YARA

[pyllyukko]

• [ ] Remove YARA files that have all of their rules blacklisted
  • [ ] Remove the blacklist entries
• [ ] Consider how to utilize YARA Forge
  • Challenging as the ruleset comes as one file
    • Can we just blacklist the ones that don't work with ClamAV?
• [ ] Replace Open-Source-YARA-rules files/rules with links to upstream (the origin of the file in question) when applicable
• [ ] Benchmark rules with yaraQA
  • jq '.[] | select(.issue=="The regex string has a measurable performance impact")' yaraQA-issues.json
  • jq '.[] | select(.level>=2)'
• [ ] Define some (semi-formal?) goodware corpus to weed out rules that produce FPs
  • /usr
  • Chapter 8 of the Malware Data Science book
  • Some mailbox

[pyllyukko]

It would be nice to have some YARA rule to detect malware like this:

• https://www.virustotal.com/gui/file/c0f9a09878ecec9e61df7d45cdc1534c95f310619d3aceb3d578654cea4c283a
• https://www.virustotal.com/gui/file/4f6f8803dca6961056b701edc7aacfcb6a744e5813d977dd471e4f08a0d4d12a
• https://www.virustotal.com/gui/file/5368c19914821d96a69d3c6e0879aff8dc748e66a7a565192b2cdc108da2cb6d

gen_webshells.yar (from Arnims YARA rules) has a detection (WEBSHELL_ASP_Generic), but that file can't be used with ClamAV :(