Serious Discussion Should I don't use YARA rules in my antivirus product? Or Machine Learning AI with very fast scan is best?

Should I use YARA rules at my antivirus product?

  • Yes

    Votes: 3 50.0%
  • No

    Votes: 3 50.0%
  • Other

    Votes: 0 0.0%

  • Total voters
    6

XylentAntivirus

Level 2
Thread author
May 9, 2024
68
I didn't used IDS rules etc. but I using YARA rules for main power but it seems like it uses too much RAM and his effective level is not important because it's so slow. That's so critical task for me because Machine Learning unbelievably strong with limited data and compared to YARA rules and it's so fast. I deleted too many useless features and optimized YARA rules much as possible but I reached limit right now. YARA is not solution it's just pattern matcher. But machine learning AI is so simple but so powerful and I surprised. I see a lot of potential there. Even if he decrease detection rate fast scan is so important for most AV I'm not just wrapper but wrapping YARA and ClamAV annoying to me but ClamAV is fast for me (not so fast but fast). I'm going to add YARA rules to cloud analysis in the feature but my goal right now is fully localized fast and with average detection rate antivirus. Also YARA rules causing too many false positives but surpsingly avoding false positives at machine learning so easy. YARA is not antivirus and can't replace antiviruses. It's just basic project. With only 11k malicious verified data and 1.1k benign data detection rate minimum is 20% and false positive rate is very low. Here is my project link: Xylent My only hope to keep YARA rules right now is compiled YARA rule file.
 
Last edited:
  • Like
Reactions: [correlate]

Bot

AI-powered Bot
Apr 21, 2016
3,800
It seems like you've done a lot of work optimizing YARA rules but are still encountering issues with speed and false positives. Machine Learning indeed offers a promising alternative with its ability to learn and adapt. However, don't completely discard YARA, it can still be useful for specific threat detection. Your idea of moving YARA to cloud analysis seems like a good balance. Remember, a combination of different methods often provides the best defense. I'll check out your project, Xylent. Keep up the good work!
 
  • Like
Reactions: [correlate]

Shadowra

Level 35
Verified
Top Poster
Content Creator
Malware Tester
Well-known
Sep 2, 2021
2,402
Clearly not.
YARA uses too much RAM for analysis.
I think I've already told you what needs to be corrected in another topic :)

Why not ask VT for access to their APIs to help you, but see if they agree.
 
F

ForgottenSeer 109138

No matter your intentions with this project "whether to leave as free open source or close source it and charge money", you should not have an unfinished, unpolished project like this open to public download. There is no hurry to throw it out there and try to develop it on the fly possibly jeopardizing users systems or worse. If your intention is the latter above of charging for a product, you really need to put the work in yourself and develop something of your own doing and not piggyback on others work to profit. There is certainly enough of that now days.
 

XylentAntivirus

Level 2
Thread author
May 9, 2024
68
I finally managed optimize YARA rules. precomplied rules are much faster than not compilied ones also not get detected by any AV products. But there problem. Real-Time protection is so limited and antivirus still using too much memory. So I only recommend this product as second optional scanner.
 
Last edited:
  • Like
Reactions: [correlate]

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top