The following YARA rule tags have predefined meanings. Use them with care to ensure that results are as intended.

Table 1. YARA Rule Tags
  • appc_msi_processor
  • appcontrol_installer
  • Approve
  • archive
  • bmp
  • chrome_extension_interpreter
  • cmd_interpreter
  • dep_incompatible
  • doc
  • docm
  • docx
  • DontSendEvent
  • DownloadedFile
  • eicar
  • EmailAttachment
  • executable
  • filetype
  • gif
  • installer
  • invalid
  • java_interpreter
  • jpeg
  • jpg
  • library
  • malicious
  • mozilla_extension_interpreter
  • mshta_interpreter
  • perl_interpreter
  • pdf
  • png
  • powershell_interpreter
  • ppt
  • pptm
  • pptx
  • ps_virtualprotect
  • python_interpreter
  • quarantine
  • reg_interpreter
  • risk
  • rtf
  • ruby_interpreter
  • script
  • script_interpreter
  • tiff
  • UnitTest
  • vb_interpreter
  • xls
  • xlsm
  • xlsx

Important: The following tags are in the IsInteresting namespace. Do not use them in the Classification namespace.
  • archive
  • dep_incompatible
  • executable
  • filetype
  • installer
  • invalid
  • script
  • script_interpreter