From 6883a582058548d34a7cf2e2ecd83abffbfd7623 Mon Sep 17 00:00:00 2001 From: pyllyukko Date: Thu, 30 Nov 2023 18:18:30 +0200 Subject: [PATCH] Blacklisted bunch of YARA rules Starting to think whether efb8d9c was a good idea or not. These rules have been tested to trigger against the benignware dataset of chapter 8 of the Malware Data Science book[1]. [1] https://www.malwaredatascience.com/code-and-data --- tasks/clamav.yml | 25 ++++++++++++++++++++++++- 1 file changed, 24 insertions(+), 1 deletion(-) diff --git a/tasks/clamav.yml b/tasks/clamav.yml index 0bb12f4..131b4ff 100644 --- a/tasks/clamav.yml +++ b/tasks/clamav.yml @@ -220,7 +220,6 @@ mimikatz ft_elf ft_exe - DebuggerPattern__RDTSC maldoc_suspicious_strings maldoc_structured_exception_handling maldoc_function_prolog_signature @@ -239,6 +238,30 @@ Ramnit FE_APT_Backdoor_Linux32_SLOWPULSE_2 trickbot_maldoc_embedded_dll_september_2020 + reads_clipboard + cve_2014_6352 + upx + embedded_macho + maldoc_find_kernel32_base_method_1 + browser_pass + shylock + XYPayload + sysocmgr + maldoc_getEIP_method_1 + cmd_shell + obfuscation_singlebyte_mov + vmdetect + Embedded_PE + dotnet_libraries + TrojanWin32CitadelSampleA + executable_au3 + dbgdetect_funcs + MD5_Constants + RIPEMD160_Constants + _UPX_V200V290 + RogueFakePAVSample + SHA1_Constants + Check_VBox_Guest_Additions tags: - configuration - yara
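Review bot: the first hunk removes `DebuggerPattern__RDTSC` from the blacklist, which re-enables that rule, but neither the commit message nor a comment in tasks/clamav.yml says why it is being reinstated while two dozen other rules are added; the message only explains the additions (rules firing on the chapter 8 benignware set). Please state in the commit message whether the RDTSC rule was re-tested against the same benignware dataset and found clean, or whether the removal is accidental; the hunk's three unchanged context lines (`mimikatz`, `ft_elf`, `ft_exe` above and the `maldoc_*` rules below) give no hint either way.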
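Review bot: the second hunk records no rationale next to the 24 new blacklist entries, so a future maintainer reading tasks/clamav.yml cannot tell that they were excluded because they fired on the Malware Data Science chapter 8 benignware dataset rather than because the rules are broken; add a YAML comment above the block, e.g. `# false positives on the Malware Data Science ch. 8 benignware set (https://www.malwaredatascience.com/code-and-data)`. Many of the entries (`upx`, `_UPX_V200V290`, `MD5_Constants`, `SHA1_Constants`, `RIPEMD160_Constants`, `Embedded_PE`, `embedded_macho`, `dotnet_libraries`, `dbgdetect_funcs`, `vmdetect`) are generic packer, hash-constant and anti-analysis heuristics that are expected to match legitimate software, so blacklisting them is a low-cost choice, but names such as `cve_2014_6352`, `shylock`, `TrojanWin32CitadelSampleA`, `RogueFakePAVSample` and `trickbot`-style entries read as family- or exploit-specific detections; silencing those on the strength of a benignware hit removes coverage, and it would help to note per rule which benign sample triggered it so the decision can be revisited. The added entries are also unsorted, which makes duplicates against the existing list above the hunk easy to miss.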