VirusTotal/yara

• Scanner API
• New “xor” modifier for strings
• New fields and functions in PE module.
• Add functions “min” and “max” to math module.
• Make compiled.
• yara and yaracsupport reading rules from stdin by using - as the file name.
• Rule compilation is faster.
• BUGFIX: Regression in regex engine. /ba{3}b/ was matching “baaaab”.
• BUGFIX: Function yr_compiler_add_fd() was reading only the first 1024 bytes of the file.
• BUGFIX: Wrong calculation of sha256 hashes in Windows when using native crypto API.
• Lots of more bug fixes.

Refer to the documentation for information on how to build and install YARA.

Windows binaries can be found here.

• Fix regression in include directive (issue #796)
• Fix bug in PE checksum calculation causing wrong results in some cases.

• time module (Wesley Shields)
• yara command-line tool now accept multiple rule files
• Allow a configurable limit for the number of strings per rule (option --max-strings-per-rule)
• Implement integrity check for compiled rules
• Implement API for customizingimport statement (@edhoedt)
• Scan process memory in FreeBSD and OpenBDS (Hilko Bengen)
• BUGFIX: Negated character classes not working with case-insensitive regexps (#765)
• BUGFIX: Multiple bugs while parsing ELF files (Nate Rosenblum)
• BUGFIX: Out-of-bounds access while parsing PE files.
• BUGFIX: Memory leaks while parsing invalid rules.

Refer to the documentation for information on how to build and install YARA.

Windows binaries can be found here.

BUGFIX: Heap overflow (4a342f0)
BUGFIX: Off-by-one NULL write in stack buffer (964d6c0)
BUGFIX: Multiple issues in "dotnet" module (f40c14c, fc35e5f)

Refer to the documentation for information on how to build and install YARA.

Windows binaries can be found here.

• Increase RE_MAX_AST_LEVELS from 2000 to 6000.
• BUGFIX: Buffer overrun in regexp engine (issue #678)
• BUGFIX: Null pointer dereference in regexp engine (issue #682).

Refer to the documentation for information on how to build and install YARA.

Windows binaries can be found here.

• BUGFIX: Stack overflow caused by uncontrolled recursiveness (CVE-2017-9304)
• BUGFIX: pe.overlay.size was undefined if the PE didn't have an overlay. Now it's set to 0 in those cases.
• BUGFIX: Fix initalization issue that could cause a crash if rules compiled with a 32bit yarac is used with a 64bit yara.

Refer to the documentation for information on how to build and install YARA.

Windows binaries can be found here.

• .NET module (Wesley Shields)
• New features for ELF module (Jacob Baines)
• Fix endianness issues (Hilko Bengen)
• Function yr_compiler_add_fd added to libyara
• MAX_THREADS limit can be arbitrarily increased (Emerson R. Wiley)
• Added --fail-on-warnings command-line option
• Multiple bug fixes

Refer to the documentation for information on how to build and install YARA.

Windows binaries can be found here.

• Match length operator (http://yara.readthedocs.io/en/v3.5.0/writingrules.html#match-length)
• Performance improvements
• Less memory consumption while scanning processes
• Exception handling when scanning memory blocks
• Negative integers in meta fields
• Added the --stack-size command-argument
• Functions import_ordinal, is_dll, is_32bit and is_64bit added to PE module
• Functions rich_signature.toolid and rich_signature.version added to PE module
• Lots of bug fixes

Refer to the documentation for information on how to build and install YARA.

Windows binaries can be found here.

• Short-circuit evaluation for conditions
• New yr_rules_save_stream/yr_rules_load_stream APIs.
• load() and save() methods in yara-python accept file-like objects
• Improvements to the PE and ELF modules
• Some performance improvements
• New command-line option --print-module-data
• Multiple bug fixes.

Refer to the documentation for information on how to build and install YARA.

Windows binaries can be found here.