{"id":46160979,"url":"https://github.com/jpcertcc/yamagoya","last_synced_at":"2026-03-02T11:02:08.824Z","repository":{"id":323870019,"uuid":"1011212020","full_name":"JPCERTCC/YAMAGoya","owner":"JPCERTCC","description":"Yet Another Memory Analyzer for malware detection and Guarding Operations with YARA and SIGMA ","archived":false,"fork":false,"pushed_at":"2025-11-12T14:08:03.000Z","size":1157,"stargazers_count":3,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2025-11-12T16:08:19.919Z","etag":null,"topics":["security","sigma","threat-hunting","yara"],"latest_commit_sha":null,"homepage":"","language":"C#","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/JPCERTCC.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-06-30T13:23:10.000Z","updated_at":"2025-11-12T14:08:08.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/JPCERTCC/YAMAGoya","commit_stats":null,"previous_names":["jpcertcc/yamagoya"],"tags_count":2,"template":false,"template_full_name":null,"purl":"pkg:github/JPCERTCC/YAMAGoya","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/JPCERTCC%2FYAMAGoya","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/JPCERTCC%2FYAMAGoya/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/JPCERTCC%2FYAMAGoya/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/host
s/GitHub/repositories/JPCERTCC%2FYAMAGoya/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/JPCERTCC","download_url":"https://codeload.github.com/JPCERTCC/YAMAGoya/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/JPCERTCC%2FYAMAGoya/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29999223,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-03-02T09:59:02.300Z","status":"ssl_error","status_checked_at":"2026-03-02T09:59:02.001Z","response_time":60,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["security","sigma","threat-hunting","yara"],"created_at":"2026-03-02T11:02:07.999Z","updated_at":"2026-03-02T11:02:08.745Z","avatar_url":"https://github.com/JPCERTCC.png","language":"C#","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003cdiv align=\"center\"\u003e\u003cimg src=\"images/yamagoya_logo.png\" width=\"600\"\u003e\u003c/div\u003e \n\n## Concept\n\n**YAMAGoya** (Yet Another Memory Analyzer for malware detection and Guarding Operations with YARA and Sigma) is a C# application that leverages [Event Tracing for Windows (ETW)](https://learn.microsoft.com/en-us/windows/win32/etw/event-tracing-portal) to capture real-time system events. 
It applies detection rules written in YAML format (for custom correlation logic) and can also parse **Sigma** rules for standardized threat detection. In addition, it supports in-memory scanning using **YARA** to detect fileless or stealth malware.\n\nThe tool runs entirely in **userland**, avoiding kernel-mode dependencies and simplifying integration with community-based signatures.\n\n**[日本語版README](README_jp.md)**\n\n## Table of Contents\n- [Features](#features)\n- [Download Binary Version](#download-binary-version)\n- [Build and Installation](#build-and-installation)\n  - [Prerequisites](#prerequisites)\n  - [Command-Line Build](#command-line-build)\n- [How to Use](#how-to-use)\n  - [Command-Line](#command-line)\n  - [GUI Usage](#gui-usage)\n- [Examples for Command-Line](#examples-for-command-line)\n  - [Starting an ETW Session](#starting-an-etw-session)\n  - [Stopping an ETW Session](#stopping-an-etw-session)\n  - [Applying Detection Rules (YAML)](#applying-detection-rules-yaml)\n  - [Applying Detection Rules (Sigma)](#applying-detection-rules-sigma)\n  - [Enabling Memory Scanning](#enabling-memory-scanning)\n  - [Monitoring Specific Event Types](#monitoring-specific-event-types)\n  - [Logging Configuration](#logging-configuration)\n  - [Advanced Configurations](#advanced-configurations)\n  - [All-in-One Example](#all-in-one-example)\n- [Creating YAML Rule Files](#creating-yaml-rule-files)\n- [Sigma Support](#sigma-support)\n  - [Supported Sigma Categories](#supported-sigma-categories)\n  - [Sigma to ETW Mapping](#sigma-to-etw-mapping)\n- [Configuration and Logs](#configuration-and-logs)\n- [Known Limitations / Caveats](#known-limitations--caveats)\n- [License](#license)\n- [FAQ (Frequently Asked Questions)](#faq-frequently-asked-questions)\n\n---\n\n## Features\n\n- **Userland-Only**  \n  No kernel drivers are required, ensuring minimal OS risk and simpler deployment.\n\n- **Real-Time Monitoring**  \n  Utilizes ETW to monitor file I/O, process 
