You have a suspicious file on your system. You have run antivirus scans and nothing was found. You know something is wrong, but your tools say everything is clean.
This is exactly when YARA rules become your best friend.
YARA is a pattern-matching tool designed to help malware researchers identify and classify malicious files. It is not an antivirus replacement. It is a precision tool for finding specific threats that other tools miss.
I will explain how YARA works and provide practical commands and real-world examples for you to get started today.
LEGAL WARNING
This guide is for educational purposes only and for legitimate security research purposes only. YARA is an invaluable tool for scanning files and systems for malware. Using YARA on systems that you do not own or for which you do not have explicit permission to test is against the law.
Before using YARA, you agree to:
1. Only scan systems that you own.
2. Only scan systems for which you have written permission from the owner.
3. Scan systems only for approved and legitimate reasons (security research, incident response, authorized testing).
DO NOT USE YARA ON:
1. Any system that you do not own.
2. Any system on which you do not have written permission to scan.
3. Government, military, or other sensitive systems unless you have proper authorization to do so.
This guide is intended for use by security professionals, incident responders, and malware researchers who are acting legitimately.
What is YARA and why use it
YARA identifies malware by textual or binary patterns, based on rules you write that specify what you want to find. YARA scans files against these rules and reports every file that matches. It is easy to use, very fast, and flexible.
Why do you need YARA?
Your antivirus software may not have detected the malware because it does not yet have that particular signature defined; with YARA, you can develop custom rule sets for identifying malware samples that have not yet been defined in any other database (this is particularly useful when the malware sample has a low prevalence or is the only known instance).
You can also use YARA to perform investigations for specific malware families or to identify indicators of compromise (IOCs) associated with those families, as well as to search for hidden threats on your networks.
Installation of YARA
YARA is available for Windows, Linux and macOS.
Linux (Debian/Ubuntu):
sudo apt-get install yara
Linux (Red Hat/Fedora):
sudo dnf install yara
macOS (via Homebrew):
brew install yara
Windows:
Download the YARA installer from the YARA GitHub repository, or use Chocolatey:
choco install yara
How to check that YARA has been installed:
yara --version
This command prints the version number of the YARA build you have installed.
Gaining a Basic Understanding of a YARA Rule
A YARA rule is a text file that describes what you want to detect. Its structure is simple to learn.
The basic structure of a YARA rule looks like this:
rule RuleName
{
    meta:
        description = "What this rule detects"
        author = "Your Name"
        date = "2026-06-21"
    strings:
        $string1 = "malware.exe"
        $string2 = "evil.com"
    condition:
        $string1 or $string2
}
Breaking it down:
1. RuleName is the unique identifier you assign to the rule.
2. The meta section holds descriptive metadata about the rule; it is not consulted when deciding whether the rule matches.
3. The strings section lists the patterns you want to find.
4. The condition section is the boolean expression that decides when the rule matches; in this example the rule matches if either string is found.
Common string types:
The strings in a YARA rule can be defined in the following ways:
1. Text strings - plain text patterns (e.g. "malware.exe"). Text strings are case-sensitive unless you add the nocase modifier.
2. Hexadecimal strings - raw byte sequences such as { 4D 5A 90 00 } (the first bytes of a typical MZ header); a ?? wildcard stands for any byte.
3. Regular expressions - written between slashes, e.g. /evil[0-9]+\.com/.
4. Wide - the wide modifier makes a text string match its UTF-16LE (two bytes per character) encoding, e.g. $s = "malware.exe" wide; add ascii as well to match both encodings.
Example of a simple rule to detect the MZ header of a PE file:
rule IsPE
{
    strings:
        $mz = { 4D 5A }
    condition:
        $mz at 0
}
In the example above, the rule matches any file that has the bytes 4D 5A ("MZ") at offset 0, which is the header of Windows executable files.
Essential YARA Scanning Commands
Command 1: Simple File Scan
The most basic use of YARA is scanning a single file with one rule file:
yara rule_file.yar suspicious_file.exe
Example:
yara detect_pe.yar malware_sample.exe
For every rule that matches, YARA prints the rule name followed by the name of the file. If no rule matches, YARA prints nothing.
Command 2: Scan a Directory
To scan all files in a folder:
yara rule_file.yar /path/to/directory/
Example:
yara detect_malware.yar /home/user/suspicious_files/
YARA scans every file contained in the directory; add the -r flag to descend into sub-directories as well (see the tips section).
Command 3: Scan with Multiple Rules
You can put multiple rules into a single file and scan with all of them at once:
yara rules_collection.yar suspicious_file.exe
For example, rules_collection.yar might contain:
rule Rule1
{
    strings:
        $a = "malware"
    condition:
        $a
}
rule Rule2
{
    strings:
        $b = { 4D 5A }
    condition:
        $b at 0
}
YARA evaluates both rules against the file and reports each one that matches.
Command 4: Display Matched Strings
With the -s option YARA prints the matched strings along with their offsets:
yara -s rule_file.yar suspicious_file.exe
Example output:
RuleName suspicious_file.exe
0x1234:$string1: malware.exe
0x5678:$string2: evil.com
Each line after the rule name shows the offset in the file, the string identifier and the matched data, so you can see which strings matched and where they occurred.
Command 5: Display Matching Rule Metadata
With the -m option YARA prints the metadata of each matching rule:
yara -m rule_file.yar suspicious_file.exe
Example output:
RuleName [author="your name",description="this one detects malware"] suspicious_file.exe
This tells you who wrote the rule and what it is meant to detect, which helps you judge why a match is significant.
Command 6: Scanning with Multiple Rules in a Directory
If you keep several rule files in a directory, pass them all to YARA in one command. The yara command accepts any number of rule files before the target, so a shell substitution can collect every .yar file in the directory and in any directory beneath it:
yara $(find /path/to/rules/directory/ -name '*.yar') suspicious_file.exe
All the rules are compiled together and evaluated against the file. Rule names must be unique across the files, otherwise YARA reports a duplicated identifier error.
Command 7: Scanning a currently running process on a Linux system
YARA can also scan the memory of a process running on Linux. Pass the process ID in place of the file name (note that -p is not the process option: it sets the number of scanning threads):
yara rule_file.yar PID
As an example, the command below scans the memory of the process with PID 1234:
yara detect_malware.yar 1234
Scanning another process normally requires elevated privileges (root on Linux, an administrator prompt on Windows).
Command 8: Scanning a currently running process on a Windows system
The same works on Windows with the yara32 (or yara64) binary:
yara32 rule_file.yar PID
As an example, the command below scans the memory of the process with PID 5678:
yara32 detect_malware.yar 5678
Command 9: Printing the rules that did not match
The -n (--negate) flag inverts the report: YARA prints the names of the rules that did NOT match the file instead of the ones that did:
yara -n rule_file.yar suspicious_file.exe
This is useful when you want to confirm that a file is clean against a whole rule set, or to see which rules in a collection failed to fire. Namespaces are a separate feature: prefix a rule file with a name, as in yara mynamespace:rule_file.yar suspicious_file.exe, and add -e to print each matching rule together with its namespace.
Command 10: Scanning and ignoring warnings
To suppress warning messages (for example about strings that may slow down scanning), use the -w flag:
yara -w rule_file.yar suspicious_file.exe
This keeps the output clean when scanning large directories with many files.
Examples of Useful YARA Rules
Example 1: Finding a file that contains the string "malware.exe"
The first sample rule shows how to find any file that contains this string:
rule DetectMalwareExecutable
{
    strings:
        $malware = "malware.exe"
    condition:
        $malware
}
Example 2: Checking whether a file is a Windows executable (PE format)
The second sample rule checks whether a file is a Windows executable:
rule DetectPE
{
    strings:
        $mz = { 4D 5A }
        $pe = { 50 45 00 00 }
    condition:
        $mz at 0 and $pe at uint32(0x3C)
}
The rule verifies that the MZ header is present at offset 0 and that the PE signature ("PE\0\0") sits at the offset stored in the 4-byte e_lfanew field at 0x3C (60 bytes into the file). The signature is not at 0x3C itself; that field holds a pointer to it, which is why the condition reads the value with uint32(0x3C).
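Example 2 hinges on reading the 4-byte pointer at 0x3C rather than expecting the signature there. The added Python below (not from the original post or the YARA project) mirrors the condition "$mz at 0 and $pe at uint32(0x3C)" and contrasts it with a check that looks for the signature literally at 0x3C, on constructed header samples, so you can see why the literal check misses real executables and matches a decoy:

```python
import struct

MZ_MAGIC = b"MZ"          # bytes 4D 5A
PE_SIGNATURE = b"PE\0\0"  # bytes 50 45 00 00
E_LFANEW_OFFSET = 0x3C    # 4-byte field holding the file offset of the PE signature


def is_pe(data: bytes) -> bool:
    """Mirror of the rule '$mz at 0 and $pe at uint32(0x3C)'."""
    if len(data) < E_LFANEW_OFFSET + 4 or data[:2] != MZ_MAGIC:
        return False
    e_lfanew = struct.unpack_from("<I", data, E_LFANEW_OFFSET)[0]
    # Guard the read: a truncated or corrupt e_lfanew must neither raise nor match.
    if e_lfanew + len(PE_SIGNATURE) > len(data):
        return False
    return data[e_lfanew:e_lfanew + len(PE_SIGNATURE)] == PE_SIGNATURE


def literal_pe_check(data: bytes) -> bool:
    """Mirror of the condition '$pe at 0x3C', which treats the pointer field as the signature."""
    return data[:2] == MZ_MAGIC and data[E_LFANEW_OFFSET:E_LFANEW_OFFSET + 4] == PE_SIGNATURE


def make_pe_stub(e_lfanew: int = 0x80) -> bytes:
    """Constructed minimal PE-like header: MZ magic, e_lfanew pointer, and the signature it points to."""
    buf = bytearray(e_lfanew + len(PE_SIGNATURE))
    buf[:2] = MZ_MAGIC
    struct.pack_into("<I", buf, E_LFANEW_OFFSET, e_lfanew)
    buf[e_lfanew:e_lfanew + len(PE_SIGNATURE)] = PE_SIGNATURE
    return bytes(buf)


# Constructed samples (not real malware).
REAL_PE = make_pe_stub()
DOS_ONLY = MZ_MAGIC + bytes(0x3E)                 # MZ header, e_lfanew is zero, no PE signature
DECOY = MZ_MAGIC + bytes(0x3A) + PE_SIGNATURE     # "PE\0\0" literally at 0x3C, so not a valid pointer

if __name__ == "__main__":
    for name, sample in [("real PE", REAL_PE), ("DOS-only", DOS_ONLY), ("decoy", DECOY)]:
        print(f"{name:8s} corrected={is_pe(sample)} literal={literal_pe_check(sample)}")
```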
Example 3: Checking for three different strings in a file
The third sample rule flags a file that contains at least one of three strings associated with command execution and downloading (each a potential security concern):
rule DetectSuspicious
{
    strings:
        $cmd = "cmd.exe"
        $powershell = "powershell.exe"
        $download = "downloadstring"
    condition:
        $cmd or $powershell or $download
}
Text strings are case-sensitive by default, so "downloadstring" will not match the usual DownloadString spelling; add the nocase modifier ("downloadstring" nocase) to match any casing.
Example 4: Identifying files larger than 1 MB
The fourth sample rule matches any file larger than 1 MB:
rule DetectLargeFile
{
    condition:
        filesize > 1MB
}
Example 5: Finding Emotet Malware
This is a simple, clear-cut rule for locating Emotet malware:
rule Emotet
{
    meta:
        description = "Detects Emotet malware"
        author = "Security Researcher"
    strings:
        $string1 = "Emotet"
        $string2 = { 72 6F 73 74 65 72 }
    condition:
        $string1 or $string2
}
Example 6: Finding a Domain
This rule identifies any file that contains a specific malicious domain:
rule DetectMaliciousDomain
{
    strings:
        $domain = "malicious-domain.com"
    condition:
        $domain
}
Example 7: Detecting Data Encrypted Using XOR
This rule detects data that may have been XOR-encrypted with the single-byte key 0x42:
rule DetectXOR
{
    strings:
        $xor_data = { 42 42 42 42 }
    condition:
        $xor_data
}
Four consecutive 0x42 bytes are what a run of four null bytes becomes under that key, so the rule really matches XOR-encoded null padding. YARA also has a built-in xor modifier that applies the key to a plaintext string for you, e.g. $s = "cmd.exe" xor(0x42).
Example 8: Detecting JavaScript Malware
This rule detects files that contain JavaScript referencing a suspicious domain together with a call to eval():
rule JS_Malware
{
    strings:
        $eval = "eval"
        $domain = "evil.com"
    condition:
        $eval and $domain
}
Real-World Scenarios
Use Case 1: Incident Response
You are investigating a suspected breach. You have collected a number of files related to the attack and want to determine whether any of them are known malware.
How to proceed:
Build a set of YARA signatures for the malware families that target your industry, then scan every collected file against it:
yara malware-signatures.yar <path to collected files>
Use Case 2: Threat Hunting
In this scenario you are proactively searching your systems for evidence of a specific threat before an incident occurs, having learned of a new malware campaign directed at your organization.
How to proceed:
Write YARA rules that capture the known attributes of the new malware and run a recursive scan over the whole directory tree (Figure A):
yara -r threat_hunting.yar /home/
Use Case 3: Examining Malware
You are trying to identify patterns of known malware in a suspicious file you are analysing.
Follow the steps below:
Use the strings you have found in the suspicious file to create a rule, then scan the file against that rule:
yara custom_rule.yar suspicious_file.exe
Use Case 4: Memory Forensics
You are reviewing a memory image from an infected computer to locate malware that is active in memory.
Run Volatility to list the running processes, then run YARA against each process of interest (on a live system by PID; when working from a dump, scan the memory image file itself):
yara malware_signatures.yar <PID>
Tips for Effective YARA Scanning
Start simple.
Write a rule with a single string first. Test it on a known malicious file. Once it works, add more complexity.
Use meta fields.
Metadata should accompany every rule so that, when it matches, you understand what the rule looks for and why the match matters.
Validate your rules.
Before scanning an asset, test your set of rules from a collection of benign files first, to reduce false positive results.
Use multiple tools in conjunction with YARA.
YARA is highly compatible with other security solutions. For greater effectiveness, employ additional tools, including antivirus/antimalware, endpoint detections, and SIEM solutions, in conjunction with YARA.
Keep your rules updated.
New malware appears every day, so update your collection of rules frequently.
Include the -r flag for recursive directory scanning.
When performing directory scans, you can use -r to have YARA scan all subdirectories automatically.
Use the -s flag when debugging a rule.
When a rule matches unexpectedly, rerun the scan with -s to see exactly which strings matched and where they occurred.
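Example 7 above matches XOR-encoded data only through the run of 0x42 bytes that null padding becomes under that key, and the tips above say to test a rule against sample data before relying on it. The added Python below (not from the original post or the YARA project) derives the YARA hex pattern for any marker under a single-byte key, locates it in a constructed sample the way yara -s would, and recovers the key from a suspected plaintext, which is how you would build a tighter XOR rule than the one in Example 7:

```python
from typing import List, Optional


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR, the transformation Example 7's rule is aimed at."""
    return bytes(b ^ key for b in data)


def yara_hex_string(data: bytes) -> str:
    """Render bytes in YARA hex-string syntax, e.g. { 42 42 42 42 }."""
    return "{ " + " ".join(f"{b:02X}" for b in data) + " }"


def xor_pattern(marker: bytes, key: int) -> str:
    """Hex string that matches `marker` after it has been XOR-encoded with `key`."""
    return yara_hex_string(xor_bytes(marker, key))


def find_all(haystack: bytes, needle: bytes) -> List[int]:
    """Every offset at which `needle` occurs, like the offsets yara -s reports."""
    hits, pos = [], haystack.find(needle)
    while pos != -1:
        hits.append(pos)
        pos = haystack.find(needle, pos + 1)
    return hits


def recover_key(encoded: bytes, marker: bytes) -> Optional[int]:
    """Find the single-byte key under which `marker` appears in `encoded`, or None."""
    for key in range(256):
        if xor_bytes(marker, key) in encoded:
            return key
    return None


# Constructed sample: null padding, two command markers, more padding, all XOR 0x42.
PLAINTEXT = b"\x00\x00\x00\x00cmd.exe\x00\x00powershell.exe"
SAMPLE = xor_bytes(PLAINTEXT, 0x42)

if __name__ == "__main__":
    print("Example 7 pattern :", xor_pattern(b"\x00\x00\x00\x00", 0x42))
    print("cmd.exe under 0x42:", xor_pattern(b"cmd.exe", 0x42))
    print("offsets in sample :", find_all(SAMPLE, xor_bytes(b"cmd.exe", 0x42)))
    print("recovered key     :", recover_key(SAMPLE, b"powershell.exe"))
```

The pattern for the null run is exactly Example 7's { 42 42 42 42 }, while the pattern for an encoded marker is specific to that marker and far less likely to fire on unrelated data.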
Troubleshooting Common Problems
YARA does not detect anything.
Your rule may be wrong. Double-check the strings and the way the condition is written. Scan a file that is known to be malicious to verify that the rule works.
Many false positives.
Your rule is too broad. Make it more specific, for example by pinning a string to a position with the 'at' keyword or by requiring several strings together with 'and'.
Scans take a long time to complete.
Scanning hundreds of thousands of files takes far longer than a single scan; expect long runs when scanning large trees with -r. Rather than scanning an entire partition, target the parts of the directory hierarchy that matter.
Syntax error in YARA.
YARA's syntax is strict: a single missing brace '{', quotation mark '"' or colon ':' after a section keyword, or an unbalanced pair of them, prevents the rule from compiling. Use a text editor that highlights syntax so such errors are easy to spot.
More Resources
Official YARA Documentation:
1. Official Website: https://yara.readthedocs.io
2. GitHub Repository: https://github.com/VirusTotal/yara
YARA Rule Repositories:
1. Yara-Rules Community: https://github.com/Yara-Rules/rules
2. Comprehensive YARA Rules: https://github.com/sivolko/comprehensive-yara-rules
3. Cyber Threat Defense Center Rules: https://github.com/cybersecurity-dev/CyberThreatDefenseCenter-Yara-Rules
External Resources:
CISA YARA Fact Sheet: https://us-cert.cisa.gov/sites/default/files/FactSheets/NCCIC%20ICS_FactSheet_YARA_S508C.pdf
The Bottom Line
YARA is a must-have tool for any security analyst who wants to identify malware that bypasses conventional antivirus products.
You can scan single files, folders and even processes running on a machine. You can create your own rules for different types of threats. It can be used for incident response, threat hunting and for analysing malware.
Start with simple rules. Test them on known malware. Gradually build a library of rules for the threats you care about most.
Remember, YARA is a precision tool. It is not a replacement for antivirus. It is a complement that gives you capabilities your antivirus does not have.
FAQ Section
What is YARA's purpose in relation to cybersecurity?
YARA allows detection and classification of malware based on pattern matching. Security professionals use it in incident response, threat hunting and malware analysis, and to write custom detection rules for malware that antivirus products do not yet catch.
How do I create my first YARA rule?
Define a rule in the text format shown earlier in this guide, starting with a simple string match, and verify it against a known malicious file with the yara command-line tool. Once you are comfortable with the format, add more complexity to your rules.
Can YARA be used to scan the memory of currently running processes?
Yes. On both Linux and Windows, YARA can scan the memory of a running process: pass the process ID in place of the file path. This is valuable for detecting malware that has never been written to disk or that executes only from memory.
What distinguishes antivirus software from YARA?
Antivirus relies on signature databases and heuristics to identify known malicious software, whereas YARA lets you write your own pattern-matching rules for anything you want to detect. YARA does not replace antivirus; it supplements it.
Where can I download existing YARA rules?
Free rule sets are available from many places on the web, such as YARA's repository on GitHub and the repositories of independent security researchers. It is usually best to write rules tailored to your own environment rather than borrowing them unchanged, and you should always test any new rules thoroughly before deploying them in production.