A minimalistic cross-platform malware scanner with non-blocking realtime filesystem monitoring using YARA rules.

Overview

Sauron is a minimalistic, YARA based malware scanner with realtime filesystem monitoring written in Rust.

Features

  • Realtime scan of created and modified files supporting Linux inotify, macOS FSEvents, Windows ReadDirectoryChanges and polling for other platforms.
  • Complete YARA engine support.
  • Single scan mode to scan a folder, report results and exit.
  • Parallel scanning using a configurable thread pool.
  • Log, text and JSON reporting.

Known Limitations

Because it relies on filesystem monitoring, Sauron is extremely lightweight and far less invasive than more sophisticated AV solutions; however, this comes with the following limitations:

  • Scanning a file held under an exclusive lock by another process will likely fail with a Permission Denied error.
  • Creation and execution of malicious files is not blocked, only reported.
  • Fileless malware is not detected.
  • Detected files are not linked to the processes that created them.
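To illustrate the polling flavour of the realtime monitor described in the features list, and why a locked file shows up as an error rather than stopping the scan, here is an added example written for this page (not Sauron's own source). It is std-only Rust: each round diffs file modification times against the previous snapshot and scans only new or modified files; the `matcher` closure is an assumed stand-in for the YARA engine that returns the name of the matching rule.

```rust
use std::{collections::HashMap, fs, io::{self, ErrorKind}, path::{Path, PathBuf}, time::SystemTime};

/// Per-file outcome, mirroring the clean / detected / error categories Sauron reports.
#[derive(Debug, PartialEq)]
pub enum ScanResult { Clean, Detected(String), Error(String) }

/// Record the modification time of every regular file under `root` (recursive).
pub fn snapshot(root: &Path) -> io::Result<HashMap<PathBuf, SystemTime>> {
    let mut seen = HashMap::new();
    let mut stack = vec![root.to_path_buf()];
    while let Some(dir) = stack.pop() {
        for entry in fs::read_dir(&dir)? {
            let entry = entry?;
            let meta = entry.metadata()?;
            if meta.is_dir() {
                stack.push(entry.path());
            } else if meta.is_file() {
                seen.insert(entry.path(), meta.modified()?);
            }
        }
    }
    Ok(seen)
}

/// One polling round: files that are new or whose mtime changed since `prev` are read
/// and handed to `matcher` (assumed stand-in for YARA, returns the matching rule name).
/// A file we cannot read, e.g. one held under an exclusive lock, becomes an Error entry.
pub fn poll_once(
    root: &Path,
    prev: &mut HashMap<PathBuf, SystemTime>,
    matcher: &dyn Fn(&[u8]) -> Option<String>,
) -> io::Result<Vec<(PathBuf, ScanResult)>> {
    let current = snapshot(root)?;
    let mut results = Vec::new();
    for (path, mtime) in &current {
        if prev.get(path) == Some(mtime) {
            continue; // unchanged since the previous round
        }
        let result = match fs::read(path) {
            Ok(bytes) => matcher(&bytes).map_or(ScanResult::Clean, ScanResult::Detected),
            Err(e) if e.kind() == ErrorKind::PermissionDenied => ScanResult::Error("permission denied".into()),
            Err(e) => ScanResult::Error(e.to_string()),
        };
        results.push((path.clone(), result));
    }
    *prev = current; // the next round diffs against this state
    Ok(results)
}
```

A real deployment would call `poll_once` in a loop with a sleep between rounds and hand the results to the reporting layer; inotify or FSEvents replace the snapshot diff on platforms that support them.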

Building

cargo build --release

Dependencies

Your system must have libssl-dev installed. For Ubuntu-derivatives this can be installed via sudo apt install libssl-dev.

Running

Assuming you have your YARA rules in ./yara-rules (you can find plenty of free rules online):

sudo ./target/release/sauron --rules ./yara-rules


Single Scan

Alternatively you can perform a one-time recursive scan of the specified folder using the --scan argument:

sudo ./target/release/sauron --rules ./yara-rules --scan --root /path/to/scan

You can specify which file extensions to scan (all by default) with the --ext argument:

sudo ./target/release/sauron \
    --rules ./yara-rules \
    --scan \
    --root /path/to/scan \
    --ext exe \
    --ext elf \
    --ext doc \
    --ext docx

Reporting

Various options are available for reporting:

  • --report-clean also reports clean files.
  • --report-errors explicitly reports errors (they are emitted as debug logs by default).
  • --report-output <FILENAME> writes scan reports to a file.
  • --report-json writes the report as JSON instead of text when --report-output is passed.

Other options

Run sauron --help for the complete list of options.

License

This project is made with ♥ by @evilsocket and it is released under the GPL3 license.

Comments
  • Compile sauron on Debian 11 fails (workaround)

    The Rust version on Debian 11 is too old => compile fails.

    Workaround:

    Install a newer version of Rust and some dependencies as follows:

    git clone https://github.com/evilsocket/sauron.git
    cd sauron
    sudo apt remove rustc-mozilla
    sudo apt install curl build-essential gcc make libssl-dev libclang1 clang -y
    # local user install of rust
    curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
    source "$HOME/.cargo/env"
    cargo build --release

    opened by tietjen 0