Commenting out high FP rules as per issue #39

84a474ce · jovimon · 1275165d · 84a474ce · 84a474ce · 84a474ce
Commit 84a474ce authored Sep 09, 2015 by jovimon
Hide whitespace changes
Inline Side-by-side

Showing with 49 additions and 5 deletions

antidebug.yar antidebug.yar +30 -2

malicious_document.yar malicious_document.yar +9 -0

APT1.yar malware/APT1.yar +3 -1

packer.yar packer.yar +7 -2

No files found.
--- a/antidebug.yar
+++ b/antidebug.yar
 /*
    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
-
 */

 import "pe"
@@ -82,6 +81,8 @@ rule DebuggerHiding__Active : AntiDebug DebuggerHiding {
 		any of them
 }

+// 20150909 - Issue #39 - Commented because of High FP rate
+/*
 rule DebuggerTiming__PerformanceCounter : AntiDebug DebuggerTiming {
 	meta:
 		weight = 1
@@ -92,7 +93,10 @@ rule DebuggerTiming__PerformanceCounter : AntiDebug DebuggerTiming {
 	condition:
 		any of them
 }
+*/

+// 20150909 - Issue #39 - Commented because of High FP rate
+/*
 rule DebuggerTiming__Ticks : AntiDebug DebuggerTiming {
 	meta:
 		weight = 1
@@ -103,7 +107,10 @@ rule DebuggerTiming__Ticks : AntiDebug DebuggerTiming {
 	condition:
 		any of them
 }
+*/

+// 20150909 - Issue #39 - Commented because of High FP rate
+/*
 rule DebuggerOutput__String : AntiDebug DebuggerOutput {
 	meta:
 		weight = 1
@@ -114,7 +121,10 @@ rule DebuggerOutput__String : AntiDebug DebuggerOutput {
 	condition:
 		any of them
 }
+*/

+// 20150909 - Issue #39 - Commented because of High FP rate
+/*
 rule DebuggerException__UnhandledFilter : AntiDebug DebuggerException {
 	meta:
 		weight = 1
@@ -125,6 +135,7 @@ rule DebuggerException__UnhandledFilter : AntiDebug DebuggerException {
 	condition:
 		any of them
 }
+*/

 rule DebuggerException__ConsoleCtrl : AntiDebug DebuggerException {
 	meta:
@@ -219,7 +230,8 @@ rule SEH__vectored : AntiDebug SEH {
 		any of them
 }

-
+// 20150909 - Issue #39 - Commented because of High FP rate
+/*
 rule DebuggerPattern__RDTSC : AntiDebug DebuggerPattern {
 	meta:
 		weight = 1
@@ -230,7 +242,10 @@ rule DebuggerPattern__RDTSC : AntiDebug DebuggerPattern {
 	condition:
 		any of them
 }
+*/

+// 20150909 - Issue #39 - Commented because of High FP rate
+/*
 rule DebuggerPattern__CPUID : AntiDebug DebuggerPattern {
 	meta:
 		weight = 1
@@ -241,7 +256,10 @@ rule DebuggerPattern__CPUID : AntiDebug DebuggerPattern {
 	condition:
 		any of them
 }
+*/

+// 20150909 - Issue #39 - Commented because of High FP rate
+/*
 rule DebuggerPattern__SEH_Saves : AntiDebug DebuggerPattern {
 	meta:
 		weight = 1
@@ -252,7 +270,10 @@ rule DebuggerPattern__SEH_Saves : AntiDebug DebuggerPattern {
 	condition:
 		any of them
 }
+*/

+// 20150909 - Issue #39 - Commented because of High FP rate
+/*
 rule DebuggerPattern__SEH_Inits : AntiDebug DebuggerPattern {
 	meta:
 		weight = 1
@@ -263,6 +284,7 @@ rule DebuggerPattern__SEH_Inits : AntiDebug DebuggerPattern {
 	condition:
 		any of them
 }
+*/


 rule Check_Dlls
@@ -546,6 +568,8 @@ rule Check_OutputDebugStringA_iat
 		pe.imports("kernel32.dll","OutputDebugStringA")
 }

+// 20150909 - Issue #39 - Commented because of High FP rate
+/*
 rule Check_unhandledExceptionFiler_iat {

 	meta:
@@ -557,7 +581,10 @@ rule Check_unhandledExceptionFiler_iat {
 	condition:
 		pe.imports("kernel32.dll","UnhandledExceptionFilter")	
 }
+*/

+// 20150909 - Issue #39 - Commented because of High FP rate
+/*
 rule check_RaiseException_iat {

 	meta:
@@ -569,6 +596,7 @@ rule check_RaiseException_iat {
 	condition:
 		pe.imports("kernel32.dll","RaiseException")	
 }
+*/

 rule Check_FindWindowA_iat {


--- a/malicious_document.yar
+++ b/malicious_document.yar
@@ -14,6 +14,8 @@ rule maldoc_API_hashing
        any of them
 }

+// 20150909 - Issue #39 - Commented because of High FP rate
+/*
 rule maldoc_function_prolog_signature
 {
    meta:
@@ -27,7 +29,10 @@ rule maldoc_function_prolog_signature
    condition:
        any of them
 }
+*/

+// 20150909 - Issue #39 - Commented because of High FP rate
+/*
 rule maldoc_structured_exception_handling
 {
    meta:
@@ -38,6 +43,7 @@ rule maldoc_structured_exception_handling
    condition:
        any of them
 }
+*/

 rule maldoc_indirect_function_call_1
 {
@@ -131,6 +137,8 @@ rule maldoc_OLE_file_magic_number
        $a
 }

+// 20150909 - Issue #39 - Commented because of High FP rate
+/*
 rule maldoc_suspicious_strings
 {
    meta:
@@ -155,6 +163,7 @@ rule maldoc_suspicious_strings
    condition:
        any of them
 }
+*/

 rule mwi_document : exploitdoc
 {

--- a/malware/APT1.yar
+++ b/malware/APT1.yar
@@ -1037,6 +1037,8 @@ rule APT1_TARSIP_MOON
        1 of ($s*) and 1 of ($msg*) and 1 of ($onec*)
 }

+// 20150909 - Issue #39 - Commented because of High FP rate
+/*
 rule APT1_payloads
 {
    meta:
@@ -1081,7 +1083,7 @@ rule APT1_payloads
    condition:
        1 of them
 }
-
+*/

 rule APT1_RARSilent_EXE_PDF
 {

--- a/packer.yar
+++ b/packer.yar
@@ -59,6 +59,8 @@ rule Borland
 		$patternBorland 
 }

+// 20150909 - Issue #39 - Commented because of High FP rate
+/*
 rule java 
 {
      meta:
@@ -68,6 +70,8 @@ rule java
 	condition:
 		$patternjava
 }
+*/
+
 rule NET 
 {
      meta:
@@ -12062,7 +12066,8 @@ condition:
 		$a0 at pe.entry_point
 }
 	
-	
+// 20150909 - Issue #39 - Commented because of High FP rate
+/*
 rule Armadillov171
 {
      meta:
@@ -12073,7 +12078,7 @@ strings:
 condition:
 		$a0 at pe.entry_point
 }
-	
+*/
 	
 rule KBySV022shoooo
 {