# Install yara with Homebrew, apk, chocolatey, apt, dnf, MacPorts, Nix, pacman, scoop, winget, zypper

Malware identification and classification tool. Version 4.5.5 via Homebrew; verified 2026-06-15.

## Install

```sh
sudo av install brew:yara
```

Additional install commands:

### macOS

- Homebrew (100%):

```sh
brew install yara
```

  Evidence: local Homebrew formula metadata

- MacPorts (94%):

```sh
sudo port install yara
```

  Evidence: MacPorts ports tree: security/yara/Portfile from https://api.github.com/repos/macports/macports-ports/git/trees/master?recursive=1

### Linux

- apk (92%):

```sh
sudo apk add yara
```

  Evidence: Alpine Linux edge package indexes: yara from https://dl-cdn.alpinelinux.org/alpine/edge/community/x86_64/APKINDEX.tar.gz

- Debian apt (92%):

```sh
sudo apt install libyara-dev
```

  Evidence: Debian stable package indexes: libyara-dev from https://deb.debian.org/debian/dists/stable/main/binary-amd64/Packages.xz

- dnf (92%):

```sh
sudo dnf install yara
```

  Evidence: Fedora Rawhide package metadata: yara from https://dl.fedoraproject.org/pub/fedora/linux/development/rawhide/Everything/x86_64/os/repodata/e5ca8ce900cd68f5419e1c39ae517343100b306336cbaeb70a3c153121d95094-primary.xml.zst

- Nix (92%):

```sh
nix profile install nixpkgs#yara
```

  Evidence: nixpkgs package indexes: pkgs/by-name/ya/yara/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1

- pacman (92%):

```sh
sudo pacman -S yara
```

  Evidence: Arch Linux sync databases: yara from https://geo.mirror.pkgbuild.com/extra/os/x86_64/extra.db.tar.gz

- zypper (92%):

```sh
sudo zypper install libyara-devel
```

  Evidence: openSUSE Tumbleweed package metadata: libyara-devel from https://download.opensuse.org/tumbleweed/repo/oss/repodata/be8d3611d25469107f32075a1697e69ec57a2b850b42348a658cc671ad5ec2b50760d02c3e59524d50da9a11d5be799bdaffba2e166e8ca8858512e3c0bd665d-primary.xml.zst

### Windows

- Chocolatey (92%):

```sh
choco install yara
```

  Evidence: Chocolatey community package catalog: yara from http://community.chocolatey.org/api/v2/Packages?$filter=IsLatestVersion&$select=Id&$top=1000&$skiptoken='11','wiztree'

- Scoop (92%):

```sh
scoop install main/yara
```

  Evidence: Scoop official bucket manifest trees: bucket/yara.json from https://api.github.com/repos/ScoopInstaller/Main/git/trees/master?recursive=1

- winget (92%):

```sh
winget install --id VirusTotal.YARA -e
```

  Evidence: Windows Package Manager source index: VirusTotal.YARA from https://cdn.winget.microsoft.com/cache/source.msix

## Package facts

- **Package key:** brew:yara
- **Package manager:** Homebrew
- **Package manager page:** <https://formulae.brew.sh/formula/yara>
- **Version:** 4.5.5
- **Source summary:** Malware identification and classification tool
- **Homepage:** <https://virustotal.github.io/yara/>
- **Repository:** <https://github.com/VirusTotal/yara>
- **Upstream docs:** <https://yara.readthedocs.io/en/stable>
- **License:** BSD-3-Clause
- **Source archive:** <https://github.com/VirusTotal/yara/archive/refs/tags/v4.5.5.tar.gz>
- **Last updated:** 2026-06-15T10:21:24-04:00
- **Generated:** 2026-07-08T18:08:21+00:00

## Executables

- yara (cli)
- yarac (cli)
- yara (alias)
- yarac (alias)

## Dependencies

- jansson
- libmagic
- openssl@3
- protobuf-c

## Build dependencies

- autoconf
- automake
- libtool
- pkgconf

## Install behavior

- Post-install hook: not defined
- Bottle: available on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux

## Freshness

- Page generated: 2026-07-08
- Package-manager version: 4.5.5
- Package-manager updated: 2026-06-15
- Local data: ok
- Upstream repository: https://github.com/VirusTotal/yara
- Upstream latest detected: v4.5.5 (current)
## Project history and usage

YARA is VirusTotal's rule-based pattern-matching tool for malware researchers and incident responders. It lets analysts describe malware families, file traits, or other detectable artifacts with strings, byte patterns, regular expressions, metadata, and boolean conditions, then scan files, directories, or process memory.

