{"id":14155604,"url":"https://github.com/evilsocket/sauron","last_synced_at":"2025-09-17T23:32:16.048Z","repository":{"id":66844728,"uuid":"525785789","full_name":"evilsocket/sauron","owner":"evilsocket","description":"A minimalistic cross-platform malware scanner with non-blocking realtime filesystem monitoring using YARA rules.","archived":false,"fork":false,"pushed_at":"2022-08-19T11:57:58.000Z","size":54,"stargazers_count":214,"open_issues_count":1,"forks_count":12,"subscribers_count":2,"default_branch":"main","last_synced_at":"2024-12-30T20:51:24.219Z","etag":null,"topics":["malware","scanner","signature","signatures","virus","yara"],"latest_commit_sha":null,"homepage":"","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/evilsocket.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-08-17T12:40:31.000Z","updated_at":"2024-12-12T12:30:33.000Z","dependencies_parsed_at":"2023-03-13T20:29:08.752Z","dependency_job_id":null,"html_url":"https://github.com/evilsocket/sauron","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/evilsocket%2Fsauron","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/evilsocket%2Fsauron/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/evilsocket%2Fsauron/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/evilsocket%2Fsauron/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/
hosts/GitHub/owners/evilsocket","download_url":"https://codeload.github.com/evilsocket/sauron/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":233430341,"owners_count":18675067,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["malware","scanner","signature","signatures","virus","yara"],"created_at":"2024-08-17T08:04:23.233Z","updated_at":"2025-09-17T23:32:10.738Z","avatar_url":"https://github.com/evilsocket.png","language":"Rust","readme":"Sauron is a minimalistic, YARA-based malware scanner with realtime filesystem monitoring written in Rust.\n\n## Features\n\n* Realtime scan of created and modified files supporting Linux `inotify`, macOS `FSEvents`, Windows `ReadDirectoryChanges` and polling for other platforms.\n* Complete YARA engine support.\n* Single scan mode to scan a folder, report results and exit.\n* Parallel scanning using a configurable thread pool.\n* Log, text and JSON reporting.\n\n### Known Limitations\n\nBecause it relies on filesystem monitoring, Sauron is extremely lightweight and not as invasive as more sophisticated AV solutions; however, this comes with the following limitations:\n\n* Scanning files held under an exclusive lock by other processes will likely fail with a `Permission Denied` error.\n* Creation and execution of malicious files won't be blocked, only reported.\n* [Fileless malware](https://en.wikipedia.org/wiki/Fileless_malware) won't be detected.\n* Detected files won't be linked to originating processes.\n\n## Building\n\n```sh\ncargo build --release\n```\n\n### Dependencies\n\nYour 
system must have `libssl-dev` installed. For Ubuntu-derivatives this can be installed via `sudo apt install libssl-dev`. \n\n## Running \n\nAssuming you have your YARA rules in `./yara-rules` (you can find [plenty of free rules](https://github.com/InQuest/awesome-yara) online):\n\n```sh\nsudo ./target/release/sauron --rules ./yara-rules\n```\n\n![screenshot](https://i.imgur.com/Dw5N9RR.png)\n\n## Single Scan\n\nAlternatively you can perform a one-time recursive scan of the specified folder using the `--scan` argument:\n\n```sh\nsudo ./target/release/sauron --rules ./yara-rules --scan --root /path/to/scan\n```\n\nYou can specify which file extensions to scan (all by default) with the `--ext` argument:\n\n```sh\nsudo ./target/release/sauron \\\n    --rules ./yara-rules \\\n    --scan \\\n    --root /path/to/scan \\\n    --ext exe \\\n    --ext elf \\\n    --ext doc \\\n    --ext docx\n```\n\n## Reporting\n\nVarious options are available for reporting:\n\n* `--report-clean` will also report clean files.\n* `--report-errors` explicitly report errors (reported as debug logs by default).\n* `--report-output \u003cFILENAME\u003e` will write scan reports to a file.\n* `--report-json` if `--report-output` is passed, write as JSON instead of text.\n\n## Other options\n\nRun `sauron --help` for the complete list of options. \n\n## License\n\nThis project is made with ♥  by [@evilsocket](https://twitter.com/evilsocket) and it is released under the GPL3 license.\n","funding_links":[],"categories":["malware"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fevilsocket%2Fsauron","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fevilsocket%2Fsauron","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fevilsocket%2Fsauron/lists"}