YARA – The pattern matching swiss knife (github.com/virustotal)
117 points by peter_d_sherman on Dec 6, 2020 | hide | past | favorite | 14 comments


I use YARA for real-time screening in Django REST and it's super fast and easy. Airbnb open-sourced BinaryAlert, which is a cool serverless implementation.

https://github.com/airbnb/binaryalert


The part of the docs I want to skim to see what it does is nicely on one page: https://yara.readthedocs.io/en/stable/writingrules.html


Yara happens to power XProtect, macOS’s malware detection tool. It’s production-ready ;)


Yes, XProtect is deployed to all Macs, but XProtect has a very small [1] number of signatures (~four dozen), compared to any Windows AV engine (which would have thousands of signatures at a minimum). This can't be because only four dozen possible malware families affect macOS, but we can speculate that it is either a performance issue (good sigs are costly [CPU/IO]), a signature-writing issue (Apple needs more malware peeps), or an image issue (if Apple put 10k signatures in XProtect, it would be admitting that 10k families of malware exist for macOS).

IMO, Apple needs to improve the macOS malware detection situation before we consider their implementation 'production ready.'

[1] Official XProtect configuration: https://configuration.apple.com/configurations/macosx/xprote...


YARA has been a pleasure to work with ever since I switched from IDA with SigMaker to Ghidra with YaraGhidraGUI.

Really made me think of how to actually make patterns match asm by hand when needed.
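The "patterns that match asm by hand" point above, as an added example that is not part of this thread or of YARA itself: a small Python matcher for YARA's hex-string syntax (byte wildcards `??`, nibble wildcards `4?`, and `[n]` / `[n-m]` jumps) run over a constructed x86 fragment, showing why a hand-written pattern keeps the opcode skeleton and wildcards the displacement and call target. `SAMPLE`, `PATTERN` and the function names are assumptions for illustration.

```python
import re
# Constructed sample (not from the thread): x86 bytes for a small prologue,
# a call and the epilogue. The displacement (08) and the call's rel32 target
# change between builds, so a hand-written pattern wildcards them.
SAMPLE = bytes.fromhex(
    "55"          # push ebp
    "8bec"        # mov ebp, esp
    "8b4508"      # mov eax, [ebp+8]  (displacement varies)
    "e812345678"  # call rel32        (target varies)
    "5dc3"        # pop ebp ; ret
)
# The skeleton in YARA hex-string syntax: ?? wildcards a byte, 4? a nibble,
# [n] or [n-m] skips a fixed or bounded run of bytes.
PATTERN = "55 8B EC 8B 45 ?? E8 [4] 5D C3"
TOKEN = re.compile(r"\[(\d+)(?:-(\d+))?\]|[0-9A-Fa-f?]{2}")

def parse_hex_string(text):
    """Parse into ('byte', value, mask) / ('jump', lo, hi) items; a '?' nibble clears its mask bits."""
    items, consumed = [], []
    for m in TOKEN.finditer(text):
        consumed.append(m.group(0))
        if m.group(0).startswith("["):
            lo = int(m.group(1))
            items.append(("jump", lo, int(m.group(2) or lo)))
        else:
            hi_n, lo_n = m.group(0)
            value = int(hi_n.replace("?", "0") + lo_n.replace("?", "0"), 16)
            mask = (0 if hi_n == "?" else 0xF0) | (0 if lo_n == "?" else 0x0F)
            items.append(("byte", value, mask))
    if "".join(consumed) != text.replace(" ", ""):
        raise ValueError(f"unsupported hex string: {text!r}")
    return items

def _match_at(items, data, pos, idx):
    """Match items[idx:] at data[pos:], backtracking over jump lengths."""
    if idx == len(items):
        return True
    kind, a, b = items[idx]
    if kind == "byte":
        return (pos < len(data) and data[pos] & b == a
                and _match_at(items, data, pos + 1, idx + 1))
    return any(_match_at(items, data, pos + n, idx + 1)
               for n in range(a, b + 1) if pos + n <= len(data))

def find_matches(pattern, data):
    """Return every offset at which the YARA-style hex pattern matches."""
    items = parse_hex_string(pattern)
    return [off for off in range(len(data)) if _match_at(items, data, off, 0)]
```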


Perhaps it's just me but I would expect a "pattern matching swiss knife" to at least have some machine-learning capabilities.


should be backed by blockchain too


Also quantum something just in case


all powered by a fusion reactor


Don't forget Turing Complete AI-ng


Whoaa horsey! We don't want some VC guy to wet himself looking at this thread


yes, and a subscription-based cloud service


it must be Cloud-native, and Big Data ready


No one mentioned Rust, sooo... It's going to be written in Rust, isn't it?



