D7 · Tools

What is a YARA rule?

YARA is a malware identification and classification tool driven by pattern-matching rules. Each rule declares strings (plain ASCII or wide text, hex byte patterns, or regular expressions) and a condition that combines them, and the rule matches when the condition holds for a file or a memory region.
YARA rules are shareable threat intelligence, used in EDR, sandboxes, email gateways and SIEMs for malware detection; VirusTotal also supports hunting across its corpus with YARA. To write a good rule, anchor it on strings unique to the malware and avoid matching common library code, which is the usual source of false positives.
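The rule below is an added illustration of the structure described above, not a rule from the original page and not a real malware signature: every string in it is constructed for the example, and the rule name is a placeholder. It shows the three string types (ASCII/wide text, a hex pattern with a wildcard byte and a jump, and a regex) together with a condition that limits matching to PE files of bounded size and requires more than one string to fire.

```yara
rule Example_Placeholder_Rule
{
    meta:
        description = "Illustrative rule with constructed strings; not a real detection"
        author      = "added example, not from the original page"

    strings:
        // ASCII text string: a constructed mutex name (hypothetical)
        $mutex = "Global\\ExamplePlaceholderMutex" ascii

        // Same text searched in both ASCII and UTF-16 encodings, case-insensitive
        $cfg   = "example-placeholder-config" ascii wide nocase

        // Hex pattern: ?? is a one-byte wildcard, [4] skips exactly four bytes.
        // 55 8B EC is an ordinary x86 function prologue, so this pattern alone
        // would match far too much code; the condition never relies on it by itself.
        $hex   = { 55 8B EC 83 EC ?? 68 [4] E8 }

        // Regex string: a constructed User-Agent pattern (hypothetical)
        $ua    = /ExampleAgent\/[0-9]+\.[0-9]+/ ascii

    condition:
        // MZ header at offset 0 restricts the rule to PE files, the size cap
        // keeps scans cheap, and requiring two independent strings lowers
        // the false-positive rate compared with any single string.
        uint16(0) == 0x5A4D and filesize < 2MB and 2 of ($mutex, $cfg, $hex, $ua)
}
```

With the `yara` command-line scanner this would be run as `yara -r example.yar /path/to/scan`; when adapting the pattern to a real sample, replace the constructed strings with artefacts unique to that sample and keep the "n of" condition rather than matching on a single generic byte sequence.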