macOS
brew install yaralocal Homebrew formula metadata
sudo port install yaraMacPorts ports tree · security/yara/Portfile · source: api.github.com
brew
Malware identification and classification tool. Version 4.5.5 via Homebrew; verified 2026-06-15.
install
brew install yaralocal Homebrew formula metadata
sudo port install yaraMacPorts ports tree · security/yara/Portfile · source: api.github.com
sudo apk add yaraAlpine Linux edge package indexes · yara · source: dl-cdn.alpinelinux.org
sudo apt install libyara-devDebian stable package indexes · libyara-dev · source: deb.debian.org
sudo dnf install yaraFedora Rawhide package metadata · yara · source: dl.fedoraproject.org
nix profile install nixpkgs#yaranixpkgs package indexes · pkgs/by-name/ya/yara/package.nix · source: api.github.com
sudo pacman -S yaraArch Linux sync databases · yara · source: geo.mirror.pkgbuild.com
sudo zypper install libyara-developenSUSE Tumbleweed package metadata · libyara-devel · source: download.opensuse.org
choco install yaraChocolatey community package catalog · yara · source: community.chocolatey.org
scoop install main/yaraScoop official bucket manifest trees · bucket/yara.json · source: api.github.com
winget install --id VirusTotal.YARA -eWindows Package Manager source index · VirusTotal.YARA · source: cdn.winget.microsoft.com
overview
Malware identification and classification tool
history
YARA is VirusTotal's rule-based pattern-matching tool for malware researchers and incident responders. It lets analysts describe malware families, file traits, or other detectable artifacts with strings, byte patterns, regular expressions, metadata, and boolean conditions, then scan files, directories, or process memory.
YARA's manual page dates the `yara` command to 2008-09-22 and names Victor M. Alvarez as author. The current VirusTotal GitHub repository was created on 2012-12-06, and the first GitHub release returned by the API is YARA v2.0.0 in August 2014.
The project became the pattern-matching 'Swiss knife' for malware researchers by keeping a compact rule language while adding modules, compiled rules, Python bindings, and multi-platform support. The README and official docs describe use from the command line and from Python scripts through yara-python.
In the mid-2020s, YARA's history shifted from active feature growth to maintenance. The README now points to the YARA-X stability announcement and marks the classic YARA project as maintenance mode, with new feature work moving to the Rust rewrite.
YARA's adoption is unusually broad for a command-line security tool. The upstream README maintains a long 'Who's using YARA' list that includes antivirus vendors, incident-response products, sandboxes, intelligence platforms, reverse-engineering tools, and VirusTotal itself.
Its practical appeal is portability of detection logic. A YARA rule can move from a researcher's laptop to a malware sandbox, a retrohunt service, an endpoint product, or a CI check for detection rules. That made it a common exchange format for malware-family knowledge, not just a local scanner.
Users write one or more rule files, compile them with `yarac` when useful, and run `yara` against files, directories, or PIDs. Options support namespaces, external variables, module data, metadata printing, string-match output, fast scans, warnings control, and scanning process memory in chunks.
In security operations, YARA is used for malware triage, hunting known families and variants, validating rule collections, retroactive corpus searches, sandbox classification, and embedding detection logic into larger analysis systems through libyara or yara-python.
YARA is one of the canonical examples of a domain-specific language packaged as a Unix tool. The package matters because it ships not just an executable, but a rule language, compiler, C library, Python ecosystem, and compatibility target for thousands of shared security rules.
