Skip to main content
Panguard Guard uses YARA rules for file-based threat detection. YARA is the industry standard for identifying and classifying malware based on binary and textual patterns within files.

What Are YARA Rules?

YARA rules describe patterns that identify malware families, suspicious tools, and unwanted software. Unlike Sigma rules (which match log events), YARA rules match file content — scanning executables, scripts, documents, and other files for known malicious patterns.

Bundled Rules

Panguard Guard ships with 900+ YARA rules covering:
  • Common malware families and variants
  • Web shells and backdoors
  • Hacking tools and exploit kits
  • Cryptominers and ransomware
  • Suspicious file characteristics (packers, obfuscation)
  • Malicious document macros
Rules are sourced from reputable open-source collections and updated via Threat Cloud.

Rule Format

YARA rules use a C-like syntax with three main sections: 
rule Detect_WebShell_Generic : webshell
{
    meta:
        author = "Panguard AI"
        description = "Detects common PHP web shell patterns"
        severity = "critical"
        date = "2026-03-01"
        reference = "https://panguard.ai/rules/yara-ws-001"
        mitre_attack = "T1505.003"

    strings:
        $eval1 = "eval($_POST" ascii
        $eval2 = "eval($_GET" ascii
        $eval3 = "eval($_REQUEST" ascii
        $system1 = "system($_" ascii
        $passthru = "passthru(" ascii
        $shell_exec = "shell_exec(" ascii
        $base64 = "base64_decode(" ascii
        $gzinflate = "gzinflate(" ascii

    condition:
        filesize < 500KB and
        (
            any of ($eval*) or
            (any of ($system1, $passthru, $shell_exec) and any of ($base64, $gzinflate))
        )
}

Rule Sections

SectionDescription
metaMetadata about the rule (author, description, severity, references)
stringsPatterns to search for (text, hex, regex)
conditionBoolean logic determining when the rule matches

Custom Rules

Add custom YARA rules by placing .yar or .yara files in the custom rules directory: 
{dataDir}/yara-rules/custom/*.yar
Where {dataDir} defaults to ~/.panguard-guard. 
mkdir -p ~/.panguard-guard/yara-rules/custom
Custom YARA rules are loaded on the next scan cycle. For immediate testing, run panguard scan --yara-only to trigger a targeted scan with your new rules.

Engine Architecture

Panguard Guard includes two YARA evaluation engines:

Native Engine (Primary)

The native engine uses compiled YARA binaries for maximum performance. It is used when the YARA library is available on the system.
FeatureDetail
PerformanceUp to 100x faster than regex fallback
CompatibilitySupports all YARA features including modules
RequirementsYARA library installed (libyara)
InstallationBundled with Panguard Guard on supported platforms

Regex Fallback (Secondary)

When the native YARA library is not available, Panguard falls back to a JavaScript-based regex engine that provides basic pattern matching.
FeatureDetail
PerformanceAdequate for small file sets
CompatibilitySupports string matching and basic conditions
LimitationsNo YARA modules, limited hex pattern support
RequirementsNone (built into Panguard)
The native engine is strongly recommended for production deployments. Panguard will log a warning at startup if it falls back to the regex engine. Install YARA with your package manager: brew install yara (macOS), apt install yara (Debian/Ubuntu), or yum install yara (CentOS/RHEL).

String Types

YARA supports three types of string patterns:

Text Strings

strings:
    $text1 = "malware_payload" ascii
    $text2 = "malware_payload" wide        // UTF-16
    $text3 = "malware_payload" nocase      // case-insensitive
    $text4 = "malware_payload" ascii wide  // both encodings

Hex Strings

strings:
    $hex1 = { 4D 5A 90 00 }                    // exact bytes
    $hex2 = { 4D 5A ?? 00 }                    // wildcard byte
    $hex3 = { 4D 5A [2-4] 00 }                // byte range jump
    $hex4 = { 4D 5A ( 90 00 | 89 00 ) 03 }    // alternatives

Regular Expressions

strings:
    $re1 = /https?:\/\/[a-z0-9\-\.]+\.evil\.com/
    $re2 = /[A-Za-z0-9+\/]{50,}={0,2}/ // base64 blob

Condition Operators

OperatorExampleDescription
and, or, not$a and $bBoolean logic
any ofany of ($shell*)Any string in the set matches
all ofall of themAll defined strings match
X of2 of ($a, $b, $c)At least X strings match
filesizefilesize < 1MBFile size constraint
at$a at 0String at specific offset
in$a in (0..1024)String within byte range

Performance Considerations

MetricTypical Value
Rule loading time< 1 second for 900 rules
Per-file scan time< 50 ms for files under 10 MB
Memory overhead~30 MB for compiled rule set
Custom rule limitNo hard limit (recommend < 200)
YARA scans are CPU-intensive for large files. Panguard automatically skips files larger than 50 MB by default. Adjust this with panguard config set rules.yaraMaxFileSize "100MB".

Scan Targets

By default, YARA rules are evaluated against:
TargetDescription
New files in monitored directories/tmp, /var/tmp, /dev/shm, user home directories
Downloaded filesFiles created by curl, wget, browsers
Modified executablesAny executable file that changes
Quarantine reviewFiles flagged by other detection layers
Configure monitored directories in config.json under the monitoring.fileIntegrity settings.