Blacklist "UPX" YARA rule
Of course it might be useful to detect UPX packed files (even though it
doesn't necessarily mean they're malicious), but the problem is that
this rule might hide a better detection underneath.

I ran a test with 592 UPX packed malware samples and the rule hit on 338
of them, which hid plenty of ClamAV's own signatures.
pyllyukko committed Oct 6, 2023
1 parent ac19bc5 commit 85581e9
Showing 1 changed file with 1 addition and 0 deletions.
1 change: 1 addition & 0 deletions tasks/clamav.yml
@@ -186,6 +186,7 @@
blackhole_basic
PM_Email_Sent_By_PHP_Script
CAP_HookExKeylogger
UPX
tags:
- configuration
- yara
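Review bot: the new `UPX` entry in the blacklist carries no explanation of why a packer-detection rule is being excluded, so a future maintainer reading tasks/clamav.yml will only see a bare rule name alongside `blackhole_basic`, `PM_Email_Sent_By_PHP_Script` and `CAP_HookExKeylogger`. The rationale in the commit message (UPX packing is not malicious by itself, and in a test of 592 UPX-packed samples the rule fired on 338 and masked ClamAV's own signatures) is exactly what should sit next to the entry; consider adding a YAML comment above `UPX` that states this and points at #84, so the reason for the exclusion travels with the file rather than only with the commit history.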

1 comment on commit 85581e9

@pyllyukko
Owner Author


#84
