Hello. Do you mean Windows executables? If so, there's a PE module you should use. A sample rule is as follows:

    import "pe"

    rule exe {
        condition:
            pe.is_pe and
            not (pe.characteristics & pe.DLL) and
            pe.subsystem != pe.SUBSYSTEM_NATIVE
    }

The above rule matches executables (.exe) only. The second condition prevents the rule from matching DLLs (.dll) and the third condition prevents it from matching Windows drivers (.sys). Feel free to change it to meet your needs. ;)

Please, check the module documentation for other possible conditions [1]. When you are happy with your rule, you can use the -r / --recursive option from the command-line with yara [2].

Good luck!

[1] https://yara.readthedocs.io/en/latest/modules/pe.html
[2] https://yara.readthedocs.io/en/latest/commandline.html

On Wed, Oct 26, 2022 at 11:08 PM SJGG <sergio3...@gmail.com> wrote:
> Any solution or help on this ask?
>
> On Tuesday, 28 June 2022 at 00:39:58 UTC-4 muhammadz...@gmail.com wrote:
>
>> I want to write yara rule to detect only executable files in any drive,
>> can any one help me out
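
Added example, not part of the original message or of the YARA project: a simplified Python reading of the header fields that the rule's three conditions test, run against constructed header-only images. The helper names `classify` and `make_pe` are hypothetical, and YARA's pe module performs more validation than this sketch does.

```python
import struct

IMAGE_FILE_DLL = 0x2000         # COFF Characteristics flag tested via pe.DLL
IMAGE_SUBSYSTEM_NATIVE = 1      # value compared against pe.SUBSYSTEM_NATIVE

def classify(data: bytes) -> str:
    """Return 'not-pe', 'dll', 'native' or 'exe', mirroring the rule's conditions."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return "not-pe"
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # Need: PE signature (4) + COFF header (20) + optional header through Subsystem (70)
    if e_lfanew + 24 + 70 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return "not-pe"
    (characteristics,) = struct.unpack_from("<H", data, e_lfanew + 22)
    (magic,) = struct.unpack_from("<H", data, e_lfanew + 24)
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        return "not-pe"
    # Subsystem sits at offset 68 of the optional header in both PE32 and PE32+
    (subsystem,) = struct.unpack_from("<H", data, e_lfanew + 24 + 68)
    if characteristics & IMAGE_FILE_DLL:
        return "dll"       # excluded by: not (pe.characteristics & pe.DLL)
    if subsystem == IMAGE_SUBSYSTEM_NATIVE:
        return "native"    # excluded by: pe.subsystem != pe.SUBSYSTEM_NATIVE
    return "exe"

def make_pe(characteristics: int, subsystem: int, pe32plus: bool = False) -> bytes:
    """Build a constructed, header-only PE image for the demo (not a real program)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew -> right after DOS header
    opt_size = 240 if pe32plus else 224
    machine = 0x8664 if pe32plus else 0x14C
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, characteristics)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 68, subsystem)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)

if __name__ == "__main__":
    samples = {                                       # all inputs are constructed
        "gui.exe": make_pe(0x0102, 2),
        "lib.dll": make_pe(0x2102, 2),
        "drv.sys": make_pe(0x0102, 1),
        "script.sh": b"#!/bin/sh\necho hi\n",
    }
    for name, blob in samples.items():
        print(f"{name:10} -> {classify(blob)}")
```
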