creation/termination, registry events, DNS queries, network traffic, PowerShell scripts, and more.\n\n- **Multi-Format Detection Rules**  \n  - **YAML**: Allows correlating multiple event types using regex or other matching logic.  \n  - **Sigma**: Parses and applies Sigma rules for community-driven threat detection.\n\n- **Memory Scanning with YARA**  \n  Scans system memory using YARA rules to detect fileless or stealth malware.\n\n- **GUI / CLI Interfaces**  \n  Run via command-line or launch the GUI.\n\n---\n\n## Download Binary Version\n\nDownload compiled versions from [Release](https://github.com/JPCERTCC/YAMAGoya/releases).\n\n---\n\n## Build and Installation\n\n### Prerequisites\n\n- **.NET 6.0 or Later**  \n  Install the appropriate .NET SDK or runtime.\n- **NuGet Packages** \n  - [Microsoft.Diagnostics.Tracing.TraceEvent](https://www.nuget.org/packages/Microsoft.Diagnostics.Tracing.TraceEvent/)  \n  - [YamlDotNet](https://www.nuget.org/packages/YamlDotNet/)  \n  - [System.Diagnostics.EventLog](https://www.nuget.org/packages/System.Diagnostics.EventLog/)  \n  - [MaterialDesignColors](https://www.nuget.org/packages/MaterialDesignColors/)  \n  - [MaterialDesignThemes](https://www.nuget.org/packages/MaterialDesignThemes/)\n  - [Antlr4.Runtime.Standard](https://www.nuget.org/packages/Antlr4.Runtime.Standard/)\n  - [DynamicExpresso.Core](https://www.nuget.org/packages/DynamicExpresso.Core/)\n\n### Command-Line Build\n\n0. Install NuGet Packages:\n   ```bash\n   dotnet add package Microsoft.Diagnostics.Tracing.TraceEvent\n   dotnet add package YamlDotNet\n   dotnet add package System.Diagnostics.EventLog\n   dotnet add package MaterialDesignThemes\n   dotnet add package MaterialDesignColors\n   dotnet add package Antlr4.Runtime.Standard\n   dotnet add package DynamicExpresso.Core\n   ```\n\n1. **Clone** the repository:\n   ```bash\n   git clone https://github.com/JPCERTCC/YAMAGoya.git\n   cd YAMAGoya\n   ```\n2. 
**Build**:\n   ```bash\n   dotnet build\n   ```\n3. (Optional) **Publish** a self-contained application:\n   ```bash\n   dotnet publish -c Release -r win-x64 -p:PublishTrimmed=false -o out\n   ```\n\n---\n\n## How to Use\n\n### Command-Line\n\n#### Basic Usage\n\n```bash\nYAMAGoya.exe [options]\n```\n\n**Step 1: Prepare Your Environment**\n1. Ensure you have Administrator privileges (required for ETW session management)\n2. Prepare your detection rules:\n   - For YAML rules: Create `.yaml` or `.yml` files in a folder\n   - For Sigma rules: Place `.yml` Sigma rule files in a folder  \n   - For YARA rules: Create `.yar` or `.yara` files in a folder\n\n**Step 2: Start Session and Detection (Choose one method)**\n```bash\n# Method A: Sigma rules with comprehensive monitoring\nYAMAGoya.exe --session --sigma \"C:\\Rules\\Sigma\" --all\n\n# Method B: YARA memory scanning\nYAMAGoya.exe --session --yara \"C:\\Rules\\YARA\" --all\n```\n\n**Step 3: Configure Advanced Options (Optional)**\n```bash\n# Enable automatic process termination and verbose logging\nYAMAGoya.exe --session --detect \"C:\\Rules\" --all --kill --verbose\n\n# Custom logging configuration\nYAMAGoya.exe --session --detect \"C:\\Rules\" --all --log_path \"D:\\SecurityLogs\" --no_event_log\n\n# Set rule check interval to 30 seconds\nYAMAGoya.exe --session --detect \"C:\\Rules\" --all --check_interval 30\n```\n\n**Step 4: Stop Monitoring**\n```bash\n# Stop the ETW session\nYAMAGoya.exe --stop\n```\n\n#### Command-Line Options Reference\n\n| Option                          | Description                                                                 |\n|---------------------------------|-----------------------------------------------------------------------------|\n| `--help, -h`                    | Show help message and exit.                                                 |\n| `--session, -s`                 | Start an ETW session named `\"YAMAGoya\"` (stops any existing session first). 
