The tests view helps you make sure the YARA rules are working. It lets you bring up various types of test items, including:
- Processes (to scan process memory)
- Files (filesystem scan)
- Strings (both ANSI and Unicode)
Important Note: To be able to run tests, you need to have validated the syntax of a compilation set in the Editor.
When your test items are ready, hit the “Scan Items” button to start the tests. Upon completion, all results are displayed in the “Results” tab.
When a test item matches one of the rules in the compilation set, it is displayed with a pink background and shows how many rules matched.
Matches can be expanded to reveal the rule information, including tags and meta fields.
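To show why the tool offers both ANSI and Unicode string items, the following is an added illustration, not the tool's own code and not the YARA engine. It is a constructed miniature model: rules whose patterns carry YARA-style `ascii`/`wide` modifiers, test items built as an ANSI string, a Unicode (UTF-16LE) string, or a file, and a scan that reports per-item match counts plus each matching rule's tags and meta, the way the Results tab does. Process-memory items are left out because they cannot be modelled portably. The rule names, tags, meta values and sample strings are all made up for the example; in the real tool the compiled YARA rules do the matching.

```python
"""Constructed example: a miniature model of a YARA rule tester.

Not the YARA engine. Only plain string patterns with the ascii/wide
modifiers and an implicit "any of them" condition are modelled, which
is enough to show why a string test item must be supplied as ANSI or
as Unicode to exercise the matching modifier.
"""
import os
import tempfile
from dataclasses import dataclass, field


@dataclass
class RuleString:
    ident: str
    text: str
    match_ascii: bool = True   # YARA "ascii": the 8-bit (ANSI) form
    match_wide: bool = False   # YARA "wide": the UTF-16LE form

    def encoded_forms(self):
        forms = []
        if self.match_ascii:
            forms.append(self.text.encode("latin-1"))
        if self.match_wide:
            forms.append(self.text.encode("utf-16-le"))
        return forms


@dataclass
class Rule:
    name: str
    strings: list
    tags: list = field(default_factory=list)
    meta: dict = field(default_factory=dict)

    def matches(self, data: bytes) -> bool:
        # Condition is fixed to "any of them" in this model.
        return any(form in data
                   for s in self.strings for form in s.encoded_forms())


@dataclass
class TestItem:
    label: str
    data: bytes


def string_item(label, text, unicode=False):
    """String test item: ANSI (8-bit) bytes or Unicode (UTF-16LE) bytes."""
    return TestItem(label, text.encode("utf-16-le" if unicode else "latin-1"))


def file_item(label, path):
    """File test item: the raw bytes of a file on disk."""
    with open(path, "rb") as fh:
        return TestItem(label, fh.read())


def scan_items(rules, items):
    """Return {item label: [details of each matching rule]}."""
    results = {}
    for item in items:
        results[item.label] = [
            {"rule": r.name, "tags": list(r.tags), "meta": dict(r.meta)}
            for r in rules if r.matches(item.data)]
    return results


# Constructed rules (hypothetical names, tags and meta).
RULES = [
    Rule("shell_launcher",
         [RuleString("$cmd", "cmd.exe /c", match_ascii=True, match_wide=True)],
         tags=["lolbin"], meta={"author": "example", "severity": "low"}),
    Rule("ps_ansi_only",
         [RuleString("$ps", "powershell", match_ascii=True, match_wide=False)],
         tags=["script"], meta={"note": "no wide modifier"}),
]


def build_items(tmpdir):
    """Constructed test items: four strings and one file holding both encodings."""
    sample = "launch cmd.exe /c whoami via powershell"
    path = os.path.join(tmpdir, "sample.bin")
    with open(path, "wb") as fh:
        fh.write(sample.encode("latin-1") + sample.encode("utf-16-le"))
    return [
        string_item("ansi_cmd", "run cmd.exe /c whoami"),
        string_item("unicode_cmd", "run cmd.exe /c whoami", unicode=True),
        string_item("ansi_ps", "powershell -nop"),
        string_item("unicode_ps", "powershell -nop", unicode=True),
        file_item("file_sample", path),
    ]


def run_demo():
    """Scan the constructed items; return (match counts, full details)."""
    with tempfile.TemporaryDirectory() as tmp:
        results = scan_items(RULES, build_items(tmp))
    return {label: len(hits) for label, hits in results.items()}, results


if __name__ == "__main__":
    counts, details = run_demo()
    for label, n in counts.items():
        print(f"{label}: {n} rule(s) matched")
```

The point the two Unicode items make: `unicode_cmd` matches because its pattern carries `wide`, while `unicode_ps` matches nothing because that rule only has `ascii`. A rule that passes on an ANSI test string can therefore still miss the same text in UTF-16 form, so both string item types belong in a test set.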