From 85581e9de7b8feadfedf436679a66a18eeee53d4 Mon Sep 17 00:00:00 2001 From: pyllyukko Date: Fri, 6 Oct 2023 10:13:25 +0300 Subject: [PATCH] Blacklist "UPX" YARA rule Of course it might be useful to detect UPX packed files (even though it doesn't necessarily mean they're malicious), but the problem is that this rule might hide a better detection underneath. I ran a test with 592 UPX packed malware samples and the rule hit on 338 of them, which hid plenty of ClamAV's own signatures. --- tasks/clamav.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/tasks/clamav.yml b/tasks/clamav.yml index 38e013b..3eee2bb 100644 --- a/tasks/clamav.yml +++ b/tasks/clamav.yml @@ -186,6 +186,7 @@ blackhole_basic PM_Email_Sent_By_PHP_Script CAP_HookExKeylogger + UPX tags: - configuration - yara
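Review bot: The rationale for adding `UPX` to this blacklist (a generic packer rule masking ClamAV's more specific signatures, per the 592-sample test described in the commit message) exists only in the commit message, not in tasks/clamav.yml; consider adding a short YAML comment above the `UPX` entry so a later reader of the list does not remove it as an apparent oversight, since the surrounding entries (`blackhole_basic`, `PM_Email_Sent_By_PHP_Script`, `CAP_HookExKeylogger`) give no hint that this one trades generic packer detection for better underlying signature hits.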