UnpacMe YARA Hunting enables YARA searches across our malware and goodware corpora. If you are new to YARA, we recommend starting with the official YARA documentation.

UnpacMe offers two YARA hunting services: Lightning Hunt, for fast scans of recent samples, and Total Recall, for scanning the full corpus.

YARA Lightning Hunt

Lightning hunts provide a time-boxed search of samples in reverse chronological order (newest first). The time box is determined by the Lookback Window provisioned to your account. Most lightning hunts complete within a minute or two.

When a hunt is initiated, a fixed amount of processor time is assigned to the search, sized so that an efficient YARA rule can scan the entire Lookback Window. Inefficient rules (for example, conditions that run expensive module functions such as entropy or hash calculations on every file without a cheap string or header check first) may exhaust that budget and leave part of the window unscanned.

Lightning hunts are the ideal tool for quickly identifying current malware and testing new YARA rules.

Supported YARA Versions

The UnpacMe YARA engine usually supports the latest stable YARA release; the exact version in use is returned with the rule validation results. The features supported are documented in the YARA documentation for that release. However, the engine has some additional limitations and enhancements, described below.

Limitations

  • Only one YARA rule is permitted per hunt. Multiple rules bundled in a single submission will be rejected during validation.
  • Rules cannot use include statements. A search only has access to the submitted rule text, so anything shared must be inlined.
  • Only the following YARA modules are supported: pe, math, magic, hash, and dotnet.
  • By default, files included in the hunt are capped at a maximum size of 16 megabytes; larger files are not scanned. This cap can be adjusted with the File Size Limits option.

In addition to the rule itself, YARA hunts can be tuned using Custom Scan Options that influence the YARA scan engine.
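To catch these rejections locally before spending a hunt, a pre-flight check over the rule text is useful. The following Python is an added example, not UnpacMe's own validator (which the page does not describe); it approximates the limitations above with a regex scan rather than a full YARA parser, and embeds two constructed rules: one shaped for an efficient Lightning Hunt using only supported modules, and one that bundles two rules, uses include, and imports an unsupported module.

```python
import re

# Modules the page lists as supported by the UnpacMe YARA engine.
SUPPORTED_MODULES = {"pe", "math", "magic", "hash", "dotnet"}

# Constructed example of a rule shaped for a fast Lightning Hunt: cheap anchors
# ($mz at 0, the 16 MB default cap, a string hit) come first in the condition so
# the costlier pe/math evaluation only runs on files that already pass them.
GOOD_RULE = r'''
import "pe"
import "math"

rule Suspect_Packed_PE_Example
{
    meta:
        description = "Constructed example for a pre-flight check, not a detection for any real family"
    strings:
        $mz = { 4D 5A }
        $s1 = "VirtualAlloc" ascii
        $s2 = "IsDebuggerPresent" ascii
    condition:
        $mz at 0 and filesize < 16MB and 1 of ($s*)
        and pe.number_of_sections < 4
        and math.entropy(0, filesize) >= 7.0
}
'''

# Constructed example that violates three of the listed limitations at once.
BAD_RULE = r'''
import "cuckoo"
include "shared_strings.yar"

rule first_rule  { condition: true }
rule second_rule { condition: uint16(0) == 0x5A4D }
'''


def strip_comments(src: str) -> str:
    """Remove /* */ and // comments so keywords inside them are not counted."""
    src = re.sub(r"/\*.*?\*/", "", src, flags=re.S)
    return re.sub(r"//[^\n]*", "", src)


def strip_strings(src: str) -> str:
    """Blank out double-quoted text so words such as 'rule' or 'include' inside a
    $string definition or meta field are not mistaken for keywords."""
    return re.sub(r'"(?:\\.|[^"\\])*"', '""', src)


def check_rule(src: str) -> list:
    """Return the list of problems that would trip the hunt limitations.
    An empty list means the text passed this local (heuristic) pre-flight check."""
    problems = []
    no_comments = strip_comments(src)
    body = strip_strings(no_comments)

    # One rule per hunt: count top-level rule definitions (private/global allowed).
    rules = re.findall(r"(?m)^\s*(?:private\s+|global\s+)*rule\s+([A-Za-z_]\w*)", body)
    if not rules:
        problems.append("no rule definition found")
    elif len(rules) > 1:
        problems.append(
            f"{len(rules)} rules found ({', '.join(rules)}); only one rule per hunt is permitted"
        )

    # No include statements: the search only sees the submitted rule text.
    if re.search(r"(?m)^\s*include\b", body):
        problems.append("include statements are not allowed; inline everything into the submitted rule")

    # Only the supported modules may be imported (scan before strings are blanked).
    for mod in re.findall(r'(?m)^\s*import\s+"([^"]+)"', no_comments):
        if mod not in SUPPORTED_MODULES:
            problems.append(
                f'module "{mod}" is not supported (supported: {", ".join(sorted(SUPPORTED_MODULES))})'
            )
    return problems


if __name__ == "__main__":
    for name, text in (("GOOD_RULE", GOOD_RULE), ("BAD_RULE", BAD_RULE)):
        found = check_rule(text)
        print(f"{name}: {'ok' if not found else 'rejected'}")
        for problem in found:
            print(f"  - {problem}")
```

The check is deliberately conservative and heuristic: the service's own validator is authoritative, and a local yara.compile() from yara-python is still the right way to confirm the rule actually compiles. The condition ordering in GOOD_RULE is the efficiency point from the Lightning Hunt section: YARA short-circuits the condition, so the entropy and pe checks are only evaluated for files that already pass the cheap header, size and string anchors.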

YARA Total Recall (Available Soon)

Total Recall can be used to schedule a YARA search of the entire UnpacMe malware corpus, consisting of more than five years of malware data.

A notification is sent when the Total Recall job has completed and its results can be retrieved. Total Recall searches can take many hours to complete.