If you are infected with a rootkit, moving YARA into the kernel is not an answer, 
since the rootkit has full access to muck around with YARA even if it is in the 
kernel.

My recommendation is: don't run YARA on a system which is potentially 
compromised with a rootkit like you describe. If the kernel of the system is 
compromised, you can no longer trust it.

Sure, it's possible to put YARA in the kernel but it isn't going to get you 
anything if your concern is rootkits.

-- WXS

> On Mar 18, 2016, at 1:19 AM, 慎增刘 <shenzeng....@gmail.com> wrote:
> 
> Yara is so powerful in malware matching. Sometimes people want to check files 
> which are attached to file-system hooks. So how about importing yara (or 
> just libyara) into the linux kernel? Is it possible? Is there any advice? 
> Thanks for each response.
> 
> -- 
> You received this message because you are subscribed to the Google Groups 
> "YARA" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to yara-project+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

