yara icon indicating copy to clipboard operation
yara copied to clipboard
verified publisher icon VirusTotal

Yara error when scan a file path

Open spark6-dev opened this issue 4 years ago • 4 comments

Hello,

Yara returns this error when trying to scan a file, for example, notepad (C:/Windows/System32/notepad.exe).

Yara error: ERROR_COULD_NOT_OPEN_FILE. Code 3
Attempted to read or write protected memory. This is often an indication that other memory is corrupt.

In each scan, this error occurred since Yara was unable to process the data. The scan was attempted on an X64 platform using the Windows services.

Yara version : 3.8.1

Any suggestions to resolve this issue?

spark6-dev avatar Sep 21 '21 10:09 spark6-dev

From the message I assume that this it not the yara command-line tool, but some other program that have YARA built-in. It's hard to tell which is the root cause of this problem without knowing more about that program. What happens if you try to scan the same file with the command-line version of YARA? The issue is reproduced?

plusvic avatar Sep 22 '21 07:09 plusvic

We are using libyara dll inside a windows service written in c#. The command-line version of YARA is working fine. Do you have any idea what might be causing the error?

spark6-dev avatar Sep 22 '21 12:09 spark6-dev

Hello @plusvic, Could you please guide us on how to move forward? We are kind of stuck here because of this. I really appreciate any help you can provide.

spark6-dev avatar Sep 24 '21 05:09 spark6-dev

I think this is going to requiere some debugging on your side. Is hard to recommend an approach without knowing how you system works and how YARA was integrated into it.

plusvic avatar Oct 28 '21 15:10 plusvic