
Sansec Open-Sources Yargo, a YARA Engine That Scans Malware 6.8x Faster

Sansec open-sources Yargo, a pure Go YARA engine optimized for web source code. 6.8x faster than go-yara, processing 57K scans/day in production. MIT licensed.


Sansec, the Dutch eCommerce security company behind Sansec Shield, has open-sourced Yargo: a pure Go reimplementation of the YARA malware scanning engine that runs 6.8 times faster than the original. The project is already processing over 57,000 scans per day in production.

Why rebuild YARA

YARA is the industry standard for pattern matching in malware detection. Nearly every security vendor uses it. But YARA was designed for scanning binaries, not web source code like PHP, JavaScript, and HTML.

Sansec ran into two problems. First, the Go bindings for YARA's C library (go-yara) require cgo, and with it a C compiler, pkg-config, and a pre-installed libyara. Cross-compilation was painful and fully static binaries were impossible. Second, YARA's generic binary-focused approach meant unnecessary work when scanning text-based source code.

How Yargo is faster

Yargo uses the same core algorithm as YARA: Aho-Corasick for multi-pattern matching with a two-phase approach (cheap pre-filter, then expensive verification). The speed gains come from optimizations specific to source code scanning.

The key improvement is smarter atom extraction. YARA picks atoms from the start of patterns. Yargo picks the rarest atoms, so the pre-filter phase produces fewer false positive hits. Since verification is the expensive step, fewer false positives mean dramatically less work.

Other improvements include compiled conditions instead of interpreted evaluation, and a custom Aho-Corasick implementation tuned for text patterns rather than arbitrary byte sequences.
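To make the atom-selection point concrete, here is an added illustration (not Yargo's or YARA's code) of the two-phase scan with both atom choices. It assumes fixed 4-byte atoms, estimates byte rarity from a constructed PHP sample, and uses strings.Index as a stand-in for the Aho-Corasick automaton; the rule pattern, sample corpus and scan target are all constructed.

```go
package main

import "strings"

const atomLen = 4
// Constructed PHP sample used only to estimate byte frequencies in web source.
const corpus = `<?php
function render($name) { echo "<div>" . htmlspecialchars(get_items($name)) . "</div>"; }
foreach ($rows as $k => $v) { $out[$k] = strtolower($v); }`

// Constructed scan target: benign identifiers containing "eval" plus one injected line.
const target = `<?php
$retrieval = evaluate_cart($order); $theme = load_theme("medieval");
eval(gzinflate(base64_decode($payload)));`

// rarestAtom returns the atomLen-byte window of pattern whose bytes are jointly
// least common in sample, with its offset; YARA would take the first window.
func rarestAtom(pattern, sample string) (atom string, off int) {
	var c [256]int // how often each byte occurs in the sample corpus
	for i := 0; i < len(sample); i++ {
		c[sample[i]]++
	}
	bestScore := -1
	for i := 0; i+atomLen <= len(pattern); i++ {
		score := 1
		for j := 0; j < atomLen; j++ {
			score *= c[pattern[i+j]] + 1 // +1 keeps unseen bytes rarest, not zero
		}
		if bestScore < 0 || score < bestScore {
			atom, off, bestScore = pattern[i:i+atomLen], i, score
		}
	}
	return
}

// scan runs both phases: strings.Index stands in for the Aho-Corasick automaton
// that finds atoms cheaply; every atom hit then costs a full-pattern verification.
func scan(file, pattern, atom string, off int) (matches, verifications int) {
	for pos := 0; ; {
		i := strings.Index(file[pos:], atom)
		if i < 0 {
			return
		}
		verifications++
		if s := pos + i - off; s >= 0 && strings.HasPrefix(file[s:], pattern) {
			matches++
		}
		pos += i + 1
	}
}
```

On the constructed target, the first-window atom "eval" triggers four verifications (three of them on benign identifiers) while the rarest atom triggers only one, for the same single match.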

The numbers

In production at Sansec, Yargo delivers:

  • 6.8x faster scan times compared to go-yara
  • 57,000+ scans per day across their monitoring network
  • Sub-1-minute scan times (down from several minutes)
  • 116,000 CPU-hours saved in just two weeks

The project is MIT-licensed and available on GitHub. It provides a go-yara compatible API, so existing integrations can switch with minimal code changes.

WAFplanet take

This matters for WAF users because malware scanning and WAF protection are complementary layers. A WAF blocks malicious requests before they reach your application. But if malware gets in through other vectors (compromised credentials, supply chain attacks, vulnerable plugins), you need server-side scanning to detect it.

Sansec Shield combines both: a WAF-like request filter plus deep malware scanning of your store's codebase and database. Yargo being open source means the scanning engine itself can now be audited and integrated by other security tools.

For eCommerce operators running Magento, WooCommerce, or Shopware, this is the kind of specialized protection that generic cloud WAFs miss. A Cloudflare or CrowdSec deployment blocks known attack patterns at the edge, but it cannot scan your PHP files for injected skimmers. You need both layers.