VirusTotal / yara-python

The Python interface for YARA
http://virustotal.github.io/yara/
Apache License 2.0

Yara not scanning all file content #240

Closed neslihaneciogluu closed 7 months ago

neslihaneciogluu commented 11 months ago

Hi,

During file scanning, I do not want to examine anything after a certain size. For example, for a 100 mb file, I want to scan the first 200 kb and get its match result, not scanning after 200kb. How can I achieve this with a YARA rule or a Python script? I want to give the full file to YARA and have YARA not read the full text, as I explained above. It is important for speed.

Thank you for your response. Sincerely.

ruppde commented 10 months ago

Hi,

Maybe use https://github.com/Neo23x0/Loki or https://www.nextron-systems.com/thor-lite/ because by default they don't scan the file types which are usually the huge ones, unless you use --intense.

And if you really want to scan the first 200kb of 100mb (don't know how useful that would be), you could add your own parameter in Loki.

Regards, arnim

plusvic commented 7 months ago

The only way to do that currently is for your Python program to read the first 200kb from the file and pass the data to yara-python for scanning. There's no way to pass the file path or the whole data and ask YARA to scan only the first 200kb.
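
The approach described in the last comment, as an added example that is not part of the original thread or the yara-python project: read only the first 200 KB and hand that buffer to `rules.match(data=...)`. The helper names, the two demo rules and the sample file are constructed for illustration.

```python
import os
import tempfile

SCAN_LIMIT = 200 * 1024  # first 200 KB, the size asked about in this thread


def read_prefix(path, limit=SCAN_LIMIT):
    """Return at most `limit` bytes from the start of the file."""
    with open(path, "rb") as fh:
        return fh.read(limit)  # the rest of the file is never read from disk


def scan_prefix(rules, path, limit=SCAN_LIMIT):
    """Scan only the first `limit` bytes of `path`; return matched rule names.

    `rules` is a compiled yara.Rules object. Caveats of scanning a prefix:
    - a string that straddles the cut-off is truncated and will not match;
    - `filesize` in a rule condition reflects the buffer, not the real file;
    - rules anchored to offsets past the limit can never fire.
    """
    data = read_prefix(path, limit)
    return [m.rule for m in rules.match(data=data)]


def demo():
    """Build a constructed sample file and show that only the head rule hits."""
    import yara  # yara-python; imported here so the helpers load without it

    rules = yara.compile(source='''
rule head_marker { strings: $a = "HEAD_MARKER" condition: $a }
rule tail_marker { strings: $a = "TAIL_MARKER" condition: $a }
''')
    # Constructed sample: one marker at offset 0, one past the 200 KB limit.
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(b"HEAD_MARKER" + b"\0" * SCAN_LIMIT + b"TAIL_MARKER")
    try:
        return scan_prefix(rules, tmp.name)
    finally:
        os.unlink(tmp.name)


if __name__ == "__main__":
    print(demo())
```
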