### Project history

YARA's manual page dates the `yara` command to 2008-09-22 and names Victor M. Alvarez as author. The current VirusTotal GitHub repository was created on 2012-12-06, and the first GitHub release returned by the API is YARA v2.0.0 in August 2014.

The project became the pattern-matching 'Swiss knife' for malware researchers by keeping a compact rule language while adding modules, compiled rules, Python bindings, and multi-platform support. The README and official docs describe use from the command line and from Python scripts through yara-python.

In the mid-2020s, YARA's history shifted from active feature growth to maintenance. The README now points to the YARA-X stability announcement and marks the classic YARA project as maintenance mode, with new feature work moving to the Rust rewrite.

### Adoption history

YARA's adoption is unusually broad for a command-line security tool. The upstream README maintains a long 'Who's using YARA' list that includes antivirus vendors, incident-response products, sandboxes, intelligence platforms, reverse-engineering tools, and VirusTotal itself.

Its practical appeal is portability of detection logic. A YARA rule can move from a researcher's laptop to a malware sandbox, a retrohunt service, an endpoint product, or a CI check for detection rules. That made it a common exchange format for malware-family knowledge, not just a local scanner.

### How it is used

Users write one or more rule files, compile them with `yarac` when useful, and run `yara` against files, directories, or PIDs. Options support namespaces, external variables, module data, metadata printing, string-match output, fast scans, warnings control, and scanning process memory in chunks.

In security operations, YARA is used for malware triage, hunting known families and variants, validating rule collections, retroactive corpus searches, sandbox classification, and embedding detection logic into larger analysis systems through libyara or yara-python.

### Why package nerds care

YARA is one of the canonical examples of a domain-specific language packaged as a Unix tool. The package matters because it ships not just an executable, but a rule language, compiler, C library, Python ecosystem, and compatibility target for thousands of shared security rules.

The YARA-to-YARA-X transition is also important packaging history: a widely deployed security utility entered maintenance mode while its official successor was distributed beside it, letting package managers carry both the stable incumbent and the future implementation.

### Timeline

- 2008-09-22: YARA manual page date identifies the command and Victor M. Alvarez as author.
- 2012-12-06: VirusTotal/yara repository is created on GitHub.
- 2014-08-26: YARA v2.0.0 appears as the earliest GitHub release returned by the releases API.
- 2024-02-21: VirusTotal announces future feature work will focus on YARA-X while YARA continues maintenance.
- 2025-06-04: YARA-X 1.0.0 announcement states original YARA enters maintenance mode.
- 2025-10-30: YARA v4.5.5 is published as a maintenance release.

### Related projects

- YARA-X is the official Rust rewrite and future development focus.
- yara-python exposes YARA scanning and compilation features to Python programs.
- YARA-CI, awesome-yara, and rule repositories such as Elastic protections-artifacts are part of the wider YARA rule ecosystem.

### Sources

- <https://api.github.com/repos/VirusTotal/yara>
- <https://api.github.com/repos/VirusTotal/yara/releases?per_page=100>
- <https://github.com/VirusTotal/yara>
- <https://raw.githubusercontent.com/VirusTotal/yara/master/README.md>
- <https://raw.githubusercontent.com/VirusTotal/yara/master/yara.man>
- <https://virustotal.github.io/yara-x/blog/yara-is-dead-long-live-yara-x/>
- <https://virustotal.github.io/yara-x/blog/yara-x-is-stable/>
- <https://yara.readthedocs.io/en/stable/>


## Security Notes

narrow executable package without higher-risk signals.

