Neo23x0 / Raccine

A Simple Ransomware Vaccine
The Unlicense

32 bit yara and installer fixes #105

Closed JohnLaTwC closed 3 years ago

JohnLaTwC commented 3 years ago
  1. support yara in x86
  2. remove ransomware strings in raccine.exe and replace them with a yara rule (addresses AV detections)
  3. log benign invocations in simulation mode
  4. Sysmon Event log rules, off by default; set EventlogRules=0x1 to enable
  5. numerous fixes to installer and build batch files
  6. change build type to anycpu on C# apps and fix 32/64 bit issues on paths/regkeys
  7. disable compiled rules (for now)
JohnLaTwC commented 3 years ago

The tests fail because the test code uses raccinelib's is_malicious_command_line to check various command lines. I #ifdef'd out that code to remove strings in the binary that AV continues to flag. The detection functionality it used to provide was moved to Yara, so we need to see how to recreate this testing functionality for our yara rules.