|\n| `--stop, -x`                    | Stop the active `\"YAMAGoya\"` ETW session.                                   |\n| `--detect, -d \u003cfolder\u003e`         | Load detection rules (YAML) from `\u003cfolder\u003e` and start detection.            |\n| `--sigma, -si \u003cfolder\u003e`         | Load and apply Sigma rules from `\u003cfolder\u003e` instead of YAML rules.           |\n| `--yara, -y \u003cfolder\u003e`           | Load and apply YARA rules from `\u003cfolder\u003e` for memory scanning.              |\n| `--all, -a`                     | Enable monitoring for all event categories.                                 |\n| `--file, -f`                    | Monitor file **creation** events.                                           |\n| `--delfile, -df`                | Monitor file **deletion** events.                                           |\n| `--process, -p`                 | Monitor process creation and termination events.                            |\n| `--load, -l`                    | Monitor DLL load events.                                                    |\n| `--registry, -r`                | Monitor registry key/value creation and modification events.                |\n| `--open, -o`                    | Monitor process open events.                                                |\n| `--dns, -n`                     | Monitor DNS queries and responses.                                          |\n| `--ipv4, -i4`                   | Monitor IPv4 network traffic events.                                        |\n| `--ipv6, -i6`                   | Monitor IPv6 network traffic events.                                        |\n| `--powershell, -ps1`            | Monitor PowerShell script block executions.                                 |\n| `--shell, -sh`                  | Monitor shell events (e.g., RunKey, shortcuts).                             |\n| `--wmi, -w`                     | Monitor WMI command execution events.                      
                 |\n| `--kill, -k`                    | Automatically terminate detected malicious processes.                       |\n| `--session_name \u003cname\u003e`         | Set a custom name for the ETW session.                                      |\n| `--no_text_log`                 | Disable logging to text files.                                              |\n| `--no_event_log`                | Disable logging to Windows Event Log.                                       |\n| `--check_interval \u003cseconds\u003e`    | Set the time interval (seconds) for rule correlation checks.                |\n| `--log_path \u003cpath\u003e`             | Set custom directory path for log files.                                    |\n| `--verbose`                     | Enable verbose logging to the console.                                      |\n\n  \u003cdiv align=\"center\"\u003e\u003cimg src=\"images/cui.png\" width=\"600\"\u003e\u003c/div\u003e\n  \n### GUI Usage\n\n1. Run `YAMAGoya.exe` with no arguments (or double-click the executable) to launch the GUI.\n2. 
