malpedia / signator-rules

Collection of rules created using YARA-Signator over Malpedia

Expressions always false #2

Closed bartblaze closed 4 months ago

bartblaze commented 5 months ago

FYI - 2 rules will not work due to the condition not being able to match:

warning: rule "win_samsam_auto" in may_malpedia_2024.yar(166090): expression always false - requesting 7 of 5.
warning: rule "win_zhmimikatz_auto" in may_malpedia_2024.yar(218544): expression always false - requesting 7 of 1.

danielplohmann commented 4 months ago

Hey Bart!

I'm a bit confused, as those rules are no longer in the repo, at least no files with that name and also no files containing either of the strings "samsam" or "zhmimikatz".

Is it possible that you have artifacts of older rules in there?

Otherwise, did you pull the rules from Malpedia via the API? I just checked in the repo over there and there were rules matching your logical errors. Those are fixed now and should show up in a second. :)

Thanks for reporting back these issues in any case!!

bartblaze commented 4 months ago

Hi Daniel, I believe I may have done both at the time ;) Thnx for tackling it, and the great work!
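
The "requesting 7 of 5" warnings in the first comment mean a condition asks for more strings than the rule defines, so the rule can never match. A pre-deployment lint for that case, as an added example that is not part of this thread or of the repository's tooling: the sample rules are constructed, and the parser assumes a simplified layout (no comments, only numeric `N of them` / `N of ($set*)` forms).

```python
import re
from fnmatch import fnmatchcase

# Constructed sample rules (names, strings and thresholds are made up).
SAMPLE_RULES = r'''
rule demo_a_auto {
    strings:
        $sequence_0 = { 8b45fc 50 e8???????? }
        $sequence_1 = { 33c0 5d c3 }
    condition:
        7 of them and filesize < 100000
}
rule demo_b_auto {
    strings:
        $sequence_0 = { 55 8bec 51 }
        $sequence_1 = { 6a00 ff15???????? }
    condition:
        2 of them and filesize < 100000
}
rule demo_c {
    strings:
        $a0 = "alpha"
        $a1 = "beta"
        $b0 = "gamma"
    condition:
        3 of ($a*)
}
'''

HEADER = re.compile(r'^\s*(?:(?:private|global)\s+)*rule\s+(\w+)', re.M)
STRING_DEF = re.compile(r'^\s*(\$\w*)\s*=', re.M)
N_OF = re.compile(r'\b(\d+)\s+of\s+(them|\([^)]*\))')

def unsatisfiable_of(rules_text):
    """Return (rule, requested, available) for each 'N of <set>' with N > |set|."""
    findings = []
    headers = list(HEADER.finditer(rules_text))
    for i, h in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(rules_text)
        body = rules_text[h.end():end]  # text up to the next rule header
        strings_part, _, condition = body.partition('condition:')
        names = STRING_DEF.findall(strings_part.partition('strings:')[2])
        for m in N_OF.finditer(condition):
            requested, target = int(m.group(1)), m.group(2)
            # 'them' means every string defined in the rule
            patterns = ['$*'] if target == 'them' else [p.strip() for p in target.strip('()').split(',')]
            available = sum(any(fnmatchcase(n, p) for p in patterns) for n in names)
            if requested > available:
                findings.append((h.group(1), requested, available))
    return findings
```

Running `unsatisfiable_of` over a rule file before loading it into a scanner surfaces dead rules that would otherwise only show up as compiler warnings.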