Advanced Malware Detection with YARA Integration
Learn how to integrate YARA rules into Pompelmi for advanced malware detection in file uploads.
Advanced Malware Detection with YARA Integration
While MIME validation and ZIP inspection catch many threats, sophisticated malware requires more advanced detection. That’s where YARA comes in.
What is YARA?
YARA (Yet Another Ridiculous Acronym) is a pattern matching tool designed for malware researchers. It allows you to create rules that identify malicious files based on textual or binary patterns.
Why Combine Pompelmi + YARA?
Pompelmi’s built-in protections handle common attacks, but YARA adds:
- Custom signature detection for known malware families
- Behavioral pattern matching for suspicious code
- Domain-specific rules tailored to your threat model
- Community-driven rule sets from security researchers
Setting Up YARA with Pompelmi
Installation
npm install pompelmi @pompelmi/engine-yara @pompelmi/express-middlewareBasic Configuration
import { createUploadGuard } from '@pompelmi/express-middleware';import { composeScanners, CommonHeuristicsScanner } from 'pompelmi';import { createYaraScanner } from '@pompelmi/engine-yara';
const yaraScanner = createYaraScanner({ rulesPath: './rules/malware-detection.yar' });
const scanner = composeScanners( [ ['heuristics', CommonHeuristicsScanner], ['yara', yaraScanner], ], { parallel: false, stopOn: 'malicious' });
const guard = createUploadGuard({ scanner, failClosed: true });Creating YARA Rules
Here’s a simple rule to detect EICAR test files:
rule EICAR_Test_File { meta: description = "EICAR test file" author = "Pompelmi Team"
strings: // Do not store the literal EICAR string in source — it triggers AV on developer machines. // Obtain the official string from https://www.eicar.org/download-anti-malware-testfile/ $eicar = { 58 35 4F 21 50 25 40 41 50 5B 34 5C 50 5A 58 35 34 28 50 5E 29 37 43 43 29 37 7D 24 45 49 43 41 52 2D 53 54 41 4E 44 41 52 44 2D 41 4E 54 49 56 49 52 55 53 2D 54 45 53 54 2D 46 49 4C 45 21 24 48 2B 48 2A }
condition: $eicar}Advanced Pattern Matching
Detect suspicious PowerShell scripts in uploaded files:
rule Suspicious_PowerShell { meta: description = "Detects potentially malicious PowerShell"
strings: $download1 = "DownloadString" nocase $download2 = "DownloadFile" nocase $exec1 = "Invoke-Expression" nocase $exec2 = "IEX" nocase $bypass = "ExecutionPolicy Bypass" nocase
condition: any of ($download*) and any of ($exec*) or $bypass}Real-World Integration Example
Complete setup for a production Express application:
import express from 'express';import multer from 'multer';import { createUploadGuard } from '@pompelmi/express-middleware';import { composeScanners, CommonHeuristicsScanner, createZipBombGuard } from 'pompelmi';import { createYaraScanner } from '@pompelmi/engine-yara';
const upload = multer({ storage: multer.memoryStorage() });const app = express();
const yaraScanner = createYaraScanner({ rulesPath: './security-rules/', timeoutMs: 30_000,});
const scanner = composeScanners( [ ['zipGuard', createZipBombGuard({ maxEntries: 500 })], ['heuristics', CommonHeuristicsScanner], ['yara', yaraScanner], ], { parallel: false, stopOn: 'malicious', tagSourceName: true });
const guard = createUploadGuard({ includeExtensions: ['pdf', 'jpg', 'png'], maxFileSizeBytes: 10 * 1024 * 1024, failClosed: true, scanner, onScanEvent: (ev: unknown) => { const event = ev as Record<string, unknown>; if (event.verdict !== 'clean') { console.error('Threat detected:', event); } },});
app.post('/upload', upload.single('file'), guard, (req, res) => { res.json({ ok: true });});Performance Considerations
YARA scanning is computationally intensive. Optimize performance with:
1. Rule Organization
Group related rules and use fast conditions first:
rule Optimized_Detection { condition: filesize < 10MB and // Fast check first any of them // Then pattern matching}2. Timeout Configuration
Prevent slow scans from blocking your application:
{ yaraTimeout: 10000, // 10 second limit yaraMaxFileSize: 50 * 1024 * 1024 // Skip large files}Related posts:
- Pompelmi vs ClamAV: choosing the right scanner
- Reason codes and security observability
- CI/CD: scanning build artifacts with Pompelmi
app.post('/upload', upload.single('file'), async (req, res) => { // Accept upload immediately res.json({ uploadId: req.file.id, status: 'pending' });
// Scan in background await scanFileAsync(req.file.path);});Community Rule Sets
Leverage existing YARA rules:
- YaraRules Project: Community-maintained malware signatures
- Awesome YARA: Curated list of detection rules
- Custom Rules: Tailor to your specific threats
Monitoring and Alerts
Track detection metrics:
const scanner = createExpressAdapter({ onThreatDetected: (result) => { metrics.increment('threats.detected'); metrics.tag('rule', result.ruleName);
logger.warn('Malware detected', { file: result.filename, rule: result.ruleName, ip: result.clientIp }); }});Conclusion
YARA integration transforms Pompelmi from a file validator into a comprehensive malware detection system. Start with basic rules and expand as you identify threats specific to your application.
Ready to enhance your security posture? Continue with When to Use Pompelmi + YARA for implementation tradeoffs and rollout guidance.