A multithreaded many-rules to many-files YARA scanner for incident response or malware zoos
Requires YARA installed and Python 3.0-3.5 with the Yara-Python package:
pip install yara-python
Yara-Python requires the Microsoft Visual C++ Build Tools (available here, under 'Build Tools for Visual Studio 2017') and the YARA binaries (available here or here).
Alternatively, you can download an easy installer, available here, which downloads everything you need for your version of Python (only supports up to Python 3.5).
To run with default settings, just specify a folder of .yar rules and a starting point for files to scan. Both inputs are traversed recursively.
pyarascanner.py C:\Yara_Rules_Path C:\Scan_Directory
Full syntax:
pyarascanner.py [-h] [-e] [-a] [-l LOG] [-m MAXSIZE] [-c CORES] [-x EXISTING_RULES] rules_path scan_path
- -h show this help message and exit
- -e Show all errors
- -a Show alerts only
- -l LOG Output to specified log file
- -m MAXSIZE Set maximum file size (MB)
- -c CORES Number of cores to use (defaults to the number of cores on the system)
- -x EXISTING_RULES If specified, look for a .rules file in the same path as the script
- Problematic files can cause the multiprocessing to hang, since every worker needs to finish
- Only scan results are logged, not script messages (including YARA compilation output)
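The core of the scanner described above (every .yar rule under one folder, applied to every file under another, fanned out over a pool of worker processes with a maximum file size), written here as an added example rather than pyarascanner's own code. It assumes the yara-python package for the actual matching; the rule name `demo_marker`, the `DEMO-MARKER` string and the sample tree built by `make_sample_tree` are constructed for the demonstration. Each worker compiles the rules once, and a per-file error is returned instead of raised so that one unreadable file cannot stall the pool.

```python
import multiprocessing
import os
import tempfile
from pathlib import Path
_RULES = None  # per-worker compiled ruleset, set by _init_worker

def collect_rule_files(rules_path):
    """Map each .yar file found recursively to a namespace (its filename stem)."""
    return {p.stem: str(p) for p in sorted(Path(rules_path).rglob("*.yar"))}

def iter_candidate_files(scan_path, max_mb):
    """Yield regular files under scan_path no larger than max_mb megabytes."""
    for root, _dirs, names in os.walk(scan_path):
        for name in names:
            full = os.path.join(root, name)
            try:
                if os.path.getsize(full) <= max_mb * 1024 * 1024:
                    yield full
            except OSError:
                continue  # vanished or unreadable: skip rather than stall a worker

def _init_worker(rules_path):
    """Compile all rules once per worker: yara.Rules objects do not pickle."""
    global _RULES
    import yara  # yara-python; imported lazily so the helpers above work without it
    _RULES = yara.compile(filepaths=collect_rule_files(rules_path))

def _scan_one(path):
    """Return (path, matched rule names, error text). Never raises, so the pool cannot hang."""
    try:
        return path, [m.rule for m in _RULES.match(path, timeout=60)], ""
    except Exception as exc:  # yara.Error, PermissionError, AttributeError, ...
        return path, [], repr(exc)

def scan_tree(rules_path, scan_path, max_mb=100.0, cores=None):
    """Fan candidate files out to `cores` workers (default: every CPU on the system)."""
    files = list(iter_candidate_files(scan_path, max_mb))
    with multiprocessing.Pool(cores or os.cpu_count(), _init_worker, (rules_path,)) as pool:
        return pool.map(_scan_one, files, chunksize=8)

def make_sample_tree():
    """Constructed fixture: one rule, a matching file, a clean file and an oversized 2 MB file."""
    base = Path(tempfile.mkdtemp())
    (base / "rules").mkdir()
    (base / "rules" / "demo.yar").write_text('rule demo_marker { strings: $s = "DEMO-MARKER" condition: $s }')
    (base / "scan" / "sub").mkdir(parents=True)
    (base / "scan" / "hit.txt").write_text("contains DEMO-MARKER")
    (base / "scan" / "sub" / "clean.txt").write_text("nothing here")
    (base / "scan" / "big.bin").write_bytes(b"\0" * (2 * 1024 * 1024))
    return str(base / "rules"), str(base / "scan")
```

With yara-python installed, `scan_tree(*make_sample_tree(), max_mb=1.0, cores=2)` reports `hit.txt` matching `demo_marker`, `clean.txt` with no matches, and skips `big.bin` because it exceeds the size limit.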
- Yara-Python - The awesome Python implementation of awesome YARA rules