The GUI provides a user-friendly interface with four main tabs:\n\n#### Main Tab\n- **Session Status Display**: Shows current ETW session status with color-coded indicators\n- **Rules Folder Selection**: Browse and select the folder containing your detection rules\n- **Start/Stop Detection**: Large buttons to begin and end monitoring operations\n\n#### Alert Monitoring Tab\n- **Real-time Alert Display**: Live monitoring of security alerts with timestamps\n- **Color-coded Alerts**: Detected threats are highlighted in red for immediate attention\n- **Log File Access**: Quick access to open the current log file\n\n#### Settings Tab\nConfigure advanced detection options:\n- **Kill Process Mode**: Automatically terminate detected malicious processes\n- **Rule Format Selection**: \n  - Use Sigma rules (standardized threat detection)\n  - Use custom YAML rules (custom correlation logic)\n- **YARA Memory Scanning**: Enable memory scanning with configurable interval (default: 1 hour)\n- **Logging Configuration**:\n  - Event Log: Save alerts to Windows Event Log\n  - Text Log: Save alerts to text files with custom directory path\n- **Custom ETW Session Name**: Set an ETW session name (default: YAMAGoya)\n\n#### Help Tab\n\n  \u003cdiv align=\"center\"\u003e\u003cimg src=\"images/gui.png\" width=\"600\"\u003e\u003c/div\u003e\n\n  \u003cdiv align=\"center\"\u003e\u003cimg src=\"images/gui2.png\" width=\"600\"\u003e\u003c/div\u003e\n  \n---\n\n## Examples for Command-Line\n\n### Starting an ETW Session\n\n```bash\nYAMAGoya.exe --session\n```\n\n### Stopping an ETW Session\n\n```bash\nYAMAGoya.exe --stop\n```\n\n### Applying Detection Rules (YAML)\n\n```bash\nYAMAGoya.exe --session --detect .\\rules --all --kill --verbose\n```\n\n### Applying Detection Rules (Sigma)\n\n```bash\nYAMAGoya.exe --session --sigma C:\\sigma_rules --all\n```\n\n### Enabling Memory Scanning\n\n```bash\nYAMAGoya.exe --session --yara .\\yara_rules --all\n```\n\n### Monitoring Specific Event 
Types\n\n```bash\n# Monitor process creation and termination\nYAMAGoya.exe --session --detect .\\rules --process --verbose\n\n# Monitor DNS queries\nYAMAGoya.exe --session --detect .\\rules --dns --verbose\n\n# Monitor PowerShell script execution\nYAMAGoya.exe --session --detect .\\rules --powershell --verbose\n\n# Monitor WMI command execution\nYAMAGoya.exe --session --detect .\\rules --wmi --verbose\n\n# Monitor shell events (e.g., RunKey, shortcuts)\nYAMAGoya.exe --session --detect .\\rules --shell --verbose\n\n# Monitor network activities\nYAMAGoya.exe --session --detect .\\rules --ipv4 --ipv6 --verbose\n\n# Monitor file and registry operations\nYAMAGoya.exe --session --detect .\\rules --file --delfile --registry --verbose\n```\n\n### Logging Configuration\n\n```bash\n# Disable text log files but keep Windows Event Log\nYAMAGoya.exe --session --detect .\\rules --all --no_text_log\n\n# Disable Windows Event Log but keep text log files\nYAMAGoya.exe --session --detect .\\rules --all --no_event_log\n\n# Set custom log file path\nYAMAGoya.exe --session --detect .\\rules --all --log_path \"D:\\Logs\\YAMAGoya\"\n```\n\n### Advanced Configurations\n\n```bash\n# Custom ETW session name\nYAMAGoya.exe --session --session_name \"ForensicSession\" --detect .\\rules --all\n\n# Set rule check interval to 15 seconds\nYAMAGoya.exe --session --detect .\\rules --all --check_interval 15\n\n# Combined monitoring with custom session name and automatic process termination\nYAMAGoya.exe --session --session_name \"ThreatHunting\" --detect .\\rules --process --registry --file --kill\n```\n\n### All-in-One Example\n\n```bash\n# Comprehensive monitoring with all options\nYAMAGoya.exe --session --session_name \"ComprehensiveMonitoring\" --detect .\\rules --all --kill --verbose --check_interval 30 --log_path \"C:\\Logs\\YAMAGoya\"\n```\n\n---\n\n## Sigma Support\n\nYAMAGoya implements support for [Sigma](https://github.com/SigmaHQ/sigma), a generic signature format for describing detection 
rules. Sigma rules can be used instead of YAMAGoya's custom YAML rules by using the `--sigma` or `-si` command-line option.\n\n### Supported Sigma Categories\n\nThe following table shows which Sigma rule categories are currently supported by YAMAGoya:\n\n| Sigma Category | Supported | \n|----------------|:---------:|\n| create_remote_thread | ✓ |\n| create_stream_hash | - |\n| dns_query | ✓ |\n| driver_load | - |\n| file_access | ✓ |\n| file_block | - |\n| file_change | - |\n| file_delete | ✓ |\n| file_event | ✓ |\n| file_rename | - |\n| image_load | ✓ |\n| network_connection | ✓ |\n| pipe_created | - |\n| ps_classic_provider_start | - |\n| ps_classic_start | - |\n| ps_module | - |\n| ps_script | ✓ |\n| process_access | ✓ |\n| process_creation | ✓ |\n| process_tampering | - |\n| raw_access_thread | - |\n| registry_add | ✓ |\n| registry_delete | ✓ |\n| registry_event | ✓ |\n| registry_set | ✓ |\n| sysmon_error | - |\n| sysmon_status | - |\n| system | - |\n| wmi_event | ✓ |\n| webserver | - |\n\n### Sigma to ETW Mapping\n\nYAMAGoya translates Sigma categories to the appropriate ETW providers and event IDs. 