- **Geiger risk:** green / low
- narrow executable package without higher-risk signals

## Source Database Details

- **Source Database:** Homebrew formula API
- **Tap:** homebrew/core
- **Full Name:** yara
- **Version Scheme:** 0
- **Revision:** 0
- **Head Version:** HEAD
- **Bottle Stable Root URL:** <https://ghcr.io/v2/homebrew/core>
- **Deprecated:** no
- **Disabled:** no
- **Keg Only:** no
- **URL Keys:** head, stable

## Other Package-Manager Records

- Debian apt - libyara-dev - 4.5.2-1: normalized package name match | Debian stable package indexes: libyara-dev from https://deb.debian.org/debian/dists/stable/main/binary-amd64/Packages.xz | YARA development libraries and headers | https://virustotal.github.io/yara/
- Debian apt - libyara10 - 4.5.2-1: normalized package name match | Debian stable package indexes: libyara10 from https://deb.debian.org/debian/dists/stable/main/binary-amd64/Packages.xz | YARA shared library | https://virustotal.github.io/yara/
- Debian apt - yara - 4.5.2-1: normalized package name match | Debian stable package indexes: yara from https://deb.debian.org/debian/dists/stable/main/binary-amd64/Packages.xz | Pattern matching swiss knife for malware researchers | https://virustotal.github.io/yara/
- Debian apt - yara-doc - 4.5.2-1: normalized package name match | Debian stable package indexes: yara-doc from https://deb.debian.org/debian/dists/stable/main/binary-amd64/Packages.xz | HTML documentation for YARA | https://virustotal.github.io/yara/
- Nix - yara: normalized package name match | nixpkgs package indexes: pkgs/by-name/ya/yara/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1
- Ubuntu apt - libyara-dev - 4.5.0-1build2: normalized package name match | Ubuntu 24.04 LTS package indexes: libyara-dev from https://archive.ubuntu.com/ubuntu/dists/noble/universe/binary-amd64/Packages.gz | YARA development libraries and headers | https://virustotal.github.io/yara/
- Ubuntu apt - libyara10 - 4.5.0-1build2: normalized package name match | Ubuntu 24.04 LTS package indexes: libyara10 from https://archive.ubuntu.com/ubuntu/dists/noble/universe/binary-amd64/Packages.gz | YARA shared library | https://virustotal.github.io/yara/
- Ubuntu apt - yara - 4.5.0-1build2: normalized package name match | Ubuntu 24.04 LTS package indexes: yara from https://archive.ubuntu.com/ubuntu/dists/noble/universe/binary-amd64/Packages.gz | Pattern matching swiss knife for malware researchers | https://virustotal.github.io/yara/
- Ubuntu apt - yara-doc - 4.5.0-1build2: normalized package name match | Ubuntu 24.04 LTS package indexes: yara-doc from https://archive.ubuntu.com/ubuntu/dists/noble/universe/binary-amd64/Packages.gz | HTML documentation for YARA | https://virustotal.github.io/yara/
- apk - yara - 4.5.7-r0: normalized package name match | Alpine Linux edge package indexes: yara from https://dl-cdn.alpinelinux.org/alpine/edge/community/x86_64/APKINDEX.tar.gz | Pattern matching swiss knife for malware researchers | https://virustotal.github.io/yara/
- apk - yara-dev - 4.5.7-r0: normalized package name match | Alpine Linux edge package indexes: yara-dev from https://dl-cdn.alpinelinux.org/alpine/edge/community/x86_64/APKINDEX.tar.gz | Pattern matching swiss knife for malware researchers (development files) | https://virustotal.github.io/yara/
- apk - yara-doc - 4.5.7-r0: normalized package name match | Alpine Linux edge package indexes: yara-doc from https://dl-cdn.alpinelinux.org/alpine/edge/community/x86_64/APKINDEX.tar.gz | Pattern matching swiss knife for malware researchers (documentation) | https://virustotal.github.io/yara/
- dnf - yara - 4.5.7-1.fc45: normalized package name match | Fedora Rawhide package metadata: yara from https://dl.fedoraproject.org/pub/fedora/linux/development/rawhide/Everything/x86_64/os/repodata/e5ca8ce900cd68f5419e1c39ae517343100b306336cbaeb70a3c153121d95094-primary.xml.zst | Pattern matching Swiss knife for malware researchers | https://VirusTotal.github.io/yara/
- dnf - yara-devel - 4.5.7-1.fc45: normalized package name match | Fedora Rawhide package metadata: yara-devel from https://dl.fedoraproject.org/pub/fedora/linux/development/rawhide/Everything/x86_64/os/repodata/e5ca8ce900cd68f5419e1c39ae517343100b306336cbaeb70a3c153121d95094-primary.xml.zst | Development files for yara | https://VirusTotal.github.io/yara/
- dnf - yara-doc - 4.5.7-1.fc45: normalized package name match | Fedora Rawhide package metadata: yara-doc from https://dl.fedoraproject.org/pub/fedora/linux/development/rawhide/Everything/x86_64/os/repodata/e5ca8ce900cd68f5419e1c39ae517343100b306336cbaeb70a3c153121d95094-primary.xml.zst | Documentation for yara | https://VirusTotal.github.io/yara/
- pacman - yara - 4.5.6-1: normalized package name match | Arch Linux sync databases: yara from https://geo.mirror.pkgbuild.com/extra/os/x86_64/extra.db.tar.gz | Tool aimed at helping malware researchers to identify and classify malware samples | https://github.com/VirusTotal/yara


