YAREX was created to optimize file-system-wide YARA scans, which take ages even on high-end machines. It is a user-friendly script that simplifies those scans with interactive prompts.
- ♻️ Automatic rules updates: Fetches the latest YARA rules from YARA Forge.
- 📁 Locations: Specify directories to scan.
- 🚫 Exclusions: Select specific file types to exclude from scans to make them more efficient.
- 🔨 Parameters: Max file size, rule set to use, compile rules
- 📊 Reporting: Generates a CSV report with the findings (Rule name / File Path / SHA256 hash).
- 🔍 Extracting: Extracts the suspected files.
All of those features are customizable and/or optional. You can pass the `--extract` argument on the command line to automatically extract the suspected files at the end of the scan without prompting the user.
With Homebrew (macOS):

```sh
brew install coreutils
brew install yara
```

With apt (Debian/Ubuntu):

```sh
sudo apt-get update
sudo apt-get install yara
```

Then clone the repository and make the script executable:

```sh
git clone https://github.com/hbourget/yarex.git
cd yarex
chmod +x yarex.sh
```

On Windows, start PowerShell as administrator, then:

```powershell
git clone https://github.com/hbourget/yarex.git
cd yarex
```
The YARA binary is already included in the project, under the `/bin` directory. Refer to the YARA GitHub repository for more installation instructions.
| Scan Type | Recommended File Size Limit |
|---|---|
| Fast scanning (low impact) | 10MB – 50MB |
| Balanced performance & quality | 100MB – 250MB |
| Thorough scanning (higher resource usage) | 500MB – 1GB |
| Deep scan (will be very long) | No limit (not recommended) |
You have to enter those values in bytes, using binary units (1 MB = 1024 × 1024 = 1,048,576 bytes, so 100MB = 104,857,600 bytes)! A converter: https://www.gbmb.org/mb-to-bytes
| Need | Rule set | Description |
|---|---|---|
| Fast scan (Low system impact) | Core | Covers essential malware families and threats with minimal overhead. Best for routine monitoring and endpoint scans. |
| Balanced scan (More coverage, reasonable performance) | Extended | Includes everything from Core + additional signatures for wider threat detection. |
| Deep scan (High resource use, exhaustive search) | Full | Covers all known threats, including rare and advanced malware. Suited for forensic investigations. |
Exclusions are managed via `.inm` files located in the `./inames` directory. Their purpose is to remove from the scan those file types that can cause bottlenecks:
- 📦 Archives (archives.inm): .zip, .rar, .tar, .gz, .7z, .bz2, .xz, .cab, .tgz
- 🎵 Audios (audio.inm): .mp3, .wav, .aac, .flac, .ogg, .wma, .m4a, .alac, .opus, .amr
- 🖥️ Virtual machines (vm.inm): .ova, .ovf, .vhd, .vhdx, .vmdk, .vdi, .qcow2, .raw, .img
- 🗄️ Databases (databases.inm): .sql, .db, .sqlite, .sqlite3, .accdb
- 🖼️ Image Files (images.inm): .jpg, .jpeg, .png, .gif, .bmp, .tiff, .webp, .svg, .heic, .ico
- 🎥 Video Files (video.inm): .mp4, .mkv, .avi, .mov, .wmv, .flv, .webm, .m4v, .3gp, .mpeg, .mpg
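The following script is an added example and not YAREX's own code: it shows how the three knobs described above (a size limit given in binary megabytes, exclusion lists read from `.inm` files, and a CSV report of Rule name / File Path / SHA256) fit together in a shell scanner. It assumes, without confirmation from the project, that an `.inm` file lists one extension per line and that `#` starts a comment; every function name is hypothetical, the sample tree it builds is constructed test data, and only `run_scan` needs the `yara` CLI installed.

```bash
#!/usr/bin/env bash
# Added example, not YAREX's own code. Assumed (not from the project): an .inm
# file lists one extension per line (".zip"), '#' starts a comment, and all
# function names below are hypothetical.

# Convert a limit given in binary megabytes (MiB) to bytes: 100 -> 104857600.
mb_to_bytes() {
  echo $(( $1 * 1024 * 1024 ))
}

# Print every extension listed in the .inm files of a directory, one per line,
# de-duplicated, with comments and whitespace stripped.
inm_extensions() {
  cat "$1"/*.inm 2>/dev/null | sed -e 's/#.*//' -e 's/[[:space:]]//g' | grep -v '^$' | sort -u
}

# List the regular files under $1 that are worth scanning: not larger than
# $3 bytes and not carrying an excluded extension from the .inm directory $2.
# The extension match is case-insensitive, so "bundle.ZIP" is excluded by ".zip".
candidate_files() {
  local root="$1" inm_dir="$2" max_bytes="$3" pat
  pat=$(inm_extensions "$inm_dir" | sed 's/^\.//' | paste -s -d '|' -)
  if [ -n "$pat" ]; then
    find "$root" -type f -size -"$((max_bytes + 1))"c | grep -viE "\.(${pat})\$" | sort
  else
    find "$root" -type f -size -"$((max_bytes + 1))"c | sort
  fi
}

# SHA-256 of one file: sha256sum on Linux, shasum on macOS.
sha256_of() {
  { command -v sha256sum >/dev/null 2>&1 && sha256sum "$1" || shasum -a 256 "$1"; } | awk '{print $1}'
}

# Run yara over the candidate files and append one CSV row per matching rule.
# Requires the yara CLI; $4 is a rules file (source or compiled), $5 the report.
run_scan() {
  local root="$1" inm_dir="$2" max_mb="$3" rules="$4" report="$5" f rule path
  printf 'Rule name,File Path,SHA256\n' > "$report"
  candidate_files "$root" "$inm_dir" "$(mb_to_bytes "$max_mb")" | while IFS= read -r f; do
    # yara prints "<rule> <path>" for every match; -w silences rule warnings
    yara -w "$rules" "$f" 2>/dev/null | while read -r rule path; do
      printf '"%s","%s","%s"\n' "$rule" "$path" "$(sha256_of "$path")"
    done
  done >> "$report"
}

# Constructed sample tree (not real data) so the filters can be tried offline:
# two .inm files, a small text file, an archive with an upper-case extension and
# a 3 MiB blob. Prints the temporary root directory.
make_sample_tree() {
  local root
  root=$(mktemp -d)
  mkdir -p "$root/inames" "$root/data"
  printf '.zip\n.rar\n' > "$root/inames/archives.inm"
  printf '# audio\n.mp3\n' > "$root/inames/audio.inm"
  printf 'hello\n' > "$root/data/notes.txt"
  printf 'PK\003\004' > "$root/data/bundle.ZIP"
  dd if=/dev/zero of="$root/data/blob.bin" bs=1048576 count=3 2>/dev/null
  echo "$root"
}

# Stand-alone demo on the constructed tree: with a 2 MB limit only notes.txt
# survives both the size filter and the .inm exclusions.
demo_root=$(make_sample_tree)
candidate_files "$demo_root/data" "$demo_root/inames" "$(mb_to_bytes 2)"
rm -rf "$demo_root"
```

A real run would be `run_scan /home ./inames 100 rules.yar report.csv`, which scans files up to 104,857,600 bytes; fields in the report are double-quoted so paths containing commas stay in one column.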
Run the YAREX script with privileges:

```sh
sudo ./yarex.sh
```

On Windows, run PowerShell as administrator and temporarily bypass the PowerShell execution policy restrictions (note that without a `-Scope` argument this changes the policy for the whole machine rather than just the current session):

```powershell
Set-ExecutionPolicy Unrestricted
./yarex.ps1
```
The script is interactive and will prompt you with options.
This project is licensed under the MIT License.