If you are infected with a rootkit, moving YARA into the kernel is not an answer, since the rootkit has full access to muck around with YARA even if it is in the kernel.

My recommendation is: don't run YARA on a system which is potentially compromised with a rootkit like you describe. If the kernel of the system is compromised, you can no longer trust it. Sure, it's possible to put YARA in the kernel, but it isn't going to get you anything if your concern is rootkits.

-- WXS

> On Mar 18, 2016, at 1:19 AM, 慎增刘 <shenzeng....@gmail.com> wrote:
>
> YARA is so powerful for malware matching. Sometimes people want to check files
> that are attached to file-system hooks. So how about importing YARA (or
> just libyara) into the Linux kernel? Is it possible? Is there any advice?
> Thanks for each response.