Able to spot unwanted changes to files or detect tell-tale patterns (Social Security numbers, administrative credentials, and so on) in places they should not appear (such as outgoing email attachments), Yara is a powerful tool with a seemingly endless number of uses. Signature-based detection has limits, so it would be a bad idea to rely on Yara alone to find malicious files. But given its flexibility, passing up this tool would not be a good idea, either.
OSquery to query the endpoint for system state
Imagine if locating malicious processes, rogue plugins, or software vulnerabilities on your Windows, macOS, and Linux endpoints were a simple matter of writing a SQL query. That’s the idea behind OSquery, an open source tool from Facebook engineers that exposes operating system state such as running processes, loaded kernel modules, open network connections, browser plugins, hardware events, and file hashes as tables in a relational (SQLite-based) database. If you can write a SQL query, that’s all you need to get answers to security questions—no complex code required.
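As an added illustration (not a query from the original article, and not osquery project code), the following osquery SQL joins several of the tables mentioned above. It assumes the stock schema as shipped with the interactive shell, osqueryi, on a Linux or macOS host; the `processes`, `listening_ports`, `users` and `hash` table and column names are those of the standard schema, and the `on_disk` check is one commonly used to flag binaries that delete themselves after launch.

```sql
-- Added example, not from the original article. Assumes osqueryi on
-- Linux or macOS with the stock osquery schema.

-- Every process bound to a listening socket, joined to its executable
-- path, the user it runs as, and the SHA-256 of the binary on disk.
-- protocol is numeric in osquery: 6 = TCP, 17 = UDP.
SELECT p.pid,
       p.name,
       p.path,
       u.username,
       lp.port,
       lp.protocol,
       lp.address,
       h.sha256
FROM listening_ports AS lp
JOIN processes AS p ON lp.pid = p.pid
LEFT JOIN users AS u ON p.uid = u.uid
LEFT JOIN hash AS h ON h.path = p.path
WHERE lp.port != 0
ORDER BY lp.port;

-- Processes whose executable is no longer present on disk, a classic
-- sign of malware that unlinks itself after starting. on_disk is 0 when
-- the path no longer exists and -1 when osquery could not check it.
SELECT pid, name, path, cmdline
FROM processes
WHERE on_disk = 0;
```

The first query is the kind of triage a responder runs first on a suspect host: an unfamiliar binary listening on a high port, running as root, whose hash is unknown to you, is worth a closer look. Hashes are computed on demand, so the join against `hash` is only cheap because the `processes` join narrows the paths first; avoid hashing whole directory trees in a scheduled query.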
For example, the following query would find all processes listening on network ports: