Hi,

During the file scanning, I do not want to examine after a certain size. For example, for a 100 mb file, I want to scan the first 200 kb and get its match result, Not scanning after 200kb. How can i achieve this with yara rule or python script. I want to give full file to Yara and Yara not read full text as I explained the above. It is important for speed.

Thank you for response.
Sincerely.

hi,

maybe use https://github.com/Neo23x0/Loki or https://www.nextron-systems.com/thor-lite/ because by default they don't scan the file types, which are usually the huge ones, unless you use --intense.

and if you really want to scan the first 200kb of 100mb (don't know how useful that would be), you could add your own parameter in loki.

regards
arnim