Closed e-ferrari closed 5 months ago
I can't really help too much with this. A match from a YARA rule doesn't actually mean that the file is malicious; it can be a false positive. There are a bunch of low-quality YARA rules on the Internet that you could trigger with non-malicious files, or rules that are intentionally designed to find specific patterns that don't imply maliciousness. When using a set of YARA rules you must know what the rules are for. I don't recommend using YARA as an antivirus.
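A defender-side illustration of the point in the comment above, added here as an example (it is not part of this thread and not YARA's own code): instead of treating the number of matching rules as a "virus count", join each match with the `meta` section of the rule that fired and rank files by what the rule author says the rule is for. It assumes YARA's default output format (`<rule_name> <file_path>`, one match per line, i.e. a run without `-c`); the rules text, the `category` meta key and the match lines are constructed for this example.

```python
"""Triage YARA matches by the metadata of the rule that fired.

Added example, not code from the thread or from the YARA project. Assumes
YARA's default output format, one match per line: "<rule_name> <file_path>".
The rules, the "category" meta convention and the match lines are constructed.
"""
import re
from collections import defaultdict

# Constructed rules file. The meta section is where a rule author states what
# the rule is for; a hit on a "hunting" or "informational" rule is a lead to
# look at, not a verdict that the file is malicious.
SAMPLE_RULES = r'''
rule Generic_Packed_ELF
{
    meta:
        description = "ELF carrying a UPX marker, common in packed binaries"
        category = "hunting"
    strings:
        $upx = "UPX!"
    condition:
        uint32(0) == 0x464c457f and $upx
}

rule Contains_Python_Bindings
{
    meta:
        description = "Shared object exporting Python module init symbols"
        category = "informational"
    strings:
        $init = "PyInit_"
    condition:
        $init
}

rule Known_Bad_Backdoor_Marker
{
    meta:
        description = "Exact marker string from a documented backdoor sample"
        category = "malicious"
        reference = "PLACEHOLDER-analysis-report-url"
    strings:
        $m = "sample-specific-marker"
    condition:
        $m
}
'''

# Constructed match lines in YARA's default output format.
SAMPLE_OUTPUT = """\
Contains_Python_Bindings /mnt/vm/lib/python3/_pywrap_tensorflow_internal.so
Generic_Packed_ELF /mnt/vm/lib/python3/_pywrap_tensorflow_internal.so
Contains_Python_Bindings /mnt/vm/lib/python3/_ssl.cpython-310.so
Known_Bad_Backdoor_Marker /mnt/vm/tmp/.x/sshd
"""

RULE_HEADER_RE = re.compile(r'^(?:private\s+|global\s+)*rule\s+(\w+)')
META_KV_RE = re.compile(r'^(\w+)\s*=\s*"(.*)"\s*$')
MATCH_RE = re.compile(r'^(\S+)\s+(.+)$')

# Ordering used to pick the most significant category per file (constructed).
CATEGORY_RANK = {"malicious": 3, "suspicious": 2, "hunting": 1, "informational": 0}


def parse_rule_meta(rules_text):
    """Map rule name -> dict of string meta values, using a line-based scan."""
    meta, current, in_meta = {}, None, False
    for raw in rules_text.splitlines():
        line = raw.strip()
        header = RULE_HEADER_RE.match(line)
        if header:
            current, in_meta = header.group(1), False
            meta[current] = {}
            continue
        if current is None:
            continue
        if line.startswith("meta:"):
            in_meta = True
        elif line.startswith(("strings:", "condition:")):
            in_meta = False
        elif in_meta:
            kv = META_KV_RE.match(line)
            if kv:
                meta[current][kv.group(1)] = kv.group(2)
    return meta


def parse_matches(output_text):
    """Parse default yara output into (rule_name, path) pairs."""
    pairs = []
    for line in output_text.splitlines():
        m = MATCH_RE.match(line.strip())
        if m:
            pairs.append((m.group(1), m.group(2)))
    return pairs


def triage(rules_text, output_text):
    """Group matches per file; return path -> {'rules': [...], 'highest': category}."""
    meta = parse_rule_meta(rules_text)
    report = defaultdict(lambda: {"rules": [], "highest": "unknown"})
    for rule, path in parse_matches(output_text):
        info = meta.get(rule, {})
        category = info.get("category", "unknown")
        entry = report[path]
        entry["rules"].append((rule, category, info.get("description", "")))
        if CATEGORY_RANK.get(category, -1) > CATEGORY_RANK.get(entry["highest"], -1):
            entry["highest"] = category
    return dict(report)


if __name__ == "__main__":
    for path, entry in sorted(triage(SAMPLE_RULES, SAMPLE_OUTPUT).items()):
        print(f"{path}: highest={entry['highest']}")
        for rule, category, description in entry["rules"]:
            print(f"    {rule} [{category}] {description}")
```

With these constructed inputs the TensorFlow shared object matches two rules, but both are labelled informational or hunting, so it ranks below the single "malicious" hit; that is the distinction a raw match count (or `-c`) hides. Rule sets you download rarely share one metadata convention, so check which keys (if any) each set uses before relying on a field like `category`.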
Hi, I'm completely new to Yara, so excuse me for asking basic stuff. I have some image files from Linux virtual machines I'd like to scan for malware. I have a Ubuntu 22.04.03 box on which I installed Yara 4.1.3. I downloaded rules from https://gist.github.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9. But it seems the script which creates the rules is from 2018. Where can I get more recent rules? I started yara with:
yara -rNc malware_rules.yar /mnt/crispor-server/
I have e.g. output like this:
Does this mean that e.g. _pywrap_tensorflow_internal.so has 5 viruses (or something like this)? If it shows just that it found a certain pattern, how do I know if it's malware or not? Or is yara not suitable for searching for malware? Can you recommend other tools to find malware on Linux hosts?
Thanks.
Bernd