Question 1

How to set up yarGen dropzone mode for continuous monitoring?

Accepted Answer

Use the --dropzone flag with -m to specify the folder path. yarGen will initialize databases once, then monitor for new files, generate rules automatically, and delete processed samples. Ensure you have sufficient RAM and backup important files as deletion is permanent.

Question 2

yarGen vs other YARA generators like Loki or YARA-Signator?

Accepted Answer

yarGen focuses on goodware filtering to reduce false positives, while Loki is a broader detection scanner and YARA-Signator may not have the same database support. yarGen is better for rule creation from malware samples, but requires more resources and post-processing compared to some alternatives.

Question 3

Can yarGen handle non-PE files like PDFs or scripts?

Accepted Answer

yarGen is optimized for PE files, especially with opcode extraction from .text sections. It can scan other files for strings, but features like opcodes and PE-specific extras (imphash) are limited to executable formats, reducing effectiveness for non-PE malware.

Question 4

What are the minimum system requirements for yarGen?

Accepted Answer

yarGen needs at least 4GB of RAM (8GB recommended for opcodes), Python 3 with dependencies installed, and about 1GB of disk space for databases. The initial database download is 913 MB, so a stable internet connection is required for setup.

Question 5

How to create a custom goodware database for my environment?

Accepted Answer

Use the -c flag with -i for an identifier and -g to specify the path to goodware files. For example, 'python yarGen.py -c --opcodes -i office -g /path/to/office' creates databases tailored to Office software, which are then used in rule generation.

Question 6

Is yarGen still supported or should I use yarGen-Go?

Accepted Answer

yarGen is marked as not maintained, with the developer recommending yarGen-Go for new projects. yarGen-Go is written in Go, potentially offering better performance and maintenance, so consider migrating if starting fresh or needing updates.

Question 7

How to reduce false positives in yarGen-generated rules?

Accepted Answer

Use the --score flag to see string scores, set a higher minimum score with -z, and manually review and remove low-scoring strings. Additionally, create custom databases with relevant goodware and use the --excludegood flag to force exclusion of all goodware strings.

Yara rules generator

What is Yara rules generator?

Overview

Use Cases

Best For

Related Projects

Found a gem we're missing?

Not Ideal For

Pros & Cons

Pros

Cons

Frequently Asked Questions