{"id":6301,"library":"yara-x","title":"YARA-X Python Bindings","description":"YARA-X is a rewrite of YARA in Rust, designed for faster, safer, and more user-friendly pattern matching, primarily for malware research. It aims to replace the original YARA as the default tool. This library provides official Python bindings for YARA-X, supporting Python 3.9+ on Linux, macOS, and Windows. Releases are frequent, with new versions often appearing monthly.","status":"active","version":"1.15.0","language":"en","source_language":"en","source_url":"https://github.com/VirusTotal/yara-x","tags":["pattern-matching","cybersecurity","forensics","malware"],"install":[{"cmd":"pip install yara-x","lang":"bash","label":"Install YARA-X"}],"dependencies":[],"imports":[{"note":"YARA-X is a distinct library from the original YARA-Python. The module name is `yara_x`, not `yara`.","wrong":"import yara","symbol":"yara_x","correct":"import yara_x"}],"quickstart":{"code":"import yara_x\n\nrules_source = '''\nrule example_rule {\n  strings:\n    $a = \"foobar\"\n  condition:\n    $a\n}\n'''\n\n# Compile the rules\nrules = yara_x.compile(rules_source)\n\n# Scan data\ndata_to_scan = b\"This is some data containing foobar for testing.\"\nresults = rules.scan(data_to_scan)\n\nif results:\n    print(f\"Matches found: {results}\")\nelse:\n    print(\"No matches.\")\n\n# Example with a Compiler object for more complex scenarios\ncompiler = yara_x.Compiler()\ncompiler.add_source(rules_source, origin=\"my_rules\")\ncompiled_rules_obj = compiler.build()\n\nscan_results_obj = compiled_rules_obj.scan(b\"Another foobar string.\")\nif scan_results_obj:\n    print(f\"Matches found with Compiler: {scan_results_obj}\")\n","lang":"python","description":"This quickstart demonstrates compiling YARA-X rules from a string and then scanning data. It covers both the simple `yara_x.compile()` function and using the `Compiler` object for more advanced scenarios like managing namespaces."},"warnings":[{"fix":"Review and update YARA rules to conform to stricter regex syntax. The `Compiler` object has a `relaxed_re_syntax` argument that can be set to `True` to mimic YARA's behavior, but this is generally not recommended for new rules.","message":"YARA-X enforces stricter regular expression syntax compared to the original YARA. Certain constructs that YARA previously accepted (e.g., invalid escape sequences treated as literals, unescaped special characters inferred from context) will now raise compilation errors in YARA-X.","severity":"breaking","affected_versions":"All YARA-X versions"},{"fix":"Always use `import yara_x`. Consult the YARA-X Python documentation for API specifics and any behavioral changes compared to `yara-python`.","message":"YARA-X is a completely new implementation (in Rust) and is not a drop-in replacement for the `yara-python` library. The Python module is imported as `yara_x`, not `yara`. Users migrating from `yara-python` will need to update import statements and be aware of API differences, though the core compilation and scanning workflow is similar.","severity":"gotcha","affected_versions":"All YARA-X versions"},{"fix":"Familiarize yourself with the `yara_x` scan result object structure, particularly how matched strings are represented, as it differs from both old and new `yara-python` versions.","message":"The behavior of the `strings` field in the `Match` object significantly changed in `yara-python` versions 4.3.0 and later (from an array of tuples to `yara.StringMatch` objects). While this is specific to `yara-python`, users familiar with that library's older API might incorrectly expect similar `Match` object structures or behaviors when adapting to YARA-X. YARA-X's match result structure is different.","severity":"gotcha","affected_versions":"N/A (applies to yara-python, but a common migration footgun)"}],"env_vars":null,"last_verified":"2026-04-14T00:00:00.000Z","next_check":"2026-07-13T00:00:00.000Z"}