Getting Started

UnpacMe YARA Hunting enables YARA search across our malware and goodware corpora. If you are new to YARA we recommend starting with the official YARA documentation. UnpacMe offers two YARA hunting services: Lightning Hunt for fast scans of current samples, and Total Recall for full corpus scanning.

YARA Lightning Hunt

Sample Repositories

When launching a YARA Lightning Hunt up to four different sample repositories can be selected to scan; Submissions, Labeled Artifacts, Unlabeled Artifacts, and Goodware. Depending on the purpose of the YARA hunt some repositories may be preferable over others. By default all repositories are included in the hunt except for

YARA Rules

UnpacMe provides a full YARA rule management system complete with a rule editor, validator, and private rule repository. In general UnpacMe supports the current stable YARA version, though with some additional limitations. Detailed documentation for the features supported can be found in the latest YARA documentation.

Limitations

* Only one YARA

Rule Validation

All YARA rules are internally validated prior to launching a scan. Rules that fail validation will terminate the scan, though the scan will still count against your YARA search quota. However, the Rule Editor also provides a manual validation option which uses the same internal validation tests. Manual validation does

Custom Scan Options

In addition to the rule itself, YARA searches can be tuned using custom options that will influence the YARA scan engine.

Scan Assist

Scan assist can help get the most coverage out of your YARA rule even if the rule is inefficient. When scan assist is enabled the YARA engine

Results Overview

The YARA results overview header provides high level information about the hunt including the name of the YARA rule, the number of matches in each sample repository, and the hunt status.

Rule Details

The rule details window provides information about the YARA rule, revision, and the scan options. The 🔄 button

Lookback and Scan Coverage

The lookback window defines the maximum amount of historical data that can be included in a YARA search, and scan coverage refers to how much of the lookback window was actually scanned by the search. Efficient YARA rules will produce better coverage while inefficient rules will reduce coverage. The lookback window

Goodware Matches

When the goodware repository is selected during a YARA scan matches in the goodware corpus will be displayed in the goodware window. The goodware window can be expanded to reveal a scrollable list of all matches. Each match includes details about the file including the file's SHA256 hash,

Match Insights

Match insights provides a quick overview of the results returned by the YARA search. Insights can be used to identify trends in the results as well as filter the matches table.

1. Tags

The tags distribution graph displays a list of tags assigned to the YARA matches and their frequency

Match Filter

YARA matches can be refined by applying filters. Filters are available for tags and YARA labels associated with the results. To apply a filter simply click the tag or YARA label and select the desired filter action. When multiple filters are selected an implicit AND is used to combine them

Matches Table

YARA matches are displayed in the matches table. The matches table includes information about each match and can be sorted and filtered based on various characteristics of the matches. The default matches table view will display ten matches per page and is sorted in reverse chronological order based on the

Hunt History

The YARA Hunt History page displays a list of past hunts with an overview of the hunt results. Hunt history is only retained for 30 days after which the hunt results will be purged. The rule name for each hunt can be clicked to open the Results page for the