The YARA-to-YARA-X transition is also important packaging history: a widely deployed security utility entered maintenance mode while its official successor was distributed beside it, letting package managers carry both the stable incumbent and the future implementation.
security posture
narrow executable package without higher-risk signals.
green risk · low confidence · appliance
Before unattended agent use, check whether the tool reads plaintext credentials, writes remote state, publishes artifacts, or shells out to plugins.
executables
| Command | Kind | Exposure | Note |
|---|---|---|---|
yara | cli | global executable | |
yarac | cli | global executable |
freshness
These signals separate page generation age, package-manager activity, and upstream release comparison. Version lag is warned only when an evidence URL and comparable versions are present.
https://github.com/VirusTotal/yara
install metadata
| Package key | brew:yara |
|---|---|
| Version | 4.5.5 |
| Package manager | Homebrew |
| Package manager page | https://formulae.brew.sh/formula/yara |
| Homepage | https://virustotal.github.io/yara/ |
| Repository | https://github.com/VirusTotal/yara |
| Upstream docs | https://yara.readthedocs.io/en/stable |
| License | BSD-3-Clause |
| Source archive | https://github.com/VirusTotal/yara/archive/refs/tags/v4.5.5.tar.gz |
| Last updated | 2026-06-15T10:21:24-04:00 |
| Pulse | updated |
| Dependencies | jansson, libmagic, openssl@3, protobuf-c |
| Build dependencies | autoconf, automake, libtool, pkgconf |
| Bottle | available (on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux) |
| Homebrew post-install | not defined |
| Service | none declared |
registry facts
| Source Database | Homebrew formula API |
|---|---|
| Tap | homebrew/core |
| Full Name | yara |
| Version Scheme | 0 |
| Revision | 0 |
| Head Version | HEAD |
| Bottle Stable Root URL | https://ghcr.io/v2/homebrew/core |
| Deprecated | no |
| Disabled | no |
| Keg Only | no |
| URL Keys |
|
source database matches
Matches are pulled from external package-manager indexes and kept separate from local Automic Vault package links.
libyara-dev 4.5.2-1
YARA development libraries and headers
https://virustotal.github.io/yara/
sudo apt install libyara-devlibyara10 4.5.2-1
YARA shared library
https://virustotal.github.io/yara/
sudo apt install libyara10yara 4.5.2-1
Pattern matching swiss knife for malware researchers
https://virustotal.github.io/yara/
sudo apt install yarayara-doc 4.5.2-1
HTML documentation for YARA
https://virustotal.github.io/yara/
sudo apt install yara-docyara
nix profile install nixpkgs#yaralibyara-dev 4.5.0-1build2
YARA development libraries and headers
https://virustotal.github.io/yara/
sudo apt install libyara-devlibyara10 4.5.0-1build2
YARA shared library
https://virustotal.github.io/yara/
sudo apt install libyara10yara 4.5.0-1build2
Pattern matching swiss knife for malware researchers
https://virustotal.github.io/yara/
sudo apt install yarayara-doc 4.5.0-1build2
HTML documentation for YARA
https://virustotal.github.io/yara/
sudo apt install yara-docyara 4.5.7-r0
Pattern matching swiss knife for malware researchers
https://virustotal.github.io/yara/
sudo apk add yarayara-dev 4.5.7-r0
Pattern matching swiss knife for malware researchers (development files)
https://virustotal.github.io/yara/
sudo apk add yara-devyara-doc 4.5.7-r0
Pattern matching swiss knife for malware researchers (documentation)
https://virustotal.github.io/yara/
sudo apk add yara-docyara 4.5.7-1.fc45
Pattern matching Swiss knife for malware researchers
https://VirusTotal.github.io/yara/
sudo dnf install yarayara-devel 4.5.7-1.fc45
Development files for yara
https://VirusTotal.github.io/yara/
sudo dnf install yara-develyara-doc 4.5.7-1.fc45
Documentation for yara
https://VirusTotal.github.io/yara/
sudo dnf install yara-docyara 4.5.6-1
Tool aimed at helping malware researchers to identify and classify malware samples
https://github.com/VirusTotal/yara
sudo pacman -S yarasource trail
This page is generated by av-web from the private package SQLite artifact built by scripts/generate-pkg-sqlite.py.
View the package source record on GitHub.