Sauron is a minimalistic, YARA based malware scanner with realtime filesystem monitoring written in Rust.
inotify, macOS FSEvents, Windows ReadDirectoryChanges and polling for other platforms.Due to the filesystem monitoring mechanism, Sauron is extremely lightweight and non invasive as more sophisticated AV solutions, however this comes with the following limitations:
Permission Denied error.cargo build --release
Your system must have libssl-dev installed. For Ubuntu-derivatives this can be installed via sudo apt install libssl-dev.
Assuming you have your YARA rules in ./yara-rules (you can find plenty of free rules online):
sudo ./target/release/sauron --rules ./yara-rules

Alternatively you can perform a one-time recursive scan of the specified folder using the --scan argument:
sudo ./target/release/sauron --rules ./yara-rules --scan --root /path/to/scan
You can specify which file extensions to scan (all by default) with the --ext argument:
sudo ./target/release/sauron \
--rules ./yara-rules \
--scan \
--root /path/to/scan \
--ext exe \
--ext elf \
--ext doc \
--ext docx
Various options are available for reporting:
--report-clean will also report clean files.--report-errors explicitly report errors (reported as debug logs by default).--report-output <FILENAME> will write scan reports to a file.--report-json if --report-output is passed, write as JSON instead of text.Run sauron --help for the complete list of options.
This project is made with ♥ by @evilsocket and it is released under the GPL3 license.
$ claude mcp add sauron \
-- python -m otcore.mcp_server <graph>