
Releases: VirusTotal/yara

YARA v4.2.0

10 Mar 15:18
1367943
  • New syntax for counting string occurrences within a range of offsets. Example: #a in (0..100) (#1565).
  • New syntax for checking whether a set of strings is found within a range of offsets. Example: all of them in (0..100) (#1554).
  • The of operator now accepts sets of rules. Examples: 2 of (rule1, rule2, rule3), 2 of (rule*) (#1597).
  • New syntactic sugar allows writing 0 of ($a*) as none of ($a*) (#1559).
  • New operator % for string sets. Example: 20% of them (#1434).
  • New operator defined (#1529).
  • New operator iequals (#1536).
  • Added functions abs, count, percentage and mode to math module (#1483).
  • The dotnet module is now built into YARA by default.
  • Added the is_dotnet field to dotnet module (#1568).
  • Added new console module (#1594).
  • Added support of delayed imports to pe module (#1523).
  • Reduce memory pressure when scanning process memory in Linux (#1470).
  • Improve performance while matching certain hex strings (#1526, #1552).
  • Implement support for unicode file names in Windows (#1491).
  • Add new API functions yr_get_configuration_uintXX and yr_set_configuration_uintXX (#1621).
  • Add --max-process-memory-chunk option for controlling the size of the chunks while scanning a process's memory (#1393).
  • Add --skip-larger option for skipping files larger than a certain size while scanning directories.
  • Improve scanning performance with better atom extraction (#1656).
  • BUGFIX: fullword modifier not working properly under all locales (#1544).
  • BUGFIX: Fix edge case when files have a numeric name that was interpreted as a PID number (#1541).
  • BUGFIX: Fix memory leaks in magic module.
  • BUGFIX: Fix integer overflow while scanning files larger than 2GB (#1615).

Thanks to @wxsBSD, @secDre4mer, @regeciovad, @ladislav-zezula, @hillu, @xbabka01, @LearnToGetBetter, @vlaci, @HoundThe
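
The condition syntax introduced in v4.2.0, combined in one rule file. This is an added example, not code from the YARA project; the rule names and marker strings are constructed for illustration, and compiling it requires YARA 4.2.0 or later.

```yara
// Added example: constructed rules and marker strings, not from the YARA project.
import "pe"

rule Probe_Header_Window
{
    strings:
        $mz   = "MZ"
        $stub = "This program cannot be run in DOS mode"
    condition:
        // Every string in the set must have a match inside offsets 0..256.
        all of them in (0..256)
}

rule Probe_Marker_Counts
{
    strings:
        $a  = "constructed-marker"
        $k1 = "constructed-key-1"
        $k2 = "constructed-key-2"
        $k3 = "constructed-key-3"
        $k4 = "constructed-key-4"
        $k5 = "constructed-key-5"
        $x1 = "constructed-allow-1"
        $x2 = "constructed-allow-2"
    condition:
        #a in (0..100) >= 2 and   // occurrences of $a counted only within offsets 0..100
        40% of ($k*) and          // at least 40% of the five $k strings (two of them)
        none of ($x*)             // same as: 0 of ($x*)
}

rule Probe_Malformed_PE
{
    condition:
        // MZ magic is present, but the pe module did not produce a section count.
        uint16(0) == 0x5A4D and not defined pe.number_of_sections
}

rule Probe_Odd_Section_Case
{
    condition:
        // First section is ".text" when compared case-insensitively, but not byte for byte.
        pe.sections[0].name iequals ".text" and pe.sections[0].name != ".text"
}

rule Combined_Verdict
{
    condition:
        // Rule set: matches when at least two of the Probe_ rules declared above matched.
        2 of (Probe_*)
}
```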

YARA v4.2.0-rc1

10 Jan 16:41
45a2883
Pre-release
  • New syntax for counting string occurrences within a range of offsets. Example: #a in (0..100) (#1565).
  • New syntax for checking whether a set of strings is found within a range of offsets. Example: all of them in (0..100) (#1554).
  • The of operator now accepts sets of rules. Examples: 2 of (rule1, rule2, rule3), 2 of (rule*) (#1597).
  • New syntactic sugar allows writing 0 of ($a*) as none of ($a*) (#1559).
  • New operator % for string sets. Example: 20% of them (#1434).
  • New operator defined (#1529).
  • New operator iequals (#1536).
  • Added functions abs, count, percentage and mode to math module (#1483).
  • Added new console module (#1594).
  • Added support of delayed imports to pe module (#1523).
  • Reduce memory pressure when scanning process memory in Linux (#1470).
  • Improve performance while matching certain hex strings (#1526, #1552).
  • Implement support for unicode file names in Windows (#1491).
  • Add new API functions yr_get_configuration_uintXX and yr_set_configuration_uintXX (#1621).
  • Add --max-process-memory-chunk option for controlling the size of the chunks while scanning a process's memory (#1393).
  • Add --skip-larger option for skipping files larger than a certain size while scanning directories.
  • BUGFIX: fullword modifier not working properly under all locales (#1544).
  • BUGFIX: Fix edge case when files have a numeric name that was interpreted as a PID number (#1541).
  • BUGFIX: Fix memory leaks in magic module.

Thanks to @wxsBSD, @secDre4mer, @regeciovad, @ladislav-zezula, @hillu, @xbabka01, @LearnToGetBetter

YARA v4.1.3

21 Oct 11:17

BUGFIX: Fix issue where ERROR_TOO_MANY_MATCHES was incorrectly returned (6085d3f).
BUGFIX: Fix potential buffer overrun due to incorrect macro (d5c83c6).

YARA v4.1.2

23 Aug 14:11

BUGFIX: TOO_MANY_MATCHES warning was causing strings to be globally disabled (#1532).
BUGFIX: fullword modifier not working as expected in Mac OS due to locale issue (#1544, VirusTotal/yara-python#184).
BUGFIX: Default value for pe.number_of_imported_function not set to 0 (#1546).

YARA v4.1.1

24 May 10:36

BUGFIX: Accept the "+" character as valid in DLL names (#1501).
BUGFIX: Buffer overrun in "macho" module.
BUGFIX: Undefined behavior in Windows implementation of yr_filemap_xxx functions (#1302).
BUGFIX: Crash due to consecutive jumps in hex strings (#1492).

YARA v4.1.0

26 Apr 12:06
e1360f6
  • New operators icontains, endswith, iendswith, startswith, istartswith.
  • Accept \t escape sequence in text strings.
  • Add --no-follow-links command-line option to yara.
  • Prevent yara from following links to "." (@1D2D).
  • Implemented non-blocking scanning API (@simonhf).
  • When a string causes too many matches, YARA raises a warning instead of failing (@wxsBSD).
  • BUGFIX: The use of --timeout could hang yara when scanning directories or lists of files (#1481).
  • BUGFIX: Incorrect parsing of PE certificates (#1443).
  • BUGFIX: Short-circuit evaluation not working correctly with undefined expressions.

YARA v4.1.0-rc2

22 Mar 13:12
Pre-release
  • Don't raise warnings for non-ASCII strings.

YARA v4.1.0-rc1

18 Mar 10:44
Pre-release
  • New operators icontains, endswith, iendswith, startswith, istartswith.
  • Raise warnings for non-ASCII strings.
  • Accept \t escape sequence in text strings.
  • Add --no-follow-links command-line option to yara.
  • Prevent yara from following links to "." (@1D2D).
  • Implemented non-blocking scanning API (@simonhf).
  • When a string causes too many matches, YARA raises a warning instead of failing.

YARA v4.0.5

05 Feb 15:14
  • BUGFIX: Fix bug in "macho" module introduced in v4.0.4.

YARA v4.0.4

27 Jan 15:35
  • BUGFIX: Multiple out-of-bounds reads in "macho" module.

Credits to Luis Merino from X41 D-SEC GmbH for reporting these issues.