Here's how the supported categories are mapped:\n\n| Sigma Category | ETW Provider | Event IDs |\n|----------------|--------------|-----------|\n| create_remote_thread | Microsoft-Windows-Kernel-Audit-API-Calls | 5 |\n| dns_query | Microsoft-Windows-DNS-Client | 3000-3020 |\n| file_access | Microsoft-Windows-Kernel-File | 10, 12, 30 |\n| file_event | Microsoft-Windows-Kernel-File | 10, 11, 12, 30 |\n| file_delete | Microsoft-Windows-Kernel-File | 11 |\n| image_load | Microsoft-Windows-Kernel-Process | 5 |\n| network_connection | Microsoft-Windows-Kernel-Network | 1-16, 18, 42, 43 |\n| ps_script | Microsoft-Windows-PowerShell | 4104 |\n| process_access | Microsoft-Windows-Kernel-Process | 1 |\n| process_creation | Microsoft-Windows-Kernel-Process | 1 |\n| registry_add | Microsoft-Windows-Kernel-Registry | 1 |\n| registry_delete | Microsoft-Windows-Kernel-Registry | 3, 6 |\n| registry_event | Microsoft-Windows-Kernel-Registry | 1-7 |\n| registry_set | Microsoft-Windows-Kernel-Registry | 5 |\n| wmi_event | Microsoft-Windows-WMI-Activity | 1-50 |\n\n---\n\n## Creating YAML Rule Files\n\nTo create a detection rule in YAML format, follow the schema below. Each rule file should include:\n\n- **rulename**: A unique name for the rule.\n- **description**: A brief description of what the rule detects.\n- **rules**: A list of rule items. Each item must include:\n  - **ruletype**: The type of rule (e.g., `regex`, `binary`, etc.).\n  - **target**: The event category to match. 
Valid targets include:\n    - **file**: File creation events.\n    - **delfile**: File deletion events.\n    - **process**: Process events.\n    - **open**: Process open (OpenProcess) events.\n    - **load**: DLL load events.\n    - **registry**: Registry events.\n    - **dns**: DNS events.\n    - **ipv4**: IPv4 network events.\n    - **ipv6**: IPv6 network events.\n    - **shell**: Shell-related events (RunKey, shortcuts).\n    - **powershell**: PowerShell execution events.\n    - **wmi**: WMI command execution events.\n  - **rule**: The pattern or value to match (for regex rules, a valid regular expression).\n\nExample YAML rule file:\n\n```yaml\nrulename: \"MalwareExecutionDetection\"\ndescription: \"Detects suspicious malware execution patterns.\"\nrules:\n  - ruletype: \"regex\"\n    target: \"process\"\n    rule: \"^malicious_exe\\\\.exe$\"\n  - ruletype: \"regex\"\n    target: \"file\"\n    rule: \".*\\\\.(exe|dll)$\"\n  - ruletype: \"binary\"\n    target: \"file\"\n    rule: \"2E 65 78 65\"\n```\n\n**Steps:**\n\n1. Create a new file with a `.yaml` or `.yml` extension.\n2. Copy and customize the sample structure.\n3. 
