🛡 Malware Signature Scanner
A Python-based malware signature scanner using YARA — ideal for detecting malicious files through custom rules.
⸻
🧩 Libraries Used
The project uses a mix of standard Python libraries and one third-party module:
Library: Description
• zipfile: Standard Python module to read and extract .zip archive files. Used to scan inside compressed malware samples.
• rarfile: Third-party library to handle .rar archive files. Lets the scanner look inside RAR-compressed malware samples. Requires the unrar backend to be installed.
• os: Provides access to OS-level functionality such as file paths, directory walking, and environment variables.
• threading: Used to create concurrent scanning threads, allowing the scanner to process multiple files at the same time (improves performance on large datasets).
• queue: Thread-safe queue structure used to pass file paths between the producer (scanner) and the consumer (worker threads). Helps coordinate multi-threaded execution safely.
• hashlib: Computes cryptographic hashes (such as SHA-256) for files. Useful for identifying duplicates, logging, and creating unique signatures.
• fnmatch: Simplifies filename pattern matching using Unix shell-style wildcards. Helps identify files like *.exe, *.dll, or *.js when scanning folders.
These libraries collectively support:
• Archive unpacking (zipfile, rarfile)
• Efficient file traversal (os, fnmatch)
• Concurrent file scanning (threading, queue)
• File fingerprinting (hashlib)
⸻
Purpose
This tool mimics antivirus signature scanners, using YARA rules to identify malware in files and directories. It logs detections and offers flexibility via command-line options.
⸻
Features
• Scan directories or individual files for YARA rule matches
• Read rules from the workspace or a user-specified folder
• Log detections with timestamps
• Flexible CLI for custom scans:
python3 MalwareSig.py -r /path/to/rules -m /path/to/samples
⸻
Dependencies & Installation
• Python 3.8+
• yara-python: Python bindings for YARA (pattern-matching engine)
Install the YARA bindings:
pip3 install yara-python
⸻
Usage
python3 MalwareSig.py
python3 MalwareSig.py -r rules/ -m test_samples/
python3 MalwareSig.py -h
Detected logs are saved in the logs/ directory with timestamps.
⸻
Project Structure
/
├── logs/            # Detection logs
├── malware_files/   # Sample files to scan
├── rules/           # YARA rule files
├── MalwareSig.py    # CLI + scan orchestrator
└── YaraScanner.py   # YaraScanner class for rule compilation & scanning
⸻
How It Works
Inside YaraScanner.py:
1. make_dict() builds a mapping of rule file names to paths, ready for compilation
2. scan_files() compiles the rules and iterates over the samples
3. yara_sig_check() applies the rules to each file and logs any matches
MalwareSig.py handles argument parsing, dispatches to YaraScanner, and manages log generation.
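The pipeline that the Libraries Used table and the three YaraScanner.py steps describe, as an added, self-contained example (not the project's own code): os.walk plus fnmatch select files, a queue feeds worker threads, each file is SHA-256 fingerprinted, .zip members are scanned in place, and a signature check is applied. The SIGNATURES dict is a constructed stand-in for the compiled YARA rules (the real scanner calls yara-python); the sample files in demo() are constructed and harmless.

```python
import fnmatch, hashlib, os, queue, re, tempfile, threading, zipfile
from pathlib import Path

# Constructed stand-in for the Suspicious_JS rule (eval( plus a \xHH escape); the real scanner uses yara-python.
SIGNATURES = {"Suspicious_JS": lambda d: b"eval(" in d and re.search(rb"\\x[0-9a-fA-F]{2}", d) is not None}
SCAN_GLOBS = ("*.js", "*.exe", "*.dll", "*.zip")  # fnmatch patterns for files worth scanning
wanted = lambda name: any(fnmatch.fnmatch(name, g) for g in SCAN_GLOBS)

def yara_sig_check(data):
    """Apply every signature to one file's bytes; return the names of the rules that matched."""
    return [rule for rule, check in SIGNATURES.items() if check(data)]

def scan_file(path):
    """SHA-256 fingerprint and scan one file; a .zip is opened and its members are scanned instead."""
    items = [(path, Path(path).read_bytes())]
    if zipfile.is_zipfile(path):
        with zipfile.ZipFile(path) as zf:
            items = [(f"{path}!{m}", zf.read(m)) for m in filter(wanted, zf.namelist())]
    return {n: (hashlib.sha256(b).hexdigest(), yara_sig_check(b)) for n, b in items}

def scan_files(root, workers=4):
    """Producer/consumer scan: os.walk fills a queue, worker threads drain it concurrently."""
    q, results, lock = queue.Queue(), {}, threading.Lock()
    for dirpath, _, names in os.walk(root):
        for n in filter(wanted, names):
            q.put(os.path.join(dirpath, n))
    for _ in range(workers):
        q.put(None)  # one sentinel per worker tells it the queue is drained

    def worker():
        for path in iter(q.get, None):
            found = scan_file(path)
            with lock:  # merge per-file results into the shared dict safely
                results.update(found)

    threads = [threading.Thread(target=worker) for _ in range(workers)]
    for t in threads: t.start()
    for t in threads: t.join()
    return results

def demo():
    """Scan a constructed sample tree: a clean .js, a flagged .js and a zip hiding another one."""
    root = tempfile.mkdtemp()
    bad = b'eval("\\x31\\x2b\\x31");'  # constructed sample: hex-escaped "1+1", not real malware
    Path(root, "clean.js").write_bytes(b"console.log('hello');")
    Path(root, "mal.js").write_bytes(bad)
    with zipfile.ZipFile(os.path.join(root, "bundle.zip"), "w") as zf:
        zf.writestr("inner/payload.js", bad)
        zf.writestr("notes.txt", b"not a scan target")
    return {os.path.relpath(n, root): sigs for n, (_, sigs) in scan_files(root).items()}
```

Run demo() to see the archive member reported as bundle.zip!inner/payload.js while notes.txt is skipped by the glob filter.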
⸻
Sources & References
• Inspired by a university project demonstrating YARA-based signature scanning
• Uses YARA, a leading malware pattern-matching engine, portable across Windows/Linux/macOS and scriptable via yara-python
⸻
Next Steps
• Add an interactive CLI instead of flags
• Module-wide scanning (entire drives)
• Implement signature updates from a remote feed to mimic real antivirus workflows
⸻
✅ Testing Instructions
You can test the scanner with the included sample files and YARA rules, or with your own:
- Use Included Samples
python3 MalwareSig.py
This will:
• Scan files in the malware_files/ folder
• Use YARA rules from the rules/ folder
• Write detections to a timestamped .log file in the logs/ directory
- Test With Your Own Files & Rules
python3 MalwareSig.py -r /your/rules/path -m /your/samples/path
- Example Output
[2025-06-09 13:05:22] MATCH: Rule 'Suspicious_JS' in file '/test/malware.js'
⸻
📄 Example YARA Rule
rule Suspicious_JS
{
    meta:
        description = "Detects obfuscated JavaScript with eval and hex"
    strings:
        $eval = "eval("
        $hex = /\\x[0-9a-fA-F]{2}/   // a literal \xHH escape; the backslash itself must be escaped in a YARA regex
    condition:
        $eval and $hex
}
Save as rules/suspicious_js.yar and run the scanner against a folder containing suspicious .js files.
⸻
🔁 CI/CD Integration (Optional Setup)
If you’d like to integrate this scanner into a CI/CD pipeline (for example: scanning uploaded files in a dev/test flow), here’s a basic GitHub Actions setup:
.github/workflows/yara-scan.yml
name: YARA Malware Scanner

on:
  push:
    paths:
      - '**/*.py'
      - 'rules/**'
      - 'malware_files/**'

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v3
      - name: Set up Python
        uses: actions/setup-python@v4
        with:
          python-version: '3.10'
      - name: Install dependencies
        run: pip install yara-python rarfile
      - name: Run scanner
        run: python3 MalwareSig.py -r rules/ -m malware_files/
This will automatically scan the files in your repo each time a push changes a Python file, rules/ or malware_files/.
⸻
🔍 Advanced Enhancements (Ideas)
If you want to take it even further:
• ✅ Add automatic rule updates from a GitHub or external feed
• 🔄 Enable real-time directory monitoring (with watchdog)
• 🧪 Include unit tests using unittest or pytest for the core methods in YaraScanner.py
• 🌐 Integrate with a web dashboard for scan results (Flask or FastAPI)
• 📬 Send email/Slack alerts when signatures match
⸻
👥 Authors
• Daniel Vihorev
• Ilay Zendani (Cyber Consultant)
(Wild Life Cyber Security)
⸻
📜 License
All rights reserved to Daniel Vihorev and Ilay Zendani (Wild Life Cyber Security). For educational or private use only. Commercial usage prohibited without written permission.
⸻