YARA Hunting
Classifying files with YARA rules
YARA is a tool that allows rule-based identification of files. Files trigger a match when they contain a string or binary pattern defined by the YARA rule.
In the context of Spectra Analyze and Spectra Detect, YARA matching is implemented as part of the Spectra Core static analysis engine. That means that string or binary pattern matching is supported only for files, and not for running process memory.
To classify files using the Spectra Core engine, use YARA tags and custom metadata, as in the following rule:
rule ExampleRule : tc_detection malicious // Tags must be present
{
    meta:
        tc_detection_type = "Ransomware" // Has to be a valid RL malware type
        tc_detection_name = "Oof" // Can be an arbitrary malware family name
        tc_detection_factor = 5 // 0-5, where 5 is most dangerous
    strings:
        $1 = "example"
        $2 = { DE AD BE EF }
    condition:
        $1 or $2
}
To classify files as malicious using YARA tags, add the tc_detection and malicious tags as indicated in the code sample above. Likewise, to classify them as suspicious, use the suspicious tag. All files that match the rule will receive the classification corresponding to the tag.
In the meta section, there are several TC-specific keywords that you can include to get a specific malware type or risk score in the final report:
tc_detection_type
- Specifies the type of a matched sample. This must be one of the following strings:
- Adware
- Backdoor
- Browser
- Dialer
- Downloader
- Dropper
- Exploit
- Hacktool
- Infostealer
- Keylogger
- Malware
- Network
- Packed
- PUA
- Ransomware
- Rogue
- Rootkit
- Spyware
- Trojan
- Virus
- Worm
tc_detection_name
- An arbitrary malware family name. This will be displayed as the last part of the reported threat name.
tc_detection_factor
- Severity of sample maliciousness, expressed as an integer from 0 (least dangerous) to 5 (most dangerous). The detection factor maps to the risk score like so:

  | tc_detection_factor | risk score |
  |---------------------|------------|
  | 0                   | 5          |
  | 1                   | 6          |
  | 2                   | 7          |
  | 3                   | 8          |
  | 4                   | 9          |
  | 5                   | 10         |

- If the meta section contains non-supported values for tc_detection_type and tc_detection_factor (see above), or does not specify the values at all, the type will be Malware and the family YARA, with a risk score of 10.
🍍 As an example, a text file containing the string "pineapple" with a YARA rule that matches such files (see below), but with no additional detail in the meta section, will be classified as Text.Malware.YARA (with a risk score of 10).
rule PineappleDetector : tc_detection malicious
{
    strings:
        $1 = "pineapple"
    condition:
        $1
}
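The following Python script is an added example (not part of the original documentation and not ReversingLabs code) that reproduces the classification logic described above: it reads the tags and meta section of a rule with a small regex parser and derives the threat status, the Format.Type.Family threat name and the risk score, including the documented fallback to Malware/YARA/10 when tc_detection_type or tc_detection_factor is missing or unsupported. It also exercises the suspicious tag. The parser is a toy (it is not yara-python), and the behaviour for a rule that has a valid type and factor but no tc_detection_name is an assumption marked in the code; the appliance itself performs this mapping during analysis.

```python
import re

# Spectra Core malware types accepted in tc_detection_type (the list above).
VALID_TYPES = {
    "Adware", "Backdoor", "Browser", "Dialer", "Downloader", "Dropper",
    "Exploit", "Hacktool", "Infostealer", "Keylogger", "Malware", "Network",
    "Packed", "PUA", "Ransomware", "Rogue", "Rootkit", "Spyware", "Trojan",
    "Virus", "Worm",
}
# "rule <name> : <tags> {" with optional private/global modifiers.
RULE_HEADER = re.compile(
    r"^\s*(?:(?:private|global)\s+)*rule\s+(\w+)\s*(?::\s*([^{]+))?\{", re.M)
# Text between "meta:" and the next line starting with strings:/condition:.
META_SECTION = re.compile(r"meta:\s*(.*?)(?=^\s*(?:strings|condition):)", re.S | re.M)
# key = "string" | integer | true/false
META_ENTRY = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|(-?\d+)|(true|false))')


def strip_comments(text):
    """Drop // line comments, leaving '//' inside quoted strings alone."""
    out, in_str, i = [], False, 0
    while i < len(text):
        ch = text[i]
        if ch == '"' and (i == 0 or text[i - 1] != "\\"):
            in_str = not in_str
        if not in_str and text.startswith("//", i):
            nl = text.find("\n", i)
            i = len(text) if nl == -1 else nl
            continue
        out.append(ch)
        i += 1
    return "".join(out)


def parse_rule(text):
    """Name, tags and meta of the first rule in `text`. A toy regex parser
    (not yara-python) that is enough for rules shaped like those on this page."""
    text = strip_comments(text)
    header = RULE_HEADER.search(text)
    if header is None:
        raise ValueError("no rule header found")
    nxt = RULE_HEADER.search(text, header.end())
    body = text[header.end():nxt.start() if nxt else len(text)]
    tags = set(header.group(2).split()) if header.group(2) else set()
    meta = {}
    section = META_SECTION.search(body)
    if section:
        for m in META_ENTRY.finditer(section.group(1)):
            key, s, n, b = m.groups()
            meta[key] = s if s is not None else int(n) if n is not None else b == "true"
    return {"name": header.group(1), "tags": tags, "meta": meta}


def classify(rule, file_format):
    """Apply the documented tag/meta rules to a file of `file_format` that
    matched `rule`. Returns None when the rule carries no classifying tags."""
    tags = rule["tags"]
    if "tc_detection" not in tags or not tags & {"malicious", "suspicious"}:
        return None
    status = "malicious" if "malicious" in tags else "suspicious"
    meta = rule["meta"]
    mtype, factor = meta.get("tc_detection_type"), meta.get("tc_detection_factor")
    factor_ok = type(factor) is int and 0 <= factor <= 5
    if mtype in VALID_TYPES and factor_ok:
        risk = factor + 5  # documented mapping: factor 0..5 -> risk score 5..10
        # ASSUMPTION: a missing tc_detection_name falls back to the family "YARA".
        family = meta.get("tc_detection_name") or "YARA"
    else:
        mtype, family, risk = "Malware", "YARA", 10  # documented fallback
    return {"status": status, "threat_name": f"{file_format}.{mtype}.{family}",
            "risk_score": risk}


# The two rules from this page plus constructed variants for the other paths.
EXAMPLE_RULE = '''rule ExampleRule : tc_detection malicious // Tags must be present
{
    meta:
        tc_detection_type = "Ransomware" // Has to be a valid RL malware type
        tc_detection_name = "Oof" // Can be an arbitrary malware family name
        tc_detection_factor = 5 // 0-5, where 5 is most dangerous
    strings:
        $1 = "example"
        $2 = { DE AD BE EF }
    condition:
        $1 or $2
}'''
PINEAPPLE_RULE = 'rule PineappleDetector : tc_detection malicious { strings: $1 = "pineapple" condition: $1 }'
SUSPICIOUS_RULE = '''rule SuspiciousDemo : tc_detection suspicious
{
    meta:
        tc_detection_type = "Trojan"
        tc_detection_name = "Demo"
        tc_detection_factor = 2
    condition:
        true
}'''
BAD_TYPE_RULE = SUSPICIOUS_RULE.replace('"Trojan"', '"Crypto"')  # not a valid type
UNTAGGED_RULE = 'rule NoTags { strings: $a = "x" condition: $a }'

if __name__ == "__main__":
    for text, fmt in ((EXAMPLE_RULE, "PE"), (PINEAPPLE_RULE, "Text"),
                      (SUSPICIOUS_RULE, "PE"), (BAD_TYPE_RULE, "PE"), (UNTAGGED_RULE, "PE")):
        rule = parse_rule(text)
        print(rule["name"], "->", classify(rule, fmt))
```

Running the script prints PE.Ransomware.Oof with risk score 10 for the page's ExampleRule, Text.Malware.YARA with risk score 10 for PineappleDetector (no meta), PE.Trojan.Demo with risk score 7 for the constructed suspicious rule, the Malware/YARA fallback for the rule with the unsupported type, and None for the rule without the tc_detection tag.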
If a file has been classified by a YARA rule, the Static Analysis > Classification section on the Sample Details page includes links to YARA rules that the file has matched. Clicking the link to a ruleset redirects to the yara page containing the selected ruleset and its matches.
To find files tagged by YARA rules on the appliance or in the Spectra Intelligence cloud, use the tag-yara keyword on the Search page. For example, the search query tag-yara:malicious threatname:*ransomware* returns all files classified as malicious by YARA rules, with “ransomware” in their detected threat name.
All files that match the YARA rule are automatically tagged with those custom tags after analysis. If a file has any YARA tags, they can be found in the Static Analysis > Classification > YARA > Tags section on the Sample Details page.
Changes to YARA tags are not immediately reflected in the Search results. When a YARA tag is added, changed, or removed from a rule, the files that match the rule must be reanalyzed with Spectra Core first. Alternatively, you can also run a local retro scan.
For example, if a YARA tag “test” is renamed to “test2”, searching for tag-yara:test returns the same results until all matching files are reanalyzed with Spectra Core. After they are reanalyzed, the files can be found with the new tag, tag-yara:test2, and the old tag will not return any results.
How YARA Hunting Works on Spectra Analyze
Spectra Analyze contains default YARA rulesets, but also allows users to create and edit custom rulesets, as well as to synchronize rulesets with other ReversingLabs products.
The default YARA rulesets are called Spectra Core rulesets. They can be accessed by selecting the “Spectra Core Rulesets” option in the filter pull-down menu on the YARA Hunting page. Those rulesets are applied only to local files on the appliance (through Continuous Local Matching). Spectra Core rulesets cannot be saved to the cloud or modified (edited, disabled, or deleted) in any way by any type of user.
Rulesets present on Spectra Analyze by default are open source, and published by ReversingLabs in a public GitHub repository. Additional rulesets can be imported as files, or from online sources, straight from the YARA page. For more information on importing rulesets, refer to the YARA Repository Management chapter.
Files are matched against YARA rulesets on the Spectra Analyze appliance in four different ways.
- Continuous Local Matching (Default)
When a YARA ruleset is created on or uploaded to Spectra Analyze, it continuously looks for matches among local files that are added to the Spectra Analyze appliance after the ruleset has been created. This is the default behavior when Spectra Intelligence is not configured on the appliance, and when a YARA ruleset is not saved to Spectra Intelligence.
Local matches for rulesets cannot be removed from the list of matches on the YARA page.
- Continuous Cloud Matching
When a new or existing YARA ruleset is selected to run continuously in the Spectra Intelligence cloud, it looks for matches among files that are added after the ruleset has been created. This includes local files added to the Spectra Analyze appliance, and files in the cloud uploaded through various ReversingLabs services (such as APIs).
The prerequisite for Continuous Cloud Matching is that the Spectra Analyze appliance is connected to Spectra Intelligence.
Important Note
Every Spectra Analyze instance must be connected to a different Spectra Intelligence account. Sharing accounts between multiple instances can interfere with the functionality of the appliance (particularly with YARA rule synchronization). Appliance administrators should ensure that the cloud account credentials are properly configured in the Administration > Configuration > Spectra Intelligence dialog.
YARA rulesets that are saved to Spectra Intelligence can match up to 10 000 samples. When a ruleset reaches that many matches, it will be capped and new matches will no longer be stored on the Spectra Analyze appliance. To free up space and continue collecting new matches for the ruleset, users have to remove at least 1000 old matches.
Find more information in the Hunting for Malware in the Spectra Intelligence cloud with YARA section.
- Retroactive Cloud Matching
When a new or existing YARA ruleset is selected to run continuously in the Spectra Intelligence cloud, and the YARA Retroactive Hunting feature is enabled on the appliance, the ruleset can be selectively matched against files in the cloud that have been analyzed in the past 90 days.
The ruleset will continuously look for new matches among local files that are added to the Spectra Analyze appliance while a Cloud Retro scan is in progress.
Find more information in the Cloud Retro Hunting section.
- Retroactive Local Matching
When the YARA Retroactive Hunting feature is started, all rulesets that are active (enabled) on the appliance will be included in a Local Retro scan. This also includes the default Spectra Core rulesets. While a Local Retro scan is in progress, the appliance still continues to analyze new files that are added to the appliance. The processing priority is given to newly added files to prevent delays.
The Local Retro scan runs against all local files regardless of their age and analysis date. If users want to prevent the Local Retro scan for one or more rulesets, those rulesets have to be disabled on the appliance.
Local Retro matches for rulesets cannot be removed from the list of matches on the YARA page.
Find more information in the Local Retro Hunting section.
Understanding the YARA Page
Clicking the Yara item in the top-level menu brings the user to the YARA Hunting page, which displays a list of rulesets (collections of YARA rules) and matching statistics.
Filters
The search bar allows users to filter the list of rulesets by typing the full or partial name of a ruleset. Enclose the search string in quotation marks for exact name matching.
Next to the search bar, several menus allow filtering according to ruleset ownership, status and source (for imported rulesets).
Some notes on the possible choices:
- Under the ownership menu, "User Rulesets" will show all rulesets from all users except the current user ("My Rulesets")
- Under the status menu, you can find rulesets with warnings (for example, with a syntax error), as well as rulesets that were capped in Spectra Intelligence
Filters are reflected in the URL (as query parameters), which means that you can share a filtered page. For example:
?name=yippee-ki-yay&owner=owner_user_jmcclane&status=enabled
...will present a page where the ruleset names contain "yippee-ki-yay", where their owner is user jmcclane (note the "owner_user_" prefix), and where such rulesets are enabled.
Actions
The indicators and buttons in the top right of the page display the actions and status information related to YARA Retroactive Hunting.
- The Add Ruleset button provides the options to create, import or upload rulesets.
- The Actions button allows starting a Local Retro Scan on all active rulesets on the appliance, and contains links to the list of previous retro hunts and YARA repository management. The retro hunt list is also accessible via the Open Retro Hunt List button.
- The gear icon menu allows the users to customize the YARA table columns and date format.
- The synchronization status indicator is visible only if Spectra Intelligence is correctly configured on the appliance, and if at least one YARA ruleset on the appliance is saved in the Spectra Intelligence cloud. Hovering over the indicator with the mouse activates a “Skip To” link that can be used to postpone ruleset synchronization.
Results
If a ruleset is greyed out on the page, it is disabled. Disabled rulesets are not active on the appliance and are not included in any of the Local, Cloud, or Retro scans.
Clicking the star icon next to the ruleset adds it to favorites for the current user. Favorite rulesets are listed in the YARA Matches section on the Dashboard. Up to 10 rulesets can be added to favorites.
Every ruleset has one or more status indicators. Hovering over the indicator icon displays a tooltip with more information about every status.
The far right action menu (☰) for each ruleset contains options for testing, editing, exporting, disabling, and deleting the ruleset, and options to subscribe (create Alerts for new YARA matches) or unsubscribe from a ruleset.
Spectra Core rulesets can only be edited and exported, but not disabled or deleted. Selecting the Edit option for a Spectra Core ruleset opens the ruleset editor where the user can preview and copy the contents of the ruleset, but cannot save any changes to it.
Creating New YARA Rulesets
YARA rulesets on the Spectra Analyze appliance can be created from scratch, uploaded as files, or imported from a number of popular online sources. There is also a YARA API.
ReversingLabs products, including Spectra Analyze, support the following YARA modules:
- PE
- ELF
- Dex
- Macho
- String
- Math
- Hash
- Time
- Dotnet
“Import” and “include” statements are not supported.
To upload or import rulesets from external files and sources, click the Add Ruleset button at the top right of the YARA page. The dropdown menu offers three options: Create Ruleset, Upload File and Import from Online Sources.
Importing from online sources provides a list of predefined and custom (if configured) sources, and contains an additional step of allowing the selection of which rulesets or individual rules to import. Invalid rules will, depending on the parser, be either imported as disabled or not imported at all.
Once the process finishes, imported rulesets can be edited and synced to other appliances if YARA sync is enabled.
To write a new ruleset, select the Add Ruleset > Create Ruleset option in the top right of the page. This opens the YARA Ruleset Editor.
For more information on writing YARA rulesets, consult one of the following sources:
- ReversingLabs publishes guidance for using YARA on the official blog. See the blog posts “Level up your YARA game” , “Writing detailed YARA rules for malware detection” and “Five Uses of YARA” to learn more.
- The official YARA documentation offers detailed advice on how to write YARA rules.
- Use Spectra Core rulesets present on the appliance as reference.
YARA Ruleset Restrictions
- Naming restrictions:
  - YARA ruleset names must be between 3 and 48 characters.
  - The underscore ( _ ) should be used instead of spaces, and any other special characters should be avoided. Ruleset names should only use numbers (0-9) and a-z/A-Z letters.
- Ruleset size restrictions:
  - A ruleset file should not be larger than 4 MB.
  - A ruleset file should not contain more than 5000 individual rules.
  - A ruleset larger than 1 MB (1048576 bytes) cannot be saved and run in the Spectra Intelligence cloud.
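The following Python script is an added example (not part of the original documentation and not a ReversingLabs tool) of a pre-upload check that applies the restrictions listed above to a ruleset before it is uploaded or published: name length and character set, file size, the 1 MB cloud cap, the number of individual rules, and the unsupported import/include statements mentioned earlier on this page. The rule counter is a regex over rule headers, so it is a lint rather than a full YARA parse; the rulesets it checks are constructed for the example.

```python
import re

# Limits from the YARA Ruleset Restrictions list above.
NAME_MIN, NAME_MAX = 3, 48
FILE_MAX_BYTES = 4 * 1024 * 1024   # 4 MB per ruleset file
RULES_MAX = 5000                   # individual rules per ruleset
CLOUD_MAX_BYTES = 1048576          # 1 MB cap for running in Spectra Intelligence
NAME_RE = re.compile(r"[A-Za-z0-9_]+")
# A rule header: optional private/global modifiers, then "rule <identifier>".
RULE_HEADER_RE = re.compile(r"^\s*(?:(?:private|global)\s+)*rule\s+\w+", re.M)
IMPORT_RE = re.compile(r'^\s*(?:import|include)\s+"', re.M)


def count_rules(text):
    """Count rule headers after dropping // comments. A 'rule' at line start
    inside a /* */ comment or a string would still be counted (lint, not parse)."""
    return len(RULE_HEADER_RE.findall(re.sub(r"//[^\n]*", "", text)))


def check_ruleset(name, text, for_cloud=False):
    """Return a list of 'code: message' strings; an empty list means within limits."""
    problems = []
    if not NAME_MIN <= len(name) <= NAME_MAX:
        problems.append(f"name-length: {len(name)} characters, allowed {NAME_MIN}-{NAME_MAX}")
    if not NAME_RE.fullmatch(name):
        problems.append("name-chars: use only a-z, A-Z, 0-9 and '_' (no spaces)")
    size = len(text.encode("utf-8"))
    if size > FILE_MAX_BYTES:
        problems.append(f"file-size: {size} bytes exceeds {FILE_MAX_BYTES}")
    if for_cloud and size > CLOUD_MAX_BYTES:
        problems.append(f"cloud-size: {size} bytes exceeds {CLOUD_MAX_BYTES}, "
                        "cannot run in Spectra Intelligence")
    rules = count_rules(text)
    if rules > RULES_MAX:
        problems.append(f"rule-count: {rules} rules exceeds {RULES_MAX}")
    if IMPORT_RE.search(text):
        problems.append("import-include: import/include statements are not supported")
    return problems


# Constructed inputs for the checks (not real rulesets from an appliance).
GOOD_RULESET = '''
rule SmallOne : tc_detection suspicious
{
    strings:
        $a = "constructed sample string"
    condition:
        $a
}
private rule Helper { condition: filesize < 1MB }
'''
TOO_MANY_RULES = "\n".join(f"rule r{i} {{ condition: true }}" for i in range(RULES_MAX + 1))
TOO_BIG_FOR_CLOUD = "// " + "x" * CLOUD_MAX_BYTES + "\n" + GOOD_RULESET
WITH_IMPORT = 'import "pe"\n' + GOOD_RULESET

if __name__ == "__main__":
    for label, name, text, cloud in (
        ("ok", "Constructed_Ruleset_1", GOOD_RULESET, True),
        ("bad name", "my ruleset", GOOD_RULESET, False),
        ("too many rules", "Big_One", TOO_MANY_RULES, False),
        ("too big for cloud", "Big_Comment", TOO_BIG_FOR_CLOUD, True),
        ("import", "Uses_PE", WITH_IMPORT, False),
    ):
        print(label, "->", check_ruleset(name, text, cloud) or "OK")
```

The cloud-size check only fires when for_cloud is set, mirroring the restriction: a ruleset between 1 MB and 4 MB is acceptable for local matching but cannot be run continuously in Spectra Intelligence.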
When creating a new ruleset in the editor, you can select whether the ruleset will be immediately enabled after saving changes by selecting the Enable Ruleset checkbox. If the checkbox is not selected, the ruleset will be disabled after it is created, and files will not be matched against it until you enable it.
To save a newly created ruleset in the Spectra Intelligence cloud, select the Run ruleset continuously in Spectra Intelligence checkbox in the ruleset editor.
The appliance administrator can enable automatic upload of YARA rulesets to Spectra Intelligence in the Administration > Configuration > YARA Cloud Settings configuration dialog. If this option is enabled on the appliance, the Run ruleset continuously in Spectra Intelligence option will be automatically selected by default in the YARA ruleset editor.
When done making changes to the new ruleset in the editor, click the Save & Close button. If the new ruleset is validated, it appears in the list of rulesets on the YARA page.
Clicking Save & Publish will save the ruleset and add it to the synchronization queue. This button will be visible only to users with the appropriate user role.
If one or more rulesets are saved in Spectra Intelligence, an indicator of synchronization status is visible in the upper right part of the YARA page.
Editing Rulesets and Restoring Previous Ruleset Versions
All Spectra Analyze users with the appropriate user roles can edit or delete all YARA rulesets on the appliance, except Spectra Core rulesets.
Clicking the Edit item in the ruleset action menu (☰) on the YARA page opens the ruleset editor. The editor allows modifying an existing YARA ruleset, saving it to Spectra Intelligence, and managing different versions of the same ruleset. Users can also manually enable or disable a ruleset by selecting the Enable ruleset checkbox.
Every time a ruleset is edited and saved, a new version of the ruleset is created. The versions are visible both in the Version filter on the ruleset's page and in the YARA ruleset editor.
The statistics about matches of every ruleset version are preserved and displayed, allowing users to compare their efficacy.
In the YARA ruleset editor, the user can restore any previous version of a ruleset to overwrite new changes. Click the History menu to open the pull-down list with ruleset versions. Click the Load link next to the ruleset version that should be restored, then click the Save button to apply changes and activate the selected version.
Clicking Save & Close returns to the YARA page after saving changes, while clicking Save allows the user to remain in the ruleset editor and keep making changes. It is not possible to save an empty ruleset (a ruleset without any text in the Rules field), or a ruleset without a name.
The Save & Publish button saves the ruleset and adds it to the synchronization queue. This button is visible only to users with the appropriate user role.
Optionally, test the ruleset before saving and/or publishing to check if it’s correctly matching the desired samples.
The ruleset editor also displays information about the user who added the ruleset, and the user who last edited it.
Editing a ruleset does not change its ownership. For example, if user test1 creates a ruleset and another user test2 saves changes to the same ruleset, user test1 is still the owner of the ruleset. In this scenario, only the user test1 can delete the ruleset.
When a user account is deleted from the Spectra Analyze appliance, all YARA rulesets owned by that deleted user are automatically transferred to the administrator account that deleted the user.
Validation indicators visible on the main YARA page are also displayed in the ruleset editor. Depending on the modifications made to the ruleset, the validation indicators can change (for example, when a ruleset is saved to Spectra Intelligence).
YARA Test Run Page: Testing Rulesets
When writing a new ruleset in the editor, you can test run a ruleset against a predefined set of samples to check if the ruleset matches everything it should. The YARA Test Run page can be accessed via the ruleset editor, or using the Test Ruleset option in the (☰) menu of a particular ruleset in the table.
Samples can be added to the testing page either directly by hash, or using tags. You can select up to 5 tags, which will load 100 latest submitted samples from the selected tags. If unsure about a specific tag name, the tag menu also serves as a search box. Once the page is populated with samples, you can tweak the ruleset by clicking the Edit Ruleset button, or perform a YARA test run by clicking the Run Test button.
After the test is complete, the samples list shows the test results in the far right column of the table. If you tweak the ruleset again and Retest it, new test results will show up alongside the old ones in the rightmost column. This way, you can compare the results of up to four previous runs. Test result icons, when clicked, open up a hex preview with the highlighted portion of the binary that was matched in the test run, as well as its ASCII representation.
Run New Test clears the previous results.
Enabling and Disabling Rulesets
YARA rulesets cannot be enabled or disabled while their Cloud or Retro validation is pending, or while a Retro scan on the rulesets is in progress.
For individual rulesets: on the right side of the page, click the triple bar button (☰) to open the ruleset action menu. In the menu, click Enable or Disable. Alternatively, click the ruleset to open its page showing a list of matches, and disable the "Enable Ruleset" switch in the top right of the page.
For multiple rulesets at once: select the checkboxes to the left of each ruleset name. When the rulesets are selected, open the main action menu by clicking the triple bar button (☰) in the toolbar, on the right side of the YARA page. In the menu, select the Enable or Disable option.
The YARA page dynamically displays rulesets as enabled or disabled, one by one.
Managing YARA Ruleset Matches
Every ruleset on the YARA page can be clicked to show a list of files that matched one or more YARA rules in the selected ruleset.
When a ruleset is opened, various statistics are displayed below the ruleset name and filters: Total Matched Samples, Most Matched Rule, Most Matched Format, Most Matched Threat Type. The top right of the page contains options to Edit Ruleset, and an Actions menu allowing the users to test, edit, export, disable or delete the ruleset, and to subscribe/unsubscribe. In addition to these buttons, there are switches to enable/disable the ruleset, and to run the ruleset in Spectra Intelligence cloud.
To the right of the statistics boxes is an arrow button that expands each of the statistics into a graphical display. Colored sections on the graph can be clicked to actively filter out the results table below.
The table can also be filtered using the dropdown menus at the top of the ruleset’s page: by ruleset version, by a specific rule, classification, format, threat type and the first seen date.
Several different filters can be active at the same time. The filters can be cleared to their default values by clicking the Clear button.
Ruleset matches can be filtered to display only those files that matched a particular rule. To do that, select the rule in the pull-down list under the ruleset name.
The information about ruleset matches is divided into columns. All columns can be sorted in ascending or descending order by clicking the column name.
From left to right, the columns are:
- source indicator (local or cloud; if the file is not available for download from Spectra Intelligence, a light gray cloud icon is displayed),
- status indicator (as explained in the Quick Guide to Spectra Analyze section),
- time when the file matched the selected ruleset,
- time when the sample was first seen,
- time when the sample was last seen,
- threat name (if detected; applies to malicious and suspicious samples only),
- file name (or SHA1 hash),
- name of the YARA rule that triggered the match,
- file format (for cloud matches, displays “Unknown” if file format information for a sample is not stored in the Spectra Intelligence cloud),
- the number of extracted files,
- the file size.
The right side of the page contains two buttons with more options to filter the list of ruleset matches:
On the right side of every match in the list, there is a triple bar button (☰) that activates the actions menu with different options.
For local matches, the options include:
- Delete sample - removes the submission. This action is visible to users only for files and URLs they have submitted themselves. Regular users cannot delete files and URLs submitted by other users. Administrators can see this menu item for all submissions, and delete all submissions regardless of who created them.
- Copy to my submissions - available only if the sample was submitted by a different user. Selecting this adds the sample to the submissions for the current user.
- Download sample - downloads the file from the appliance to the local storage
- Download container - if the file is extracted, downloads its top-most parent from the appliance to the local storage
- Set classification - allows users to manually override file classification
- Subscribe and Unsubscribe - adds or removes the file from alert subscriptions
- Reanalyze - allows users to reanalyze the file with static, dynamic, or Spectra Intelligence analysis services
- Download Extracted Files - downloads files extracted during analysis to local storage
For cloud and cloud retroactive hunting matches, the options include:
- Fetch & Analyze - downloads the file to the appliance
- Reanalyze on Spectra Intelligence - reanalyzes individual files using the Spectra Intelligence analysis services
- Subscribe and Unsubscribe - adds or removes the file from alert subscriptions
Clicking a row in the list of matches expands it to show additional information about the file, as described in the Expanded Details section.
Clicking the file name opens the local or the Spectra Intelligence version of the Sample Details page for the selected file, depending on whether the sample is locally available.
Performing Bulk Actions on Ruleset Matches
Multiple files can be selected in the list of ruleset matches, and supported bulk actions can be performed on them.
Select the checkboxes on the left side of each individual file, or click the Select all N YARA matches link that appears above the list of matches when at least one sample is selected. It is also possible to select all matches by clicking the Select All checkbox on the left side of the Match Time column.
When one or more files are selected, the bulk action menu (☰) appears on the right side of the list (next to the Size column).
For local matches, the supported bulk actions include:
- Download samples - downloads the files from Spectra Analyze to the local storage
- Reanalyze - allows users to reanalyze the files with static, dynamic, or Spectra Intelligence analysis services
- Subscribe and Unsubscribe - adds or removes the files from alert subscriptions
- Apply tags - allows users to add custom tags to selected files
- Export data - exports information about selected files as a CSV file
- Download Extracted Files - downloads files extracted during analysis to local storage
For cloud and retro matches, the supported bulk actions include:
- Fetch & Analyze - downloads and analyzes the files to the Spectra Analyze appliance
- Remove - removes selected files from the list of matches for that particular ruleset
- Subscribe and Unsubscribe - adds or removes the files from alert subscriptions
- Download samples - downloads the files from Spectra Analyze to the local storage
- Export data - exports information about selected files as a CSV file
- Download Extracted Files - downloads files extracted during analysis to local storage
The exported CSV file with YARA matches contains the following information:
- threat status,
- risk score,
- threat name (if detected),
- time when the file matched the selected ruleset,
- file name,
- YARA rule that triggered the match,
- file format,
- the number of extracted files,
- the file size.
Managing YARA Rulesets with Warnings
Some YARA rulesets can slow down file processing on the Spectra Analyze appliance due to their length, scope, and other factors.
When uploading, editing, enabling and disabling such rulesets, the Spectra Analyze appliance displays a notification. The ruleset(s) are marked with a warning icon on the YARA Hunting page.
It is possible to filter the YARA Hunting page to display only rulesets with warnings by choosing the Rulesets with warnings item from the pull-down menu on the right. Those rulesets can then be disabled or edited to resolve the issue.
It takes some time for the system to update the ruleset status, so the warning icon does not disappear immediately after modifying a problematic ruleset.
Appliance administrators can access the list of rulesets with warnings from the Scale section of the System Status page. If there are any rulesets with warnings, the YaraWarnings icon will not be green, and will show the number of warnings instead.
Clicking the icon redirects to the YARA Hunting page filtered to display only rulesets with warnings. Here the offending rulesets can be edited or disabled to improve the processing speed of the appliance.
Hunting for Malware in the Spectra Intelligence cloud with YARA
By default, rulesets only run on files processed on the Spectra Analyze appliance (through Continuous Local Matching).
However, rulesets can be synchronized with Spectra Intelligence and run on a massive amount of files processed daily by ReversingLabs systems, greatly expanding the potential for YARA matches. If YARA Retroactive Hunting is enabled on the appliance, rulesets synchronized with Spectra Intelligence can also be run on files analyzed in the Spectra Intelligence cloud over the last 90 days.
To synchronize a YARA ruleset with Spectra Intelligence:
- Click the ruleset's name on the YARA page to open the page displaying a list of its matches. Enable the Run Ruleset in Cloud switch in the top-right corner of the page.
- Open the ruleset editor by clicking the Edit item in the ruleset action menu (☰). In the editor, select the Run ruleset continuously in Spectra Intelligence checkbox and click the Save or Save & Close button.
- Alternatively, the appliance administrator can enable automatic upload of YARA rulesets to Spectra Intelligence in the Administration > Configuration > YARA Cloud Settings configuration dialog. If this option is enabled on the appliance, the Run ruleset continuously in Spectra Intelligence option is automatically selected by default in the YARA ruleset editor.
When synchronized with Spectra Intelligence, the ruleset displays a cloud status indicator on the YARA page. Additionally, an indicator of synchronization status is visible in the upper right part of the YARA page. The indicator displays the date and time of last synchronization, and allows skipping the synchronization until the next day.
The number of matches stored for a ruleset synchronized with Spectra Intelligence is currently capped at 10 000 to limit the impact on Spectra Analyze. If a ruleset has hit this limit, its CLOUD status indicator on the YARA page gets a red X badge icon. New matches are no longer preserved for a ruleset that hits this limit.
If the appliance administrator has enabled the Automatic disabling of Cloud enabled YARA rulesets option in the Administration > Configuration > YARA Cloud Settings configuration dialog, every ruleset that reaches the limit is automatically de-synchronized from Spectra Intelligence.
To continue receiving new cloud matches for a ruleset that has reached the limit, users have to remove previous retro results from the ruleset’s action menu (☰) by clicking the Clear Retro Hunt option. Alternatively, open the ruleset’s page, configure the filters so that no matches of importance are removed, select all samples in the table and pick the Clear Cloud Matches option from the upmost (☰) menu.
To clear matches even more selectively, configure the filters, sort the table by source (click the first table column title so that the cloud matches are listed first) and select individual samples or entire pages of results and use the Clear Cloud Matches option on the selected samples.
Synchronizing YARA Rulesets with Other Appliances
Only appliance administrators can access the option to synchronize YARA rulesets.
If the Spectra Analyze appliance is connected to the ReversingLabs Spectra Detect Manager, it is possible to synchronize YARA rulesets to other appliances (Spectra Analyze, Spectra Detect Worker) connected to the same Spectra Detect Manager.
The synchronization needs to be configured on Spectra Detect Manager first, and then enabled in the Spectra Detect Manager section of the Spectra Analyze System Configuration page.
Select the Enable Syncing checkbox to enable YARA rule synchronization to other appliances from the current Spectra Analyze instance. When synchronization is enabled, every new ruleset created on the appliance automatically gets sent to the Spectra Detect Manager, and from there to other appliances that support YARA rule synchronization.
The synchronization is bidirectional, so any changes made to YARA rules on other appliances connected to Spectra Detect Manager also reach the current Spectra Analyze instance. New rulesets automatically appear on the Spectra Analyze YARA page. Rulesets retrieved from other appliances via Spectra Detect Manager synchronization are not visually distinguished from other rulesets on the YARA page.
Ruleset synchronization includes deleting and disabling rulesets. Deleting a ruleset on one appliance also deletes it on the others, if they are synchronized via Spectra Detect Manager.
When creating, deleting or editing rulesets, only users with the YARA Publish and Delete permission have the additional options Save & Publish / Delete & Publish that add the ruleset action to the synchronization queue. Other users with the appropriate YARA permission are only able to manage rulesets locally.
Important notes
- Spectra Core rulesets are not synchronized.
- If two users on different appliances make changes to the same ruleset at the same time, only the changes from the appliance that syncs with Spectra Detect Manager first will be applied. Synchronization with Spectra Detect Manager happens approximately every ten minutes.
YARA Status
If YARA syncing is enabled, the YARA page shows a YARA Status indicator to show the current synchronization status, and to indicate if any rulesets are out of sync. In case some rulesets are not synchronized, which is indicated by a red X badge, users can click the Show Status link to see which rulesets are not synchronized and Republish them.
YARA Repository Management
YARA rulesets can be imported from preconfigured online repositories or from custom repositories added by admins or authorized users.
To add a new repository, navigate to Administration > YARA Repositories or select Actions > Manage YARA Repositories.
Click the Add Repository button, then enter the repository URL and name (both mandatory), along with the API token if the repository requires authentication.
Repositories can be set to automatically update and/or import new or modified rulesets. If enabled, the system will monitor the repository for changes, and any updates will be imported by the yara_import_service_user account.
If automatic updates or imports are not enabled, the repository will appear in the Import From Online Sources list, and rules will only be imported when a user manually triggers the import. In this case, the imported rules will be owned by the user performing the import.