The script is designed as an aid to scanning multiple files using one or more *.yar or *.yara files each containing one or more YARA rules.

YARA is a tool aimed at (but not limited to) helping malware researchers to identify and classify malware samples.

The script provides the option to scan selected items in the current user view (does not work with records), all and tagged items.

An internal condition can be used to further control processing. For example, it can be used to target *.exe and *.dll files.

In order to operate, the script uses the libyara.NET API, which in turn wraps the YARA C API.

This necessitates the use of several DLL files, which must be placed in the same folder as the script. If the script has been downloaded from the Internet, it's likely that these files will need to be unblocked using the Windows Explorer property dialog otherwise an error will occur when running the script. 

Each file processed by the script is sent to the .NET API as a memory stream. The results are converted to JSON before being streamed back to the EnScript for interpretation and bookmarking.

Due to this mode of operation, the script will not attempt to process deleted files or those larger than 2GB in size.

Accordingly, the script is not suited to processing RAM dumps, pagefile.sys or hiberfil.sys.

The fast scanning option makes scanning a little faster by avoiding multiple matches of the same string when not necessary. Once a string has been found in a file it’s subsequently ignored, which will result in a single match for the string, even if it appears multiple times in the scanned data.

Output is by way of the console, bookmarks, and optionally, JSON files written to a nominated export folder.

It should be noted that data found as a result of string searching will be Base64 encoded in each JSON output file.

This script was developed for use in EnCase training. For more details, please click the following link:

• OpenText EnCase Training