In addition to the rule itself, YARA searches can be tuned using custom options that influence the YARA scan engine.

Scan Assist

Scan assist can help get the most coverage out of your YARA rule even if the rule is inefficient. When scan assist is enabled, the YARA engine dynamically tailors the scan parameters based on real-time feedback during the scan.

To illustrate, consider the following simplified example. During a scan, the engine observes that the only file matches are EXE files. The engine might dynamically filter out all non-EXE files for the remainder of the scan. This enables the scan to cover more files during the time box.

It is recommended to use scan assist when hunting with YARA, as it will enable deeper scanning. However, since the scan assist results may be a subset of all possible results, we recommend disabling scan assist when testing YARA rules for false positives (for example, against the goodware corpus).

Fast Scan

Fast scan enables the fast matching mode in the YARA engine, a feature that allows the engine to stop scanning a file after the first match for a given rule. This can significantly speed up the scanning process when you only need to know if a particular rule matches, and you don't care about how many times the rule matches.

Store Offsets

The Store Offsets setting will return all string matches and their offsets for each matched sample. This option can significantly slow down scanning and reduce scan coverage.

When enabled, the offsets will be displayed as an expandable list for each match in the matches table.

File Size Limits

File size limits can be specified outside of the YARA rule. When enabled, these will pre-filter samples based on size prior to staging them for scanning, but they will not override any file size settings in the rule itself.

By default, all scans have a maximum file size of 16 megabytes; however, this can be increased by enabling the File Size Limits and increasing the maximum file size.
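
How the external limits combine with a rule's own filesize condition, shown as an added example that is not part of the original documentation. The rule names and the 2MB and 20MB thresholds are constructed for illustration.

```yara
// Constructed example rules; names and thresholds are illustrative only.

// The rule carries its own upper bound. Raising the external maximum
// above 16 MB stages larger samples for scanning, but this rule still
// rejects every file of 2 MB or more, because the external limit does
// not override the condition below.
rule small_pe_only
{
    condition:
        uint16(0) == 0x5A4D and filesize < 2MB
}

// The rule only matches large files. With the default 16 MB maximum,
// samples this size are filtered out before staging, so the rule
// returns no matches until File Size Limits is enabled and the
// maximum is raised above the rule's own lower bound.
rule large_pe_only
{
    condition:
        uint16(0) == 0x5A4D and filesize > 20MB
}
```

A rule that returns nothing under the default settings is therefore not necessarily clean against the corpus; check whether its filesize condition falls outside the range of samples that were staged.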

YARA-X

Scan and validate rules using the YARA-X fork of YARA.

YARA-X is not fully compatible with YARA, and we recommend selecting the engine that your rules are designed to run on. Full documentation on the differences between the engines can be found in the YARA-X docs, Differences with YARA.