Blacklisted YARA rules that produce FPs

* https://github.com/Yara-Rules/rules/blob/master/malware/RAT_PoetRATPython.yar FPs on a whole bunch of C & C++ sources and headers amongst other benign files. Try scanning /usr/include/ and find out :) * https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Sqlite.yar alerts on anything with "SQLite format 3" * php_uname & php_malfunctions in https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Magento_suspicious.yar are too generic * blackhole_basic in https://github.com/Yara-Rules/rules/blob/master/exploit_kits/EK_Blackhole.yar seems too generic and FPs on files like swig-4.0.2/CHANGES & bison.info.gz * PM_Email_Sent_By_PHP_Script in https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Mailers.yar is too generic (e.g. only having "/usr/bin/php") * https://github.com/Yara-Rules/rules/blob/master/malware/MALW_CAP_HookExKeylogger.yar is too generic and FPs on files like /usr/lib64/gcc/x86_64-slackware-linux/11.2.0/include/d/core/sys/windows/winuser.d
pyllyukko · Oct 5, 2023 · 86e3371 · 86e3371 · pyllyukko · Jan 11, 2024
1 parent 45b675c
commit 86e3371
Showing 1 changed file with 7 additions and 0 deletions.
diff --git a/tasks/clamav.yml b/tasks/clamav.yml
@@ -179,6 +179,13 @@
         mode: '0644'
         content: |
           sigs.InterServer.net.HEX.Topline.malware.string.11334.179
+          PoetRat_Python
+          with_sqlite
+          php_uname
+          php_malfunctions
+          blackhole_basic
+          PM_Email_Sent_By_PHP_Script
+          CAP_HookExKeylogger
       tags: configuration
     # https://docs.clamav.net/manual/Signatures/YaraRules.html
     # https://github.com/Neo23x0/signature-base (e36e80a)