Closed austinbyers closed 7 years ago
I've confirmed that this error can happen even with the max Lambda memory allocation (1.5 GB) and with any size input file. Perhaps the number / size of the YARA rules are to blame?
I think I've tracked it down: a recent commit to Neo23x0/signature-base adds a new rule which includes a `pe.imphash` condition.
The YARA rules successfully compile and load in Lambda, but they fail with the memory mapping error when matching against most Windows binaries. My best guess is that this fails because of #30 (`hash` module not yet supported in BinaryAlert).
So the solution for now is to disable all rules which use `pe.imphash`. I will add a check to enforce this with unit tests since it is so hard to debug.
An easy way to disable the relevant rules files is to rename `rules_file.yar` to `rules_file.yar.DISABLED`. BinaryAlert only includes files ending in `.yar` or `.yara`, so these files will be excluded from the next deploy.
Some users are seeing the following error in the analyzer Lambda logs:
I have not been able to reproduce this locally, even with 20,000 YARA rules scanning a 10G file. Some theories: