Open AvarageCoding opened 9 months ago
Hello @AvarageCoding,
Thank you for your feedback!
While the rules were tested on our malware sample and performed well on a full WordPress site, it's unfortunate that we encountered the same issue. We are actively working on optimizing these rules, and we hope that in the next version, there will be no false positives.
Optimizing these rules can be a time-consuming process during development and testing, but rest assured that we are committed to improving them. We are working diligently on this and hope to release a new version soon.
If you have any further questions or concerns, please feel free to reach out. Your feedback is valuable in helping us improve our rules.
Thanks for the clarification. I can imagine that optimizing these rules takes a lot of effort. I appreciate all the work and I'm looking forward to the updated version.
First of all, thank you for sharing your rules. I am pretty new to YARA, so apologies if I just ask stupid questions.
I just tested your rules on a clean WordPress installation, but I noticed that it reports a lot of false positives. I created a new, clean WordPress installation via the WP-CLI. A scan on this with Pressidium-commons-init.yar gives a lot of false positives. An installation with many plugins gives even more.
How do you eliminate these false positives? How do you do this, for example, with your customer base?
Potential feedback is appreciated!
scan.log
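As an added example that is not part of this thread and not code from the Pressidium rule set: one practical way to keep YARA hits on untouched WordPress core files out of the review queue is to compare every matched file against a known-clean baseline of content hashes, and suppress a hit only when the file is both present in the baseline and byte-for-byte identical to it. A tampered core file or a file the baseline does not know about still surfaces. The rule names, directory layout and file contents below are constructed for the demo, and the parser assumes the default `yara -r rules.yar <dir>` output format of `rule_name path` per line.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed YARA CLI output, formatted with the scanned root at run time.
# Rule names are placeholders, not rules from any real rule set.
SCAN_LOG_TEMPLATE = """\
wp_suspicious_eval {root}/wp-includes/class-wp-hook.php
wp_suspicious_eval {root}/wp-admin/includes/file.php
wp_base64_payload {root}/wp-content/uploads/cache.php
"""


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(clean_root):
    """Map relative POSIX path -> sha256 for every file in a known-clean tree."""
    clean_root = Path(clean_root)
    return {p.relative_to(clean_root).as_posix(): sha256_file(p)
            for p in clean_root.rglob("*") if p.is_file()}


def parse_yara_output(text):
    """Yield (rule, path) from `rule path` lines. Paths may contain spaces, so
    split only once. Lines starting with 0x are string offsets printed by
    `yara -s` and carry no file name, so they are skipped."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("0x"):
            continue
        rule, _, path = line.partition(" ")
        yield rule, path


def triage(scan_text, scanned_root, baseline):
    """Split hits into suppressed (identical to a baseline file) and review.
    Returns two lists: [(rule, rel_path)] and [(rule, rel_path, reason)]."""
    scanned_root = Path(scanned_root)
    suppressed, review = [], []
    for rule, path in parse_yara_output(scan_text):
        p = Path(path)
        try:
            rel = p.relative_to(scanned_root).as_posix()
        except ValueError:
            review.append((rule, path, "outside scanned root"))
            continue
        expected = baseline.get(rel)
        if expected is None:
            review.append((rule, rel, "not in clean baseline"))
        elif not p.is_file():
            review.append((rule, rel, "missing on disk"))
        elif sha256_file(p) != expected:
            review.append((rule, rel, "differs from clean baseline"))
        else:
            suppressed.append((rule, rel))
    return suppressed, review


def write(root, rel, content):
    p = Path(root) / rel
    p.parent.mkdir(parents=True, exist_ok=True)
    p.write_text(content)


def demo():
    """Build a constructed clean install and a scanned site in a temp dir,
    then triage the constructed scan log against the clean baseline."""
    with tempfile.TemporaryDirectory() as tmp:
        clean = Path(tmp) / "clean"
        site = Path(tmp) / "site"
        # Clean reference tree (placeholder contents, not real WordPress code)
        write(clean, "wp-includes/class-wp-hook.php", "<?php // core hook class\n")
        write(clean, "wp-admin/includes/file.php", "<?php // core file helpers\n")
        # Scanned site: one untouched core file, one modified core file,
        # one file that no clean install contains
        write(site, "wp-includes/class-wp-hook.php", "<?php // core hook class\n")
        write(site, "wp-admin/includes/file.php",
              "<?php // core file helpers\n// injected line\n")
        write(site, "wp-content/uploads/cache.php", "<?php // unknown upload\n")
        baseline = build_baseline(clean)
        scan_text = SCAN_LOG_TEMPLATE.format(root=site)
        return triage(scan_text, site, baseline)


if __name__ == "__main__":
    suppressed, review = demo()
    for rule, rel in suppressed:
        print(f"suppressed  {rule}  {rel}")
    for rule, rel, reason in review:
        print(f"REVIEW      {rule}  {rel}  ({reason})")
```

In practice the baseline would come from a pristine install of the same core version (or from `wp core verify-checksums` / `wp plugin verify-checksums` in WP-CLI, which compare against the checksums published by WordPress.org) rather than from a directory you built yourself, and the suppressed list is still worth keeping: a rule that fires on many unmodified core files is exactly the evidence the rule author needs to tighten it.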