
Livehunt uses an up-to-date version of YARA, which means that the latest YARA documentation is usually the place to go for a detailed description of the language and its features. However, there are a few things that you need to know while creating YARA rules specifically tailored for Livehunt:

- Rules for which YARA raises performance warnings are not accepted by Livehunt. Such rules are usually very slow and degrade the service both for you and the rest of the users.
- You cannot use include statements in your rules.
- Standard modules currently supported are: pe, elf, math, magic, hash, cuckoo, and dotnet. In addition to the standard modules enumerated above, you can also use the vt module, which was specifically created for Livehunt and exposes additional information about the file being scanned. Keep reading for more information about this module.

Most YARA rules are based on patterns found inside the files themselves; however, this is not always enough. Sometimes you may need to create rules that leverage additional information that VirusTotal has about the file. For example, you may want to create a rule that only applies to a certain file type, or to files that are detected by at least one antivirus, or perhaps you are only interested in files that are submitted to VirusTotal for the first time or from a given country. All these cases, and many more, can be expressed in your YARA rules.

In order to expose all the information that VirusTotal has about the file being scanned, we have created a custom YARA module named vt. This module contains metadata like antivirus signatures, file type, file behavior, submitter, etc. The vt module exposes all the