botherder / kraken

Cross-platform Yara scanner written in Go


Missing error log on broken yara rule (runtime)

HashtagMarkus opened this issue · comments

Hi,
I stumbled over a problem which took me quite some time to get a grip on.
I was testing a huge set of yara rules using kraken inside a Windows Test VM. The compiler worked fine, so the yara rule was syntactically correct. However, I think there is an issue with rules which don't work during runtime. As an example see the following two rules:

import "pe"

rule test1 {
   condition:
      for any i in (0 .. pe.number_of_signatures) : (
         pe.signatures[i].subject contains "Solid Loop" or
         pe.signatures[i].subject contains "Ultimate Computer Support"
      )
}

rule test2 {
   condition:
      filename == "test.txt"
}

I believe the test1 condition might be incorrect during runtime because of the missing MZ header check uint16(0) == 0x5a4d. (test1 is a stripped down version of https://github.com/Neo23x0/signature-base/blob/master/yara/apt_turla_gazer.yar). Using this version, test2 is never executed on kraken. (This also means that on a huge ruleset, all other rules are not executed.)

When I add the MZ header condition to test1, the test2 rule works as expected. This behavior leads to a whole lot of yara rules not being tested, without kraken logging any problem.

I'm not sure if this is a go-yara or a kraken issue; however, using yara64.exe with the compiled ruleset I cannot see this behavior. Do you have a guide on how to debug such a scenario?
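The guarded form of test1 that the report describes, written out as an added example (not part of the original issue or of kraken): the pe module fields are only evaluated after the MZ header check succeeds, so the condition evaluates cleanly on non-PE files and the rules that follow it still run.

```yara
import "pe"

// Guarded version of test1: the MZ header check comes first, so the
// pe.* fields are only consulted on files that actually look like PE
// images, and the condition does not fail at runtime on other input.
rule test1_guarded {
   condition:
      uint16(0) == 0x5a4d and
      for any i in (0 .. pe.number_of_signatures) : (
         pe.signatures[i].subject contains "Solid Loop" or
         pe.signatures[i].subject contains "Ultimate Computer Support"
      )
}

// test2 depends on the "filename" external variable that the scanner
// supplies per file (with the yara CLI it is set via -d filename=test.txt).
rule test2 {
   condition:
      filename == "test.txt"
}
```

Running the ruleset against a small non-PE file such as test.txt is a quick check: with the guard in place test2 matches, while the unguarded test1 reproduces the silent stop the report describes.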