{"id":4862,"library":"yara-python","title":"YARA Python Interface","description":"yara-python is the official Python interface for YARA, a pattern matching tool used by security researchers to identify and classify malware. It provides bindings to the YARA C library, allowing Python applications to compile and apply YARA rules. The library is actively maintained, with new versions (currently 4.5.4) typically released in conjunction with updates to the underlying YARA engine.","status":"active","version":"4.5.4","language":"en","source_language":"en","source_url":"https://github.com/VirusTotal/yara-python","tags":["security","malware","reverse-engineering","pattern-matching","forensics"],"install":[{"cmd":"pip install yara-python","lang":"bash","label":"Install stable version"}],"dependencies":[],"imports":[{"symbol":"yara","correct":"import yara"}],"quickstart":{"code":"import yara\n\n# Compile a YARA rule from a string\nrules = yara.compile(source='rule foo: bar { strings: $a = \"lmn\" condition: $a }')\n\n# Scan some data\ndata_to_scan = b'abcdefgjiklmnoprstuvwxyz'\nmatches = rules.match(data=data_to_scan)\n\n# Process matches\nif matches:\n for match in matches:\n print(f\"Rule: {match.rule}, Tags: {match.tags}\")\n # In YARA-Python 4.3.0+, match.strings is a list of yara.StringMatch objects\n for s in match.strings:\n print(f\" String: {s.identifier} at offset {s.instances[0].offset} with data '{s.instances[0].matched_data.decode()}'\")\nelse:\n print(\"No matches found.\")","lang":"python","description":"This quickstart demonstrates how to compile a simple YARA rule from a string and then apply it to scan binary data. It shows how to access the matched rule's name, tags, and details about the matched strings, including their identifiers, offsets, and data."},"warnings":[{"fix":"Update code iterating over `match.strings`. Instead of direct tuple unpacking, access attributes like `s.identifier`, `s.instances[0].offset`, and `s.instances[0].matched_data` on the `yara.StringMatch` and `yara.StringMatchInstance` objects.","message":"The structure of the `yara.Match.strings` field changed in version 4.3.0. Previously, it was a list of tuples `(, , )`. It is now a list of `yara.StringMatch` objects, which in turn contain `yara.StringMatchInstance` objects for actual matches.","severity":"breaking","affected_versions":">=4.3.0"},{"fix":"Before `pip install yara-python`, install YARA and its development packages (e.g., `libyara-dev`, `python3-dev`, `gcc` on Debian/Ubuntu, or `yara` via Homebrew on macOS).","message":"On Linux and macOS, `pip install yara-python` may fail unless the YARA C library and its development headers are pre-installed via the system's package manager. This is because `yara-python` is a wrapper around the C library and often needs to compile against it if a pre-built wheel is not available for your specific platform/Python version.","severity":"gotcha","affected_versions":"All versions"},{"fix":"Upgrade to `yara-python` version 4.4.0 or later to ensure memory stability when working with `StringMatchInstance` objects.","message":"Versions 4.3.x had a memory leak and potential heap corruption issue related to incorrect reference counting when calling `yara.StringMatchInstance.plaintext()` without an XOR key. This was fixed in YARA-Python 4.4.0.","severity":"gotcha","affected_versions":"4.3.0 - 4.3.1"},{"fix":"Use `yara.compile()` for human-readable rule files (.yara, .yar) or rule strings, and `yara.load()` only for binary pre-compiled rule files. Using `load()` on a text rule file will result in an error.","message":"There's a distinction between `yara.compile()` and `yara.load()`. `yara.compile()` processes YARA rule source code (from strings, files, or file paths). `yara.load()` is used to load *pre-compiled* YARA rule files (typically with a `.yarac` extension) that have been previously saved using `rules.save()`.","severity":"gotcha","affected_versions":"All versions"}],"env_vars":null,"last_verified":"2026-04-12T00:00:00.000Z","next_check":"2026-07-11T00:00:00.000Z"}