Save the file in your designated rules folder.\n\n---\n\n## Configuration and Logs\n\n- **`Config.cs`**:  \n  - `sessionName`: Default ETW session name  \n  - `isTextLog` and `logDirectory`: Enable text logging and specify the log directory\n  - `logDateFormat`: Date format string used in log file names (default: \"yyyy-MM-dd\")\n  - `logFileNameFormat`: Naming pattern for log files (default: \"yamagoya_{0}.log\")\n  - `isEventLog` and `eventLogSource`: Enable Windows Event Log logging and set the source name\n  - `checkInterval`: Time interval (in seconds) used for rule correlation and state resetting for custom YAML rules\n  - `memoryScanInterval`: Time interval (in hours) for YARA memory scanning operations\n  - `logLevel`: Controls verbosity of logging (Debug, Info, Warning, Error)\n\n- **System Tray**:\n  - Minimizing the application sends it to the system tray\n  - Double-click the tray icon to restore the window\n  - Right-click the tray icon for a context menu with Open and Exit options\n\n---\n\n## Known Limitations / Caveats\n\n1. **Elevated Privileges**: Administrator rights are necessary for managing ETW sessions, writing to the Windows Event Log, terminating processes, etc.\n2. **Performance Overhead**: Monitoring multiple providers or high event volumes may result in significant log output; adjust your rules accordingly.\n3. **ETW Bypass**: Advanced malware may bypass userland detection methods. Consider complementing with kernel-level or network-based solutions.\n4. **Sigma Category Support**: Not all Sigma categories are currently supported. 
See the [Supported Sigma Categories](#supported-sigma-categories) section for details.\n\n---\n\n## License\n\nSee the [LICENSE](LICENSE.txt) file for details.\n\n---\n\n## FAQ (Frequently Asked Questions)\n\n### General Questions\n\n**Q: What types of malware can YAMAGoya detect?**  \nA: YAMAGoya can detect a wide range of malware including fileless malware, remote access trojans, backdoors, and other malicious software that exhibits suspicious behavior traceable through ETW events. The detection scope depends on the rules you configure. However, YAMAGoya ships with no detection rules by default, so you need to prepare Sigma or YARA rules yourself.\n\n**Q: Does running YAMAGoya impact system performance?**  \nA: YAMAGoya is designed to minimize performance impact, but monitoring multiple ETW providers simultaneously can consume system resources. For optimal performance with minimal overhead, consider enabling only the necessary event categories for your use case.\n\n**Q: Can YAMAGoya replace my antivirus software?**  \nA: No, YAMAGoya is intended as a complementary tool for advanced threat detection and analysis. It works best alongside traditional antivirus solutions as part of a defense-in-depth strategy.\n\n### Technical Questions\n\n**Q: I'm getting \"Failed to start the ETW session\" errors when starting an ETW session. What should I do?**  \nA: YAMAGoya requires administrative privileges to manage ETW sessions. Make sure to run the application as an administrator (right-click → Run as administrator).\n\n**Q: How do I minimize false positives?**  \nA: Tune your rules carefully and iteratively. Start with more specific patterns, test in your environment, and gradually refine rules. For Sigma rules, consider adjusting the confidence or severity thresholds to match your risk tolerance.\n\n**Q: What's the difference between YAML and Sigma rule formats?**  \nA: YAMAGoya's custom YAML rules allow for flexible event correlation across different ETW providers. 
\n\n**Q: Where can I find sample rules to get started?**  \nA: The [Sigma GitHub repository](https://github.com/SigmaHQ/sigma) and [YARA rule GitHub repositories](https://github.com/InQuest/awesome-yara?#rules) offer extensive collections of community-maintained rules.\n\n**Q: How frequently should I scan with YARA rules?**  \nA: The default scan interval is 1 hour, which balances detection effectiveness with system performance. Adjust based on your security requirements and system capacity. High-risk environments might benefit from more frequent scanning.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjpcertcc%2Fyamagoya","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fjpcertcc%2Fyamagoya","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjpcertcc%2Fyamagoya/lists"}