False Positive Reduction

This commit is contained in:
Florian Roth 2018-10-19 09:06:10 +02:00
parent 5dfc61f909
commit c8d3a207a8


@ -266,19 +266,22 @@ rule Exe_Cloaked_as_ThumbsDb
rule Fake_AdobeReader_EXE
{
meta:
description = "Detects an fake AdobeReader executable based on filesize OR missing strings in file"
date = "2014-09-11"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
description = "Detects an fake AdobeReader executable based on filesize OR missing strings in file"
date = "2014-09-11"
author = "Florian Roth"
score = 50
score = 50
nodeepdive = 1
nodeepdive = 1
strings:
$s1 = "Adobe Systems" ascii
$s2 = "Adobe Reader" ascii wide
$s1 = "Adobe Systems" ascii
$fp1 = "Adobe Reader" ascii wide
$fp2 = "Xenocode Virtual Appliance Runtime" ascii wide
condition:
uint16(0) == 0x5a4d and
filename matches /AcroRd32.exe/i and
not $s1 in (filesize-2500..filesize)
and not $s2
uint16(0) == 0x5a4d and
filename matches /AcroRd32.exe/i and
not $s1 in (filesize-2500..filesize)
and not 1 of ($fp*)
}
rule Fake_FlashPlayerUpdaterService_EXE
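Review bot: The rewritten condition still relies on `filename`, which is not a YARA built-in but an external variable the scanner has to supply; a stock `yara` run without `-d filename=...` fails at compile time, and neither the meta block nor a comment records that dependency. I would add a comment above the condition, `// requires external variable 'filename' (set by the scanning wrapper)`, so the rule's runtime requirement is visible next to the check. Two smaller points in the same lines: the regex `filename matches /AcroRd32.exe/i` has an unescaped `.`, so `/AcroRd32\.exe/i` is the stricter form, and the description still reads "Detects an fake AdobeReader executable", which should be "Detects a fake AdobeReader executable". Note that the new `not 1 of ($fp*)` clause suppresses a hit whenever either FP string is present anywhere in the file, which widens what the rule will miss; a short meta note on why "Xenocode Virtual Appliance Runtime" was chosen as an FP marker would help future maintainers judge that trade-off.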