Some of the analysis I've done over the past few years is referenced in various places in this overview. I might be most happy that my sneaky reference to the time a half-dozen of us ate a Vermonster in a single attempt made it into the report. cloud.google.com/blog/topics/...
11.02.2026 19:14 β π 2 π 0 π¬ 0 π 0Haha! My son and I were just saying how this has been an insanely boring first half.
09.02.2026 01:40 β π 1 π 0 π¬ 0 π 0
github.com/VirusTotal/y... - Once again, new release with some good bug fixes and nice improvements.
06.02.2026 21:06 β π 2 π 1 π¬ 0 π 0
YARA-X 1.12.0 is out. Some small bug fixes but still worth upgrading! Once again, congrats to Victor and the contributors as the project keeps getting better.
github.com/VirusTotal/y...
github.com/VirusTotal/y... - 1.11.0 is out! Lots of new features, modules and bug fixes. Read the release notes and congrats to Victor and the contributors!
09.01.2026 13:43 β π 7 π 3 π¬ 0 π 0
I like that the rage amount is a constant 11 for a single laptop or a fleet of them.
26.12.2025 20:32 β π 1 π 0 π¬ 0 π 0Yeah, could be done.
24.12.2025 21:07 β π 1 π 0 π¬ 0 π 0To do what? Have the ability to write JS UDF?
24.12.2025 19:37 β π 0 π 0 π¬ 1 π 0
One wheel Jesus was at the Christmas parade again. All praise be to one wheel Jesus and his crew.
13.12.2025 23:52 β π 0 π 0 π¬ 0 π 0
Iβm not judging (I am) but pantscon5 is the ideal situation.
Also, using this scale to describe level of formality for meetings at work (I already use it for non-work) is on my OKRs.
Please describe your requirement for the level of fancy using the pantscon scale: pantscon5.com
10.12.2025 11:23 β π 0 π 0 π¬ 1 π 0
Quality of life improvement for yara-x:
I realized the functions that output hash values do not have constraints on them like the hash module functions do. See virustotal.github.io/yara-x/blog/... for details on why this is useful to extend everywhere.
PR that fixes it: github.com/VirusTotal/y...
Yara-x 1.10.0 released today! It can now automatically fix some warnings, and some improvements in code generation. This is another great step forward for the project.
github.com/VirusTotal/y...
Yeah, same basic idea between us. Mine was the first thing that popped into my head with no actual optimizations to avoid βcountingβ - great minds think alike!
14.11.2025 22:07 β π 1 π 0 π¬ 0 π 0That will "count" printable bytes starting at "offset" and going for at most 100 bytes or until it hits a non-printable. I can easily make it stop at just a 0x00 if you really want.
14.11.2025 21:46 β π 0 π 0 π¬ 1 π 0
Do you want it to output ONLY the length? Is "counting" acceptable? If so:
import "console"
rule a {
condition:
with offset = 0: (
for all i in (0..100): (
with b = uint8(offset + i): (
b >= 0x20 and b <= 0x7e and console.log(i)
)
)
)
}
Don't ask why but you may now refer to me as "Sir Wesley, robot, esq." (thanks @gabagool.ing for that one) and gemini thinks this is what I look like. It may have had some help with the Pikachu hoodie and hot dogs. You're welcome for this visual.
14.11.2025 21:10 β π 2 π 0 π¬ 0 π 0Please do! Would love to know how it works for you!
14.11.2025 21:08 β π 1 π 0 π¬ 0 π 0Finally put this up for review in a PR (github.com/VirusTotal/y...) - it's now in it's own command and has been tested on some pretty gnarly graphs of rules. If you have huge dependency graphs the output gets messy, but it works well otherwise.
14.11.2025 20:37 β π 1 π 1 π¬ 1 π 0
If you're interested in my dependency querying code for yara rules check out my deps branch: github.com/wxsBSD/yara-...
You can build it with "cargo build --features=debug-cmd" and use it like "yr debug deps -h". My TODO list for this is basically:
- Write tests
- Move to it's own command
@pdub5.bsky.social does great work! If youβre going to be at the conference go see his talk and maybe heckle him for me.
05.11.2025 22:01 β π 9 π 1 π¬ 0 π 0Once I get this landed upstream I'd like to expose this in the python bindings as it's the easiest language for people to walk an AST and find the things they are interested in, but that may take a bit. For now, I think just having an option to see output in JSON or graphviz is fine.
04.11.2025 03:12 β π 2 π 0 π¬ 0 π 0Second, it also lets you have a system that will include only the necessary import statements for those exported rules. Duplicate import statements are only a warning in yara-x (and just silently ignored in C yara) but it's still nice to use what you import rather than just importing everything.
04.11.2025 03:12 β π 0 π 0 π¬ 1 π 0First it lets you find dependencies in large rule sets. Imagine you have 10k rules and you want to share one specific one but it depends upon another rule, so you have to include that other rule in your export. This lets you identify only the minimum necessary rules easily.
04.11.2025 03:12 β π 0 π 0 π¬ 1 π 0
As you can see, it correctly knows when to ignore things that might look like a module usage (pe identifier) when it is used in a with declaration or a for variable.
Why is this useful you might ask? Well, it lets you do two things...
wxs@mbp yara-x % cat rules/test.yara
rule a { condition: with pe = 1 + 1: (pe == time.now()) }
rule b { condition: a }
wxs@mbp yara-x % ./target/debug/yr debug deps rules/test.yara
Deps: {"a": [], "b": ["a"]}
Modules: {"a": ["time"]}
wxs@mbp yara-x %
I've got something built on Victor's new DFSIter for yara-x AST that takes a set of rules and outputs the dependencies and modules used (based upon the compiled list of modules). Ultimately I want to make it output a graphviz file for visualization but for now it's dumping them to stdout...
04.11.2025 03:12 β π 2 π 1 π¬ 1 π 0
yara-x 1.9.0 is out! The DFSIterator for AST traversal is what I was finishing up this week (and now I donβt have to, yay), and is definitely really interesting if you are into that sort of thing. Iβll finish my work onto top of this new implementation.
github.com/VirusTotal/y...
github.com/VirusTotal/y... - I have an implementation done, at least enough to put up next week. ;)
02.11.2025 22:11 β π 2 π 0 π¬ 0 π 0