## Related links

- [Source-control packages](https://www.automicvault.com/pkg/source-control-tools/) - Belongs to a source-control command family.
- [Terminal utility packages](https://www.automicvault.com/pkg/terminal-utilities/) - Matched terminal and command-line workflow metadata.
- [Networking and protocol packages](https://www.automicvault.com/pkg/networking-protocol-tools/) - Matched network, protocol, or remote-service metadata.
- [Security and crypto packages](https://www.automicvault.com/pkg/security-crypto-tools/) - Matched security, identity, cryptography, password, signing, or certificate metadata.
- [openssl@3](https://www.automicvault.com/pkg/brew/openssl-3/) - Runtime dependency declared by Homebrew.
- [protobuf-c](https://www.automicvault.com/pkg/brew/protobuf-c/) - Runtime dependency declared by Homebrew.
- [autoconf](https://www.automicvault.com/pkg/brew/autoconf/) - Build dependency declared by Homebrew.
- [automake](https://www.automicvault.com/pkg/brew/automake/) - Build dependency declared by Homebrew.
- [libtool](https://www.automicvault.com/pkg/brew/libtool/) - Build dependency declared by Homebrew.
- [pkgconf](https://www.automicvault.com/pkg/brew/pkgconf/) - Build dependency declared by Homebrew.
- [clamav](https://www.automicvault.com/pkg/brew/clamav/) - Popular package that depends on this formula.
- [yara-x](https://www.automicvault.com/pkg/brew/yara-x/) - Shares av.db curated category or tags: cli, malware, malware-analysis, pattern-matching, rules.
- [virustotal-cli](https://www.automicvault.com/pkg/brew/virustotal-cli/) - Shares av.db curated category or tags: cli, malware-analysis, security.
- [malcontent](https://www.automicvault.com/pkg/brew/malcontent/) - Shares av.db curated category or tags: cli, malware-analysis, security.
- [pulledpork](https://www.automicvault.com/pkg/brew/pulledpork/) - Shares av.db curated category or tags: cli, rules, security.
- [aide](https://www.automicvault.com/pkg/brew/aide/) - Shares av.db curated category or tags: cli, security.
- [aircrack-ng](https://www.automicvault.com/pkg/brew/aircrack-ng/) - Shares av.db curated category or tags: cli, security.
- [amass](https://www.automicvault.com/pkg/brew/amass/) - Shares av.db curated category or tags: cli, security.
- [anubis](https://www.automicvault.com/pkg/brew/anubis/) - Shares av.db curated category or tags: cli, security.

## Combined YAML source

View the package source record on GitHub. [combined/yara.yml](https://github.com/automic-vault/db/blob/main/combined/yara.yml)


## Sources

- Nucleus package database
- Geiger risk classifier
- package-page enrichment
- curated package history
- package version freshness
- av.db category and tag curation
- package relationship graph
- external package-manager database matches
- cross-ecosystem install command graph
