malware-scan-yara

# Malware Detection with YARA

You are a security engineer performing pattern-based malware detection using YARA rules.
## When to use

Use this skill when asked to scan files for malware indicators, analyze suspicious binaries, or apply YARA rules for threat detection.

## Prerequisites

- YARA installed (`apt install yara` or `brew install yara`)
- YARA rules (community rules from https://github.com/Yara-Rules/rules)
- Verify: `yara --version`
## Instructions

- Identify the target — Determine the file(s) or directory to scan.
- Run the scan:
  - Basic scan: `yara -r <rules-file-or-dir> <target-path>`
  - Recursive directory scan: `yara -r rules/ /path/to/scan/`
  - Multiple rule files: `yara -r rule1.yar rule2.yar <target>` (rule files are positional arguments; `-r` is the recursive flag, not a per-rule option)
  - With metadata: `yara -r -m rules/ <target>`
  - With string matches: `yara -r -s rules/ <target>`
  - With tags (needed to fill the Tags column below): `yara -r -g rules/ <target>`
  - Capture full output to a file (the YARA CLI prints plain text, not JSON): `yara -r -m -s rules/ <target> 2>&1 | tee yara-results.txt`
  - Timeout per file: `yara -r -a 60 rules/ <target>` (`-a`/`--timeout` is the scan timeout in seconds; `-t` selects rules by tag)
- Parse the results — Present findings:

| # | Rule Name | File Matched | Tags | Description | Strings Matched |
|---|-----------|-------------|------|-------------|----------------|

- Summarize — Provide:
  - Total files scanned and matches found
  - Matched rule descriptions and threat categories
  - False positive assessment
  - Recommended actions (quarantine, delete, investigate further)
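Turning the CLI output into the findings table and summary above, as an added example that is not part of the skill: the sample output is constructed, and the parser assumes the line layout the YARA 4.x CLI prints with `-g -m -s` (`rule [tags] [meta] path`, followed by `0x<offset>:$id: data` lines for each string hit).

```python
import re
from collections import Counter
# Constructed sample of `yara -r -g -m -s rules/ /tmp/scan` output; not a real scan.
SAMPLE_OUTPUT = """\
Webshell_PHP_Generic [webshell,php] [description="Generic PHP webshell",author="sample"] /tmp/scan/www/upload.php
0x4a:$eval: eval(
0x6b:$post: $_POST[
Packer_UPX [packer] [description="UPX packed executable"] /tmp/scan/bin/tool.exe
0x0:$upx: UPX!
Packer_UPX [packer] [description="UPX packed executable"] /tmp/scan/bin/other.exe
0x0:$upx: UPX!
"""

# Match line: rule [tags] [meta] path (tags need -g, meta -m); hit line: 0x<off>:$id: data (-s).
MATCH_RE = re.compile(r'^(?P<rule>\w+) (?:\[(?P<tags>[^\]=]*)\] )?(?:\[(?P<meta>.*?)\] )?(?P<path>\S.*)$')
STRING_RE = re.compile(r'^0x(?P<offset>[0-9a-f]+):(?P<ident>\$\w*): ?(?P<data>.*)$')
META_RE = re.compile(r'(\w+)=("[^"]*"|[^,]+)')  # key="quoted" or key=bare, comma separated

def parse_yara_output(text):
    """Turn yara CLI text into a list of {rule, file, tags, meta, strings} records."""
    matches = []
    for line in text.splitlines():
        s = STRING_RE.match(line)
        if s and matches:  # string hits belong to the most recent match line
            matches[-1]["strings"].append((int(s["offset"], 16), s["ident"], s["data"]))
            continue
        m = MATCH_RE.match(line)
        if not m:
            continue  # stderr warnings interleaved by 2>&1 are skipped, not parsed as hits
        meta = {k: v.strip('"') for k, v in META_RE.findall(m["meta"] or "")}
        tags = [t for t in (m["tags"] or "").split(",") if t]
        matches.append({"rule": m["rule"], "file": m["path"], "tags": tags,
                        "meta": meta, "strings": []})
    return matches

def summarize(matches):
    """The counts the Summarize step asks for: files hit, rules fired, hits per rule."""
    return {"files_matched": len({m["file"] for m in matches}),
            "rules_fired": sorted({m["rule"] for m in matches}),
            "hits_per_rule": dict(Counter(m["rule"] for m in matches))}

def to_markdown_table(matches):
    rows = ["| # | Rule Name | File Matched | Tags | Description | Strings Matched |",
            "|---|-----------|-------------|------|-------------|----------------|"]
    for i, m in enumerate(matches, 1):
        hits = ", ".join(f"{ident}@0x{off:x}" for off, ident, _ in m["strings"])
        rows.append(f"| {i} | {m['rule']} | {m['file']} | {','.join(m['tags'])} | "
                    f"{m['meta'].get('description', '')} | {hits} |")
    return "\n".join(rows)
```

Feed it the `yara-results.txt` captured above (run with `-g` added so the Tags column is populated); string offsets let a reviewer jump straight to the hit when assessing false positives.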
## Common YARA Rule Categories

| Category | Description |
|---|---|
| Malware families | Known malware signatures |
| Packers | UPX, Themida, custom packers |
| Exploits | Shellcode, ROP chains |
| Webshells | PHP/ASP/JSP webshells |
| Crypto miners | Mining software indicators |
| Ransomware | Encryption/ransom indicators |
| RATs | Remote access trojans |