The Wordfence Intelligence Malware Detection Feed provides YARA rules that can be used to scan filesystems and other data sources for malware.
This endpoint accepts no additional parameters and always returns the complete Malware Detection Feed.
The Malware Detection Feed is provided as plain-text (as opposed to platform-specific, precompiled) YARA rules. This file can be used directly with the YARA CLI to scan files for malware.
yara /path/to/malware_detection_feed.yara /some/path/to/scan
Many other tools can also directly consume YARA rules, and custom implementations can be created using either the yara-python library or the libyara C API directly. The Wordfence Intelligence Malware Detection Feed is compatible with any tools or libraries that support YARA.
The Wordfence Intelligence Malware Detection Feed is tested using YARA 3.9.0 and is intended to be compatible with YARA versions 3.9.0 and later.
Rules in the Malware Detection Feed are tagged with the category of malware they detect as well as the language or filetype associated with the malware. Note that these tags can be used for filtering purposes but do not perform any filtering by default.
The current category tags include:
The current filetype tags include:
It is possible to filter output by tag in the YARA CLI client using the --tag= switch. For example, to recursively scan the current directory and only print files that match a rule tagged with Backdoor, you can use the following command:
yara -r --tag=Backdoor malware_detection_feed.yara .
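The same tag filter can be applied in a custom implementation built on the yara-python library mentioned above. The following is an added example, not code from Wordfence: the function names, the 60-second timeout and the choice to skip symlinks are assumptions of the example, and it matches tags exactly and case-sensitively.

```python
import os
from collections import defaultdict


def select_by_tag(matches, wanted_tags):
    """Keep matches whose rule carries at least one wanted tag (exact match)."""
    wanted = set(wanted_tags)
    return [m for m in matches if wanted.intersection(m.tags)]


def scan_tree(rules_path, root, wanted_tags, timeout=60):
    """Recursively scan root; return {file path: [rule names]} for tagged hits."""
    import yara  # yara-python; imported here so select_by_tag works without it

    # Compile the plain-text feed once and reuse it for every file.
    rules = yara.compile(filepath=rules_path)
    hits = defaultdict(list)
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            # Example's choice: scan regular files only, do not follow symlinks.
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            try:
                matches = rules.match(filepath=path, timeout=timeout)
            except yara.Error as exc:  # unreadable file, scan timeout, ...
                print(f"skipped {path}: {exc}")
                continue
            # Without this step every matching rule is reported, because
            # tags do not filter anything by default.
            for match in select_by_tag(matches, wanted_tags):
                hits[path].append(match.rule)
    return dict(hits)


if __name__ == "__main__":
    import sys

    # usage: python scan_by_tag.py malware_detection_feed.yara /some/path/to/scan
    found = scan_tree(sys.argv[1], sys.argv[2], ["Backdoor"])
    for path, rule_names in found.items():
        print(path, ", ".join(rule_names))
```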
The full documentation for our targeted version of YARA can be found at https://yara.readthedocs.io/en/v3.9.0/. Further information on running YARA from the command line can be found at https://yara.readthedocs.io/en/v3.9.0/commandline.html.