All YARA rules are internally validated prior to launching a scan. Rules that fail validation will terminate the scan, though the scan will still count against your YARA search quota.

However, the Rule Editor also provides a manual valuation option which uses the same internal validation tests. Manual validation does not count against your quota, and is strongly recommended prior to launching a scan. Simply press the Validate button at any time to check your YARA rule.

Validation Tests

During validation the rule validation a series of tests are performed on the rule to determine both the syntactical correctness of the rule as well as any performance inefficiencies.

The current YARA engine version is also returned along with the test results for transparency.

Compile Test

The rule is compiled to ensure that it is syntactically correct. If a rule fails this test it will terminate the scan.

Simple Scan

The rule is run against a set of test binaries to ensure that it does not raise any errors at runtime. If a rule fails this test it will terminate the scan.

Large File Scan

The rule is run against a set of large test binaries and performance measured. If the performance is below average a warning is raised. If a rule fails this test a scan is permitted though a warning is raised.

Compile Warnings

Any warning raised at compile time are returned to the user. This test does not block scan submissions.

Wildcards in Hex String

The rule is checked for inefficient use of wildcards in hex strings. For example, hex strings that start with wildcards. If a rule fails this test a scan is permitted though a warning is raised.

Short Byte Sequences

The rule is checked for byte sequences in hex strings that are shorter than three bytes. For example, two bytes bordered by wild cards. Short byte sequences are extremely inefficient and may cause a rule to perform poorly. If a rule fails this test a scan is permitted though a warning is raised.

Validation Errors

When a validation test fails or raises a warning a detailed message is returned for the specific test. In addition to the message a clickable Failed link is placed next to the message which will link to the specific line in the Rule Editor that led to the failure or warning.

Clicking the link will display an error box next to the offending line in the Rule Editor with the error or warning message.