diff --git a/base/comps/components.toml b/base/comps/components.toml
index 7487518e3b0..5af67edefd6 100644
--- a/base/comps/components.toml
+++ b/base/comps/components.toml
@@ -7043,7 +7043,6 @@ includes = ["**/*.comp.toml", "component-check-disablement.toml", "component-min
 [components.yajl]
 [components.yaksa]
 [components.yaml-cpp]
-[components.yara]
 [components.yarnpkg]
 [components.yelp]
 [components.yelp-tools]
diff --git a/base/comps/yara/modify_source.sh b/base/comps/yara/modify_source.sh
new file mode 100755
index 00000000000..be68c555eae
--- /dev/null
+++ b/base/comps/yara/modify_source.sh
@@ -0,0 +1,188 @@
+#!/usr/bin/env bash
+#
+# yara — strip benign-but-scanner-tripping fixture from upstream tarball.
+#
+# Background
+# ----------
+# An automated malware scan in the package signing pipeline rejects
+# `tests/oss-fuzz/dotnet_fuzzer_corpus/obfuscated` inside the upstream
+# `yara-4.5.4.tar.gz` tarball.  The file is a deliberately obfuscated
+# .NET binary used as an oss-fuzz seed-corpus input for YARA's `.NET`
+# parser fuzzer; it is benign but matches generic .NET-obfuscator
+# heuristics by design.
+#
+# The `*_fuzzer.cc` oss-fuzz harnesses (and their `*_fuzzer_corpus/`
+# directories) are NOT referenced from upstream's `Makefile.am`, so the
+# autotools `make check` driver does not exercise them.  Removing
+# `tests/oss-fuzz/dotnet_fuzzer_corpus/obfuscated` (and, optionally,
+# the rest of the dotnet fuzzer corpus) does not affect the Azure Linux
+# build or `%check`.
+#
+# This script repacks the upstream tarball with the offending file
+# stripped, then prints the SHA512 of the modified artefact for use in
+# `base/comps/yara/yara.comp.toml`'s `source-files` block.  The
+# modified tarball must be uploaded to the Azure Linux modified-source
+# blob storage; its blob URL becomes the `source-files.origin.uri` in
+# the comp TOML.
+#
+# Reproducibility notes
+# ---------------------
+# - The script uses `tar --sort=name --mtime=` flags to produce a
+#   byte-deterministic output, so re-running on the same upstream
+#   tarball must always yield the same SHA512.
+# - `gzip -n` strips mtime/filename metadata from the gzip header for
+#   the same reason.
+#
+# Output location
+# ---------------
+# The script writes its outputs to `base/build/work/scratch/yara/`
+# (resolved relative to the repository root).  This path is covered by
+# the repository's top-level `.gitignore` via `build/`, so no
+# component-level `.gitignore` is needed and no script artefact can be
+# accidentally committed.
+#
+# Usage:
+#   bash modify_source.sh
+#
+# Outputs (under base/build/work/scratch/yara/):
+#   yara-4.5.4-azl-stripped.tar.gz
+#   yara-4.5.4-azl-stripped.tar.gz.sha512
+#
+# After running upload `yara-4.5.4-azl-stripped.tar.gz` as the blob payload at
+# the lookaside URL pattern (modified container) for filename
+# `yara-4.5.4.tar.gz`.  The exact URL is printed by this script.
+
+set -euo pipefail
+
+UPSTREAM_URL="https://github.com/VirusTotal/yara/archive/v4.5.4.tar.gz"
+ORIGINAL_NAME="yara-4.5.4.tar.gz"
+ORIGINAL_SHA512="b1da40636f9e55bb07cc911479e6dfa8dc7a4fa3f6b9f10b9f669d741d7af51a1d31e044f9842ec3ab9c6ac9788fbdb89a1686c9e3f22f68d1f9e5fb3db22167"
+MODIFIED_NAME="yara-4.5.4-azl-stripped.tar.gz"
+EXTRACTED_DIRNAME="yara-4.5.4"
+
+# Files to remove from the upstream tarball.
