Describe the bug
Apparently, pe.is_signed "cannot be negated". Using it to check for verified signatures on a PE file works, but simply negating the result using not does not produce a True value for unsigned executables.
To Reproduce
First, create a ruleset:
import "pe"

rule SIGNED {
    condition:
        pe.is_pe and pe.is_signed
}

rule UNSIGNED {
    condition:
        pe.is_pe and not pe.is_signed
}
Then, run the ruleset on a signed binary and on an unsigned binary. For example:
Expected behavior
The "UNSIGNED" rule should match on any unsigned PE file. The expected output would be: