in unix system
anyone who has switch to CLion?
X64
any changes?
try with the latest version and let me know if it works fine for you
Hi guys. I'm watching to yara executable and see --fast-scan flag. I watched sources and found SCAN_FLAGS_FAST_MODE flag. As I see - this flag is just a performance improvement - yara wont create linked_list where no need to store all offsets. I mean - as I see there is obvious performance improvement with fully saved semantic. So why this flag isnt turned on by default? If I turn on this flag in my project where I'm using yara library - will I get some detects disappeared or any another disadvantages?
@HostageBrain the flag is not turned on by default because it prevents you from getting information about the offsets within the file where the strings where found. That information was offered since the first version, and the flag was added later on, so it's disabled by default for backward compatibility.
@mfhorka do you mean where in the code? https://github.com/VirusTotal/yara/blob/master/libyara/include/yara/arena.h#L50
:fire:
Hi @caili1981 , no that I know. At some point I've thought about implementing a stream scanning API in YARA, but because of the way YARA works it's not trivial. YARA was designed with blocks of data in mind, that's noticeable when you try to adapt it to scan a stream, at the end the only possible solution is viewing the stream as a sequence of overlapping blocks.
@plusvic , thanks a lot for quick response. As far as I know that we can not find the virus-characters that is cross stream boundary by the existing YARA code. Do you mean by 1. Saving all the streams in memory. 2. And then using BLOCK and ITERATORs, and then modify the 'scan_mem_block' related algorithm to get the stream/fragment scanned?
Also, does anyone have a problem running dotnet modules with yara-python (v3.8.1 and 3.9.0)? I get errors for invalid field names (tried with number_of_guids and typelib). Used 3.8.1 install from pip3 and compiled from source for v3.9.
Rule works when running yara, just not yara-python. Saw the issues someone had with imphash, but rebuilding it still didn't seem to work... VirusTotal/yara-python#97
Ok, got it. Needed to use the flag --enable-dotnet when building from python source. Didn't see those options until looking at setup.py. https://github.com/VirusTotal/yara-python/blob/master/setup.py
Hi, why are bison/flex generated .c files in the repository? They get regenerated during build, which makes the git repository dirty. And you can't build yara without flex & bison installed anyway.
EDIT: ups, I remembered it wrong, configure actually passes without flex/bison, but if Make decides it needs to regenerate the files, the build will fail. And it decides to do so pretty arbitrarily.
@plusvic well, make decides to rebuild the generated files based on timestamps, which are set according to in which order Git checks out the files, so you get randomly regenerated .c files for no reason. Perhaps the generation step should be completely separate and only executed on demand?
Trying to learn how to use Yara to identify random malware samples from a honeypot.
