bypass the PowerShell execution policy restrictions:

```powershell
Set-ExecutionPolicy Unrestricted
./yarex.ps1
```

The script is interactive and will prompt you with options.
This project is licensed under the MIT License.
