Sauron is a minimalistic, YARA based malware scanner with realtime filesystem monitoring written in Rust.
- Realtime scan of created and modified files, supporting Linux `inotify`, macOS `FSEvents`, Windows `ReadDirectoryChanges` and polling for other platforms.
- YARA engine complete support.
- Single scan mode to scan a folder, report results and exit.
- Parallel scanning using a configurable thread pool.
- Log, text and JSON reporting.
Due to the filesystem monitoring mechanism, Sauron is extremely lightweight and less invasive than more sophisticated AV solutions; however, this comes with the following limitations:
- Scanning files held under an exclusive lock by other processes will likely fail with a `Permission Denied` error.
- Malicious file creation and execution won't be blocked, only reported.
- Fileless malware won't be detected.
- Detected files won't be linked to originating processes.
```sh
cargo build --release
```

Your system must have `libssl-dev` installed. For Ubuntu derivatives this can be installed via `sudo apt install libssl-dev`.
Assuming you have your YARA rules in `./yara-rules` (you can find plenty of free rules online):

```sh
sudo ./target/release/sauron --rules ./yara-rules
```

Alternatively you can perform a one-time recursive scan of the specified folder using the `--scan` argument:

```sh
sudo ./target/release/sauron --rules ./yara-rules --scan --root /path/to/scan
```

You can specify which file extensions to scan (all by default) with the `--ext` argument:

```sh
sudo ./target/release/sauron \
    --rules ./yara-rules \
    --scan \
    --root /path/to/scan \
    --ext exe \
    --ext elf \
    --ext doc \
    --ext docx
```

Various options are available for reporting:

- `--report-clean` will also report clean files.
- `--report-errors` explicitly reports errors (reported as debug logs by default).
- `--report-output <FILENAME>` will write scan reports to a file.
- `--report-json` if `--report-output` is passed, writes the report as JSON instead of text.
Run sauron --help for the complete list of options.
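A smoke test of the one-shot scan workflow above, as an added shell example (not part of the Sauron project): it writes a benign YARA rule matching a constructed marker string, creates one matching and one non-matching sample under a scan root, and wraps the `--scan` invocation with JSON reporting. The marker string, rule name, file names and the binary path passed to `run_scan` are all constructed assumptions.

```shell
#!/usr/bin/env bash
# Added example: verify a Sauron one-shot scan end to end with a harmless rule.
set -euo pipefail

# Write a minimal YARA rule that matches a constructed marker string
# (no real malware involved; the marker is an assumption for this test).
write_test_rule() {  # $1 = rules directory
  mkdir -p "$1"
  cat > "$1/test_marker.yar" <<'EOF'
rule sauron_smoke_test
{
    meta:
        description = "Benign marker used to verify the scanner pipeline"
    strings:
        $marker = "SAURON-SMOKE-TEST-MARKER-7f3a" ascii
    condition:
        $marker
}
EOF
}

# Create a scan root with one file that should match and one that should not.
# The .exe sample is plain text; only its extension matters for --ext filtering.
write_samples() {  # $1 = scan root directory
  mkdir -p "$1/sub"
  printf 'hello world\n' > "$1/clean.txt"
  printf 'payload SAURON-SMOKE-TEST-MARKER-7f3a\n' > "$1/sub/hit.exe"
}

# Run a one-time recursive scan and write a JSON report with errors included.
# Scanning your own directory needs no sudo; realtime monitoring of system
# paths is where the README's sudo invocation applies.
run_scan() {  # $1 = path to sauron binary, $2 = rules dir, $3 = root, $4 = report file
  "$1" --rules "$2" --scan --root "$3" \
       --ext exe --ext txt \
       --report-output "$4" --report-json --report-errors
}

# Usage (assumes the binary was built with `cargo build --release`):
#   write_test_rule /tmp/sauron-test/rules
#   write_samples   /tmp/sauron-test/root
#   run_scan ./target/release/sauron /tmp/sauron-test/rules /tmp/sauron-test/root /tmp/sauron-test/report.json
```

Expect the JSON report to flag `sub/hit.exe` and, if `--report-clean` is added, to list `clean.txt` as clean.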
This project is made with ♥ by @evilsocket and it is released under the GPL3 license.
