YARA – A pattern-matching Swiss knife for malware researchers (virustotal.github.io)
101 points by Daviey on Oct 22, 2019 | hide | past | favorite | 12 comments


Note that it can be integrated with radare2[1], the reverse engineering framework and toolset. The integration will allow you to apply and generate YARA signatures from within. There are two plugins - to use radare2 from Yara[2], and Yara from radare2[3]. The second one you can install using the embedded r2 package manager: `r2pm -i yara`

[1] https://github.com/radareorg/radare2

[2] https://r2yara.readthedocs.io/en/latest/

[3] https://github.com/radareorg/radare2-extras/tree/master/yara


Fun fact: XProtect on macOS uses YARA to match known malicious software. The database is at /System/Library/CoreServices/XProtect.bundle/Contents/Resources/XProtect.yara if you'd like to look at it yourself.


Yep. And YARA lives at /System/Library/PrivateFrameworks/yara.framework

I had a problem a few years ago with YARA consuming all CPU time while on battery and never finishing whatever it was doing.


On macOS, see also:

   /System/Library/PrivateFrameworks/yara.framework

   man yara

PS: I wish VirusTotal had a high-rate, free API that could be used as the basis for local endpoint scanners.


Love me some Yara. It’s totally the best.


YARA reminds me of the venerable "file" utility, and I wonder if YARA could be used in place of it to identify non-malware files that "file" has trouble identifying.


The syntax isn't as nice as YARA's, but you can extend file's capabilities if you need by writing a custom magic file - see 'man 5 magic'.
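As an added illustration of the file(1) comparison above (not code from the thread or from the YARA project), here is a small YARA ruleset that identifies file types from their leading bytes the way magic(5) entries do. Rule names, descriptions and the chosen formats are assumptions for the example.

```yara
// Constructed example: file-type identification with YARA, in the spirit of file(1).
// Run with:  yara -s filetypes.yar /path/to/samples
// -s prints the matched strings and their offsets, handy for checking an entry.

rule png_image
{
    meta:
        description = "PNG image: 8-byte signature at offset 0"
    strings:
        $magic = { 89 50 4E 47 0D 0A 1A 0A }
    condition:
        $magic at 0
}

rule elf_binary
{
    meta:
        description = "ELF executable or shared object"
    condition:
        // The integer-read functions avoid a strings section entirely.
        // 0x7F 'E' 'L' 'F' read as a little-endian uint32 is 0x464C457F.
        uint32(0) == 0x464C457F
}

rule pdf_document
{
    meta:
        description = "PDF: header allowed up to 1 KiB into the file, as file(1) tolerates"
    strings:
        $hdr = "%PDF-"
    condition:
        $hdr in (0..1024)
}

rule ooxml_document
{
    meta:
        description = "Office Open XML (docx/xlsx/pptx): ZIP container carrying [Content_Types].xml"
    strings:
        $zip = { 50 4B 03 04 }
        $ct  = "[Content_Types].xml"
    condition:
        // Plain $zip at 0 alone would also match every ordinary ZIP archive.
        $zip at 0 and $ct
}
```

On YARA builds compiled with the optional `magic` module, `import "magic"` and conditions such as `magic.mime_type() == "application/pdf"` hand the identification to libmagic directly, which is the closest equivalent of calling file(1) from a rule.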


YARA is amazing, anybody have some good collections of rules?


"site:github.com filetype:yar" usually yields a few good ones. It's probably easier if you're more specific as to which specific use case you have in mind.

And yes, Yara is a godsend. :)


How well do these tools work against code built using obfuscating compilers?


YARA - Yet Another Regex App


Yara is an awesome tool



