
Switching from yara to yara-x

Mabille Raphaël
GriffonAV co-founder

report n°001 | 2025-10-22

Context

The yara library is a C library that matches YARA rules against the contents of a file.

It is at the heart of our static detection module and is the most computationally intensive part of the module. It is therefore crucial that it be as efficient as possible.

The original choice

We originally planned to use yara because we had the C skills to use it and because code written in C can be called from Rust.

A first POC was created in C, demonstrating the library's usefulness.

The yara-x alternative

yara-x is a rewrite of the yara library in Rust. It shares most of the capabilities of the C yara library. Both libraries are developed and maintained by the same entity, VirusTotal.

Reason for the change

First, VirusTotal, the official maintainer of the yara library, announced that yara will no longer be updated except in the event of a vulnerability, and that the Rust rewrite, yara-x, will receive active development instead.

Secondly, it is healthier for the project to limit the use of multiple languages when a native Rust alternative exists.

Finally, according to the official maintainer, yara-x benefits from better performance than yara.