ditekshen / detection

Detection in the form of Yara, Snort and ClamAV signatures.

Poor rules #29

Closed abusech closed 15 hours ago

abusech commented 1 month ago

It appears that the following YARA rules have poor quality:

INDICATOR_RTF_EXPLOIT_CVE_2017_11882_1
INDICATOR_RTF_EXPLOIT_CVE_2017_11882_2
INDICATOR_RTF_EXPLOIT_CVE_2017_11882_3
INDICATOR_RTF_EXPLOIT_CVE_2017_11882_4
INDICATOR_RTF_MultiExploit_Embedded_Files

As a matter of fact, it seems that they are too wide, causing a massive slowdown in YARA scanning performance:

[*] Compilation of indicator_office.yar took 0.007477283477783203 seconds
[*] Scanning with rule indicator_office.yar took 341.6897406578064 seconds <--- !

Sadly, these rules caused service degradation of YARAify. We therefore had to remove your ruleset from our service.

Would it be possible to fix these rules and make them more specific (e.g. by looking explicitly for RTF files)?

ditekshen commented 1 month ago

They all already target RTF files only, as explicitly specified in the condition with uint32(0) == 0x74725c7b. I don't disagree with you when it comes to these rules' performance. But due to the wide variations of evasion manipulations, they grew into performance hogs; otherwise, they would result in false negatives. I will take a look.

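The condition uint32(0) == 0x74725c7b mentioned above is a little-endian read of the first four bytes, i.e. the byte sequence {\rt that opens an RTF header. One thing worth knowing when reasoning about the reported slowdown: YARA searches for every rule's strings in the scanned data before it evaluates any condition, so a magic check in the condition does not stop the string matching cost on non-RTF files; the saving only appears if the file-type decision is made before the heavy ruleset is invoked, which is what enabling these rules on demand achieves. The script below is an added example, not code from the ditekshen/detection repository or from YARAify: it mirrors the rules' header check in plain Python and uses it to route only RTF-looking inputs to the expensive ruleset. The sample bytes and the function names are constructed for illustration.

```python
import struct

# YARA's uint32(0) reads the 4 bytes at offset 0 as a little-endian unsigned int.
# 0x74725c7b little-endian is the byte sequence 7b 5c 72 74 == b"{\\rt",
# the opening of an RTF header such as "{\rtf1".
YARA_RTF_MAGIC = 0x74725C7B
RTF_MAGIC_BYTES = struct.pack("<I", YARA_RTF_MAGIC)  # b"{\\rt"


def yara_uint32_at(data: bytes, offset: int = 0):
    """Mirror YARA's uint32(offset).

    Returns None when fewer than 4 bytes are available at the offset; YARA treats
    that read as undefined, so any comparison against it evaluates to false.
    """
    if offset < 0 or offset + 4 > len(data):
        return None
    return struct.unpack_from("<I", data, offset)[0]


def matches_rtf_condition(data: bytes) -> bool:
    """Same decision as the rules' condition 'uint32(0) == 0x74725c7b'."""
    return yara_uint32_at(data, 0) == YARA_RTF_MAGIC


def partition_for_scanning(samples):
    """Split {name: bytes} into inputs for the RTF-only ruleset and everything else.

    Doing this split before calling YARA is what avoids paying the string-search
    cost of the heavy RTF rules on files that can never satisfy their condition.
    """
    rtf, other = [], []
    for name, data in samples.items():
        (rtf if matches_rtf_condition(data) else other).append(name)
    return rtf, other


# Constructed sample inputs (not real files or malware); names are illustrative.
SAMPLES = {
    "doc.rtf": b"{\\rtf1\\ansi\\deff0 {\\fonttbl {\\f0 Courier;}} hello}",
    "tool.exe": b"MZ\x90\x00" + b"\x00" * 60,
    "short.bin": b"{\\r",  # only 3 bytes: uint32(0) is undefined, so no match
    "notes.txt": b"plain text that mentions {\\rtf1 later on",  # magic not at offset 0
}


if __name__ == "__main__":
    rtf, other = partition_for_scanning(SAMPLES)
    print("RTF magic bytes:", RTF_MAGIC_BYTES)
    print("route to RTF ruleset:", rtf)
    print("skip RTF ruleset:    ", other)
```

The prefilter deliberately inspects only offset 0, exactly as the rules' condition does, so an RTF header preceded by other bytes is not routed to the RTF ruleset; that matches the rules' own behaviour rather than extending it.
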
ditekshen commented 15 hours ago

These rules have been disabled and should be enabled on-demand in ea8952882072084aae9128e9711947fd680dbe28.