+#
+# `tests/oss-fuzz/dotnet_fuzzer_corpus/obfuscated` is a deliberately
+# obfuscated .NET binary used as an oss-fuzz seed-corpus input for
+# YARA's .NET parser fuzzer; it is referenced only by libFuzzer
+# harnesses (not by the autotools `make check` test suite).
+#
+# The three SHA-256-named fixtures under `tests/data/` are real malware
+# samples used by `tests/test-pe.c` (PE-format parser test) — one is
+# UPX-packed. The autotools `make check` driver runs `test-pe`, which
+# references these files by name. Stripping the files alone would make
+# `test-pe` fail at runtime, so we also drop the `test-pe` line from
+# `Makefile.am` below (see the `Makefile.am` edit step), which causes
+# autoreconf in %prep to regenerate a Makefile without `test-pe` in
+# the TESTS list. Loss: build-time PE-parser regression coverage from
+# upstream's own test corpus. The runtime PE rule-scanning code path
+# (the same one consumers exercise via the `yara` CLI) is unaffected.
+declare -a STRIP_PATHS=(
+    "${EXTRACTED_DIRNAME}/tests/oss-fuzz/dotnet_fuzzer_corpus/obfuscated"
+    "${EXTRACTED_DIRNAME}/tests/data/05cd06e6a202e12be22a02700ed6f1604e803ca8867277d852e8971efded0650"
+    "${EXTRACTED_DIRNAME}/tests/data/079a472d22290a94ebb212aa8015cdc8dd28a968c6b4d3b88acdd58ce2d3b885"
+    "${EXTRACTED_DIRNAME}/tests/data/079a472d22290a94ebb212aa8015cdc8dd28a968c6b4d3b88acdd58ce2d3b885.upx"
+    "${EXTRACTED_DIRNAME}/tests/data/e3d45a2865818756068757d7e319258fef40dad54532ee4355b86bc129f27345"
+)
+
+SCRIPT_DIR="$(cd "$(dirname "$(realpath "$0")")" && pwd)"
+REPO_ROOT="$(cd "${SCRIPT_DIR}/../../.." && pwd)"
+WORKDIR="${REPO_ROOT}/base/build/work/scratch/yara"
+mkdir -p "${WORKDIR}"
+cd "${WORKDIR}"
+
+echo "[1/5] Downloading ${ORIGINAL_NAME} from upstream into ${WORKDIR}"
+curl -fsSL --retry 3 -o "${ORIGINAL_NAME}" "${UPSTREAM_URL}"
+
+echo "[2/5] Verifying original SHA512"
+COMPUTED_ORIGINAL_SHA512=$(sha512sum "${ORIGINAL_NAME}" | awk '{print $1}')
+if [[ "${COMPUTED_ORIGINAL_SHA512}" != "${ORIGINAL_SHA512}" ]]; then
+    echo "ERROR: upstream SHA512 mismatch" >&2
+    echo "  expected: ${ORIGINAL_SHA512}" >&2
+    echo "  computed: ${COMPUTED_ORIGINAL_SHA512}" >&2
+    exit 1
+fi
+
+echo "[3/5] Extracting"
+rm -rf "${EXTRACTED_DIRNAME}"
+tar -xzf "${ORIGINAL_NAME}"
+
+echo "[4/5] Stripping flagged paths"
+for p in "${STRIP_PATHS[@]}"; do
+    if [[ ! -e "${p}" ]]; then
+        echo "ERROR: expected path not present in upstream: ${p}" >&2
+        exit 1
+    fi
+    rm -v "${p}"
+done
+
+# Drop `test-pe` from the autotools `check_PROGRAMS` list in
+# `Makefile.am`. `test-pe` references the four hash-named fixtures in
+# `tests/data/` we just stripped (see STRIP_PATHS above); leaving the
+# test in the autotools TESTS list would make `make check` fail at
+# runtime. The spec runs `autoreconf --force --install` in %prep, so
+# the regenerated `Makefile.in` picks up the edit and `test-pe` is
+# omitted from the build's test driver entirely. `test-pe.c` itself
+# stays in the tarball — harmless, unused.
+#
+# We also drop the now-orphan `test_pe_SOURCES`, `test_pe_LDADD`,
+# `test_pe_LDFLAGS` variable declarations. `automake` runs with
+# `-Werror` in upstream's configuration; leaving the orphan vars
+# triggers a "variable defined but no program has 'test_pe' as
+# canonical name (possible typo)" warning that fails autoreconf.
+MAKEFILE_AM="${EXTRACTED_DIRNAME}/Makefile.am"
+if ! grep -qE '^  test-pe \\$' "${MAKEFILE_AM}"; then
+    echo "ERROR: expected '  test-pe \\' line not found in ${MAKEFILE_AM}" >&2
+    exit 1
+fi
+if ! grep -qE '^test_pe_SOURCES\s*=' "${MAKEFILE_AM}"; then
+    echo "ERROR: expected 'test_pe_SOURCES =' line not found in ${MAKEFILE_AM}" >&2
+    exit 1
+fi
+sed -i '/^  test-pe \\$/d' "${MAKEFILE_AM}"
+sed -i '/^test_pe_SOURCES\s*=/d;/^test_pe_LDADD\s*=/d;/^test_pe_LDFLAGS\s*=/d' "${MAKEFILE_AM}"
+echo "  dropped 'test-pe' entry and its test_pe_{SOURCES,LDADD,LDFLAGS} variables from ${MAKEFILE_AM}"
+
+echo "[5/5] Repacking deterministically as ${MODIFIED_NAME}"
+# --sort=name        : deterministic file ordering
+# --mtime            : pin mtime to a fixed epoch so the output is reproducible
+# --owner=0 --group=0 --numeric-owner : strip uid/gid/uname/gname
+# gzip -n            : do not store the mtime/filename in the gzip header
+rm -f "${MODIFIED_NAME}"
+tar --sort=name \
+    --mtime='2024-01-01 00:00:00 UTC' \
+    --owner=0 --group=0 --numeric-owner \
+    -cf - "${EXTRACTED_DIRNAME}" | gzip -n -9 > "${MODIFIED_NAME}"
+
+MODIFIED_SHA512=$(sha512sum "${MODIFIED_NAME}" | awk '{print $1}')
+echo "${MODIFIED_SHA512}  ${MODIFIED_NAME}" > "${MODIFIED_NAME}.sha512"
+
+cat <<EOF
+
+================================================================
+DONE
+  modified tarball: ${WORKDIR}/${MODIFIED_NAME}
+  SHA512:           ${MODIFIED_SHA512}
+================================================================
+
+Next steps:
+  1. Make sure you are logged in to Azure (one-time per shell):
+       az login
+  2. Upload the modified tarball with this ready-to-paste command
+     (uploads to the lookaside 'repo' container under the
+     'pkgs_modified/' prefix at the exact path
+     base/comps/yara/yara.comp.toml's source-files.origin.uri expects):
+
+       az storage blob upload \\
+           --auth-mode login \\
+           --account-name azltempstaginglookaside \\
+           --container-name repo \\
+           --name "pkgs_modified/yara/yara-4.5.4.tar.gz/sha512/${MODIFIED_SHA512}/yara-4.5.4.tar.gz" \\
+           --file "${WORKDIR}/${MODIFIED_NAME}"
+
+  3. The hash + URI in base/comps/yara/yara.comp.toml are
+     already populated for SHA512 ${MODIFIED_SHA512:0:16}...; if the
+     SHA512 above does NOT match, this means the regeneration was not deterministic.
+     This requires further investigation and the comp TOML must NOT be updated with
+     the new hash/URI until the root cause of non-determinism is identified and resolved.
+EOF
diff --git a/base/comps/yara/yara.comp.toml b/base/comps/yara/yara.comp.toml
new file mode 100644
index 00000000000..ba7eb1dbbd8
--- /dev/null
+++ b/base/comps/yara/yara.comp.toml
@@ -0,0 +1,9 @@
+[components.yara]
+
+[[components.yara.source-files]]
+filename = "yara-4.5.4.tar.gz"
+hash = "efa88fec095d587164bafe30f143aa3f148aad57d41c257c96aa2fdc9ec8818b5ec510d89fe6166efd9f212f57304e08e62f045e51ebc996076c7f58a3e2c1b1"
+hash-type = "SHA512"
+origin = { type = "download", uri = "https://azltempstaginglookaside.blob.core.windows.net/repo/pkgs_modified/yara/yara-4.5.4.tar.gz/sha512/efa88fec095d587164bafe30f143aa3f148aad57d41c257c96aa2fdc9ec8818b5ec510d89fe6166efd9f212f57304e08e62f045e51ebc996076c7f58a3e2c1b1/yara-4.5.4.tar.gz" }
+replace-upstream = true
+replace-reason = "The upstream `yara-4.5.4.tar.gz` tarball ships deliberately obfuscated .NET binaries used as an input for YARA's own .NET parser fuzzer. The file is benign by intent, but it matches generic .NET-obfuscator detection heuristics by design and is rejected by the our automated malware scans."
diff --git a/locks/yara.lock b/locks/yara.lock
index b2874af9505..38279c2e711 100644
--- a/locks/yara.lock
+++ b/locks/yara.lock
@@ -2,5 +2,5 @@
 version = 1
 import-commit = 'ec3a8c26f3312d5d8c24c3e66d53cd8c75e416b3'
 upstream-commit = 'ec3a8c26f3312d5d8c24c3e66d53cd8c75e416b3'
-input-fingerprint = 'sha256:022aa495b534857b8f135ebb7413367cad98f1bfc60336284c9616d0a685e0f8'
+input-fingerprint = 'sha256:74df6b89fbee5dda44846d917f8423bac9fb0388574e2840d45c007e2355f8fe'
 resolution-input-hash = 'sha256:466421704711c4fd3c71f0b2ed715a0e61d49e3e26f3a2637fee755795849c8e'
diff --git a/specs/y/yara/sources b/specs/y/yara/sources
index 97951e017c9..51cc732dc19 100644
--- a/specs/y/yara/sources
+++ b/specs/y/yara/sources
@@ -1 +1 @@
-SHA512 (yara-4.5.4.tar.gz) = b1da40636f9e55bb07cc911479e6dfa8dc7a4fa3f6b9f10b9f669d741d7af51a1d31e044f9842ec3ab9c6ac9788fbdb89a1686c9e3f22f68d1f9e5fb3db22167
+SHA512 (yara-4.5.4.tar.gz) = efa88fec095d587164bafe30f143aa3f148aad57d41c257c96aa2fdc9ec8818b5ec510d89fe6166efd9f212f57304e08e62f045e51ebc996076c7f58a3e2c1b1
diff --git a/specs/y/yara/yara.spec b/specs/y/yara/yara.spec
index f3ea7b01d96..ee31b55ed3e 100644
--- a/specs/y/yara/yara.spec
+++ b/specs/y/yara/yara.spec
@@ -2,7 +2,7 @@
 ## (rpmautospec version 0.8.3)
 ## RPMAUTOSPEC: autorelease, autochangelog
 %define autorelease(e:s:pb:n) %{?-p:0.}%{lua:
-    release_number = 4;
+    release_number = 5;
     base_release_number = tonumber(rpm.expand("%{?-b*}%{!?-b:1}"));
     print(release_number + base_release_number - 1);
 }%{?-e:.%{-e*}}%{?-s:.%{-s*}}%{!?-n:%{?dist}}
@@ -201,6 +201,9 @@ make check || (
 
 %changelog
 ## START: Generated by rpmautospec
+* Thu May 14 2026 Pawel Winogrodzki <pawelwi@microsoft.com> - 4.5.4-5
+- yara: serve modified Source0 with malware-flagged test fixtures stripped
+
 * Thu Apr 30 2026 Daniel McIlvaney <damcilva@microsoft.com> - 4.5.4-4
 - feat: introduce deterministic commit resolution via Azure Linux lock file