YARA Rules

The Sandbox engine contains a set of YARA rules in the /home/sandbox/sandbox/transform/yara/rules folder.

If Sandbox is connected to the Internet, these YARA rules are periodically updated from a GitHub repository maintained by OPSWAT Malware Analysts. After an update, the engine recompiles the master_file.yarc file that contains all rules in a compiled form. This is crucial for efficient YARA matching.

It is also possible to add custom YARA rules as .yar files in the /home/sandbox/sandbox/transform/yara/rules/custom folder, but it is necessary to modify the YARA update configuration to always generate master_file.yarc on Sandbox startup:

Step #1 - Open /home/sandbox/sandbox/transform.cfg in a text editor

Step #2 - Modify the configuration in transform.cfg by adding the runYaraUpdateOnStartup property (described under Property details below) and setting it so that YARA updates run on Sandbox startup (its default value is false)

Step #3 - Save the file and restart the sandbox service

Property details

Property Name            Default Value   Description
runYaraUpdateOnStartup   false           Main switch to enable / disable YARA updates on Sandbox startup

Adding custom YARA rules

After this change, custom .yar files can be copied to the /home/sandbox/sandbox/transform/yara/rules/custom folder, and these YARA rules will be automatically loaded by the Sandbox engine.

After adding or modifying a custom rule, please always restart the sandbox service!
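Because upstream and custom rules are compiled together into the single master_file.yarc, a custom rule whose identifier is already used by another rule will not compile cleanly. The following pre-flight check is an added example, not OPSWAT's own code: it assumes upstream and custom rules share one YARA namespace, uses only the folder path named on this page, and scans every .yar file for duplicate rule identifiers so a collision is caught before the service is restarted.

```python
import re
from pathlib import Path
from typing import Dict, List

# Rules folder from this page; custom rules live in its "custom" subfolder.
RULES_DIR = "/home/sandbox/sandbox/transform/yara/rules"

# A YARA rule header: optional "private"/"global" modifiers, the keyword
# "rule", then a C-style identifier. Anchored at line start so that the word
# "rule" inside a string or a metadata value is not mistaken for a header.
RULE_HEADER = re.compile(
    r"^\s*(?:(?:private|global)\s+)*rule\s+([A-Za-z_][A-Za-z0-9_]*)", re.M)


def strip_comments(source: str) -> str:
    """Remove /* */ and // comments so a commented-out rule is not counted.
    Cutting a '//' inside a string literal is harmless here, because only
    line-leading rule headers are inspected afterwards."""
    source = re.sub(r"/\*.*?\*/", "", source, flags=re.S)
    return re.sub(r"//[^\n]*", "", source)


def rule_names(source: str) -> List[str]:
    """Return the rule identifiers declared in one .yar source text, in order."""
    return RULE_HEADER.findall(strip_comments(source))


def find_duplicate_rules(sources: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each identifier declared more than once to the files declaring it.
    `sources` maps a file name to its text."""
    seen: Dict[str, List[str]] = {}
    for fname, text in sources.items():
        for name in rule_names(text):
            seen.setdefault(name, []).append(fname)
    return {n: files for n, files in seen.items() if len(files) > 1}


def check_rules_dir(rules_dir: str = RULES_DIR) -> Dict[str, List[str]]:
    """Load every .yar under rules_dir (upstream and custom) and report clashes."""
    sources = {str(p): p.read_text(errors="replace")
               for p in sorted(Path(rules_dir).rglob("*.yar"))}
    return find_duplicate_rules(sources)


if __name__ == "__main__":
    for name, files in check_rules_dir().items():
        print(f"duplicate rule identifier {name!r} in: {', '.join(files)}")
```

An empty result means no identifier clashes; a non-empty one names the files to reconcile before restarting the sandbox service.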

All custom changes made in the /home/sandbox/sandbox/transform/yara/rules folder will be lost during a Sandbox installation!

If you add any custom YARA rules here, please remember to save them and restore them after upgrading Sandbox!
