YARA Performance Guidelines

When creating your rules for YARA, keep in mind the following guidelines in order to get the best performance from them. This guide is based on ideas and recommendations by Victor M. Alvarez and WXS.

  • Revision 1.4, October 2020, applies to all YARA versions higher than 3.7

The Basics

To get a better grip on what can be optimized in YARA performance and where, it's useful to understand the scanning process. It is basically separated into 4 steps, which are explained here in a very simplified way using this example rule:

ruppde /
Last active May 17, 2021
keybase proof

Keybase proof

I hereby claim:

  • I am ruppde on github.
  • I am ruppde ( on keybase.
  • I have a public key ASDDo4bMf2-LVxlGHrume54I4WZQsCK8rOqi9wcxIDeGcQo

To claim this, I am signing this object: