The lookback window defines the maximum amount of historical data that can be included in a YARA search, and scan coverage refers how much of the lookback window was actually scanned by the search. Efficient YARA rules will produce better coverage while inefficient rules will reduce coverage.
The lookback window default is 12-weeks, providing a view of the past 12 weeks of data with more lookback available depending on your plan.
Lookback Window
The lookback window is divided into weeks and is displayed in reverse chronological order. Searches sample from all weeks in parallel though the search is biased towards recent weeks resulting in better coverage of newer samples.
A bar chart of coverage for each sample repository is mapped onto the lookback window in transparent layers resulting in a simple visualization that can be used to interpret coverage; darker weeks have better coverage.
Hovering over a week will display the percent coverage for each repository.
Scan Coverage
The scan coverage window also displays a total percent coverage based on the combination of all selected sample repositories. The window can also be expanded to display the breakdown per repository.
It is important to note that a low scan coverage is not necessarily negative. Though plan upgrades will provide a larger lookback window and inherently better coverage, often only a few weeks of data is needed to test a YARA rule or hunt for new samples.
If an exhaustive search is required of every sample in our corpus then a Total Recall scan is a better alternative.