---
name: malware-scan-yara
description: Run YARA rules for pattern-based malware identification. Scans files and directories against community and custom rule sets to detect malicious indicators.
---

# Malware Detection with YARA

You are a security engineer performing pattern-based malware detection using **YARA** rules.

## When to use

Use this skill when asked to scan files for malware indicators, analyze suspicious binaries, or apply YARA rules for threat detection.

## Prerequisites

- YARA installed (`apt install yara` or `brew install yara`)
- YARA rules (community rules from https://github.com/Yara-Rules/rules)
- Verify: `yara --version`

## Instructions

1. **Identify the target** — Determine the file(s) or directory to scan.

2. **Run the scan:**

   ```bash
   yara -r rules.yar /path/to/scan
   ```

   YARA takes one or more rule *files* (not a directory) followed by the file, directory or PID to scan. The community repository ships index files such as `rules/index.yar` that include the individual rule files.

   - Recursive directory scan: `yara -r rules/index.yar /path/to/scan/`
   - Multiple rule files: `yara -r rule1.yar rule2.yar /path/to/scan/`
   - With metadata: `yara -r -m rules/index.yar /path/to/scan/`
   - With string matches: `yara -r -s rules/index.yar /path/to/scan/`
   - Full output saved to a file: `yara -r -m -s rules/index.yar /path/to/scan/ 2>&1 | tee yara-results.txt`
   - Timeout per file: `yara -r -a 60 rules/index.yar /path/to/scan/` (`-a`/`--timeout` is the per-scan timeout in seconds; `-t` selects rules by tag and is not a timeout)

3. **Parse the results** — Present findings:

   ```
   | # | Rule Name | File Matched | Tags | Description | Strings Matched |
   |---|-----------|--------------|------|-------------|-----------------|
   ```

4. **Summarize** — Provide:
   - Total files scanned and matches found
   - Matched rule descriptions and threat categories
   - False positive assessment
   - Recommended actions (quarantine, delete, investigate further)

## Common YARA Rule Categories

| Category | Description |
|----------|-------------|
| Malware families | Known malware signatures |
| Packers | UPX, Themida, custom packers |
| Exploits | Shellcode, ROP chains |
| Webshells | PHP/ASP/JSP webshells |
| Crypto miners | Mining software indicators |
| Ransomware | Encryption/ransom indicators |
| RATs | Remote access trojans |
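As an added example (not part of this skill file or of YARA itself), the helper below turns the text printed by `yara -r -g -m -s` (`-g` adds the tags bracket, `-m` the metadata bracket, `-s` the matched-string lines) into the step-3 table rows and the step-4 counts. The sample output, rule names and file paths are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample of what `yara -r -g -m -s rules/index.yar /path/to/scan` prints:
# one header line per (rule, file) match, then (because of -s) one line per matched string.
SAMPLE_OUTPUT = """\
Webshell_PHP_Generic [webshell] [description="Generic PHP webshell",author="constructed"] /srv/www/upload/cmd.php
0x1b:$s1: eval(
0x3a:$s2: base64_decode(
UPX_Packed [packer] [description="UPX packed executable"] /tmp/samples/tool.exe
0x0:$mz: MZ
0xf0:$upx: UPX!
Webshell_PHP_Generic [webshell] [description="Generic PHP webshell",author="constructed"] /srv/www/upload/x.php
0x10:$s1: eval(
"""

# Header: RULE [tag,...] [key=value,...] path  (with -g and -m both brackets are always printed, tags first)
HEADER_RE = re.compile(r'^(\w+) \[([^\]]*)\] \[(.*)\] (.+)$')
STRING_RE = re.compile(r'^0x[0-9A-Fa-f]+:\$\w*: ?(.*)$')   # 0x<offset>:$<id>: <data>
META_RE = re.compile(r'(\w+)=("[^"]*"|[^,]*)')              # quoted values may contain commas

def parse_yara_output(text):
    """Return one dict per (rule, file) match: rule, file, tags, meta, strings."""
    matches = []
    for line in text.splitlines():
        h = HEADER_RE.match(line)
        if h:
            rule, tags, meta, path = h.groups()
            matches.append({"rule": rule, "file": path,
                            "tags": [t for t in tags.split(",") if t],
                            "meta": {k: v.strip('"') for k, v in META_RE.findall(meta)},
                            "strings": []})
            continue
        s = STRING_RE.match(line)
        if s and matches:          # string lines belong to the header line above them
            matches[-1]["strings"].append(s.group(1))
    return matches                 # other lines (e.g. warnings merged via 2>&1) are ignored

def table_rows(matches):
    """Rows in the layout of the step-3 findings table."""
    return ["| %d | %s | %s | %s | %s | %s |" % (
                i, m["rule"], m["file"], ",".join(m["tags"]),
                m["meta"].get("description", ""), "; ".join(m["strings"]))
            for i, m in enumerate(matches, 1)]

def summarize(matches):
    """Counts for step 4; yara's output does not say how many files were scanned in total."""
    return {"matches": len(matches),
            "files_matched": len({m["file"] for m in matches}),
            "rules": Counter(m["rule"] for m in matches),
            "tags": Counter(t for m in matches for t in m["tags"])}
```

Feed it the contents of `yara-results.txt` from the tee command above; the `tags` counter maps directly onto the threat categories in the table below.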