Updated: Oct 23, 2019 by Pradeep Gowda.

YARA - The pattern matching swiss knife for malware researchers

XProtect on macOS uses YARA rules to match known malicious software. The rule database is at /System/Library/CoreServices/XProtect.bundle/Contents/Resources/XProtect.yara (on newer macOS releases the bundle lives under /Library/Apple/System/Library/CoreServices/XProtect.bundle instead). The file is a plain YARA ruleset, so it is a good reference for how Apple structures production signatures.
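The rules XProtect ships are ordinary YARA rules. The following is an added example, not a rule from the page, from XProtect, or from the YARA project: it shows the parts of a rule a malware researcher typically uses (a private helper rule, text strings with modifiers, a hex pattern with wildcards and a jump, a regex, string counts, filesize, and the pe module). All string contents and the rule names are made up for the illustration.

```yara
import "pe"

// Added example, not from the page, XProtect or the YARA project.
// Private rules are not reported as matches; they only serve as
// building blocks for other rules in the same file.
private rule is_pe
{
    condition:
        // "MZ" DOS header and "PE\0\0" signature at the offset stored at 0x3C
        uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550
}

rule Example_Dropper_Markers
{
    meta:
        description = "Illustrative dropper rule; every string below is invented"
        author      = "added example"
        severity    = "medium"

    strings:
        // Text strings: 'ascii wide' also matches the UTF-16LE form,
        // 'nocase' ignores letter case
        $s1 = "example-dropper-beacon" ascii wide nocase
        $s2 = "\\Temp\\stage2.dll" ascii wide
        // Hex pattern: ?? is a wildcard byte, [2-4] skips 2 to 4 bytes
        $h1 = { 8B 45 ?? 33 C0 [2-4] 89 45 F8 }
        // Regular expression for a hardcoded callback host (made up)
        $re1 = /c2\.[a-z0-9-]{3,20}\.(xyz|top)/ nocase

    condition:
        is_pe
        and filesize < 2MB
        and (
            2 of ($s*)            // at least two of the text markers
            or ($h1 and #re1 >= 1)  // or the code stub plus a host string
        )
        and pe.imports("kernel32.dll", "VirtualAlloc")
}
```

Save it as rules.yar and scan a directory with `yara -r -s rules.yar /path/to/samples`; `-r` recurses into subdirectories and `-s` prints the matched strings with their offsets, which is what you want when tuning a rule against false positives. The `pe.imports` check needs the pe module, which is enabled in stock YARA builds.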

On macOS, see also /System/Library/PrivateFrameworks/yara.framework and man yara.

YARA can be integrated with radare2[1], the reverse engineering framework and toolset. The integration lets you apply and generate YARA signatures from within radare2. There are two plugins: one to use radare2 from YARA[2], and one to use YARA from radare2[3]. The second one can be installed with the embedded r2 package manager: r2pm -i yara

On GitHub: find published rule files with a Google search for site:github.com filetype:yar

[1] https://github.com/radareorg/radare2

[2] https://r2yara.readthedocs.io/en/latest/

[3] https://github.com/radareorg/radare2-extras/tree/master/yara