Cargo Features

[dependencies]
yara-x = { version = "0.12.0", default-features = false, features = ["constant-folding", "exact-atoms", "fast-regexp", "protoc", "logging", "native-code-serialization", "parallel-compilation", "rules-profiling", "x509-parser-verify", "console-module", "cuckoo-module", "dotnet-module", "elf-module", "hash-module", "lnk-module", "macho-module", "magic-module", "math-module", "pe-module", "string-module", "test_proto2-module", "test_proto3-module", "text-module", "time-module"] }
constant-folding default

Enables constant folding. When constant folding is enabled, expressions like 2+2+2 and true or false, whose values can be determined at compile time, are reduced to their final values instead of producing code that actually computes the expression.

exact-atoms default

Enables the use of exact atoms for speeding up matches. Exact atoms are those that don't require further verification: the sole presence of the atom indicates that the pattern containing the atom matches. For instance, in the pattern /abc(d|e)/, the atom "abcd" is an exact atom; by finding the atom "abcd" we can be sure that the whole regexp matches. However, the atom "abc" is not exact. Finding "abc" is not enough, and the regexp must be evaluated in order to verify whether it matches. If this feature is not enabled, exact atoms are treated as standard (non-exact) atoms.
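
The difference between exact and non-exact atoms for /abc(d|e)/ can be seen in a small model. This is an added example, not code from yara-x: the Atom type, the verify and scan functions, and the sample input are hypothetical and only mimic the behaviour described above.

```rust
// Toy model of atom-based scanning for the regexp /abc(d|e)/.
// Not yara-x code: every name below is hypothetical.

/// An atom is a literal byte string that is searched for in the data first.
struct Atom {
    bytes: &'static [u8],
    exact: bool, // true: a hit on the atom alone proves the pattern matches
}

/// Full evaluation of /abc(d|e)/ at `pos` (stands in for the regexp engine).
fn verify(data: &[u8], pos: usize) -> bool {
    data[pos..].starts_with(b"abc")
        && matches!(data.get(pos + 3), Some(&b'd') | Some(&b'e'))
}

/// Returns (match offsets, number of times the regexp had to be evaluated).
fn scan(data: &[u8], atoms: &[Atom], exact_atoms_enabled: bool) -> (Vec<usize>, usize) {
    let (mut matches, mut verifications) = (Vec::new(), 0);
    for pos in 0..data.len() {
        for atom in atoms {
            if !data[pos..].starts_with(atom.bytes) {
                continue;
            }
            if atom.exact && exact_atoms_enabled {
                matches.push(pos); // the atom hit is the match
            } else {
                verifications += 1; // the atom hit is only a candidate
                if verify(data, pos) {
                    matches.push(pos);
                }
            }
        }
    }
    (matches, verifications)
}

// Constructed sample input: one near miss, two real matches, one truncated hit.
const SAMPLE: &[u8] = b"xxabcfxxabcdxxabcexxabc";

fn main() {
    let exact = [Atom { bytes: b"abcd", exact: true }, Atom { bytes: b"abce", exact: true }];
    let loose = [Atom { bytes: b"abc", exact: false }];
    println!("exact atoms, feature on:  {:?}", scan(SAMPLE, &exact, true));
    println!("exact atoms, feature off: {:?}", scan(SAMPLE, &exact, false));
    println!("non-exact atom \"abc\":     {:?}", scan(SAMPLE, &loose, true));
}
```

All three configurations report the same matches; only the number of regexp evaluations changes.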

fast-regexp default

Enables the use of FastVM for matching regular expressions, as an alternative to PikeVM. This feature is enabled by default; it exists so that the fast regexp matching mechanism can be disabled for testing purposes.

protoc

Whether to use protoc for parsing and compiling .proto files. By default, .proto files are parsed and compiled by the pure-Rust compiler implemented by the rust-protobuf crate. With this feature you can change this behavior and use protoc, the official Protocol Buffer compiler. You'll need to have protoc installed on your system, together with the protoc-gen-rust plugin. Follow the instructions in: https://lib.rs/crates/protobuf-codegen3

logging rules-profiling?

Enables debug logs.

Enables log and quanta

native-code-serialization

When enabled, the serialization of compiled rules includes native code for the platform on which the rules were compiled. This reduces the load time, as the native code is already included in the serialized rules and doesn't need to be generated. On the other hand, it increases the size of the serialized rules. If rules that were serialized with native code for one platform are deserialized on a different platform, the native code included in the serialized rules is ignored and generated again for the current platform.

This feature is disabled by default.

parallel-compilation

Enables parallel compilation of WASM code. When compiling a large number of rules, this noticeably reduces compilation time. However, this creates new threads, which can be problematic in some scenarios. See: https://github.com/VirusTotal/yara-x/issues/182

This feature is disabled by default.

Enables parallel-compilation of wasmtime ^26.0.1

rules-profiling = logging

Enables rules profiling. When this is enabled together with logging the logs will contain information about the most expensive rules after each scan. Notice that profiling itself has a noticeable impact on performance.

Enables quanta

Affects scanner::ProfilingData

x509-parser-verify

When enabled, the logic included in the x509-parser crate is used for verifying certificates. If not enabled, we use our own logic. This is disabled by default.

Enables verify of x509-parser

console-module default

Features for enabling/disabling modules.

For each module we have a <module name>-module feature that controls whether a given module is built or not. For instance, if the feature foo-module is enabled, the module foo will be built into YARA.

The console module exports functions for printing text from YARA rules.

cuckoo-module default

The cuckoo module parses behaviour reports from the Cuckoo Sandbox https://cuckoosandbox.org/

The use of this module is currently discouraged. It is here for backward compatibility with YARA, but it won't be actively maintained or improved as the Cuckoo Sandbox seems to be abandoned since 2017.

dotnet-module default = pe-module

The dotnet module parses .NET files.

Enables nom

elf-module default

The elf module parses ELF files.

Enables md-5, nom, and tlsh-fixed

hash-module default

The hash module provides functions for computing md5, sha1, sha-256, crc32 and checksum.

Enables crc32fast, md-5, sha1, and sha2

lnk-module default

The lnk module parses LNK files.

Enables nom and uuid

macho-module default

The macho module parses Mach-O files.

Enables nom and roxmltree

magic-module

The magic module allows recognizing file types based on the output of the Unix file command. This feature is disabled by default.

Enables magic

math-module default

The math module.

pe-module default dotnet-module

The pe module parses PE files.

Enables const-oid, der-parser, digest, dsa, ecdsa, md-5, md2, nom, p256, p384, rsa, sha1, sha2, and x509-parser

string-module default

The string module offers some functions for parsing strings as integers, determining a string's length, etc.

test_proto2-module default

Test modules to be used only in test cases.

test_proto3-module default

text-module

The text module is an example module described in the Module's Developer Guide. Not very useful in real life.

Enables lingua

time-module default

The time module allows you to retrieve the epoch time in seconds, which can be used in the condition of a rule to check against other epoch times.

default = console-module, constant-folding, cuckoo-module, dotnet-module, elf-module, exact-atoms, fast-regexp, hash-module, lnk-module, macho-module, math-module, pe-module, string-module, test_proto2-module, test_proto3-module, time-module

Features that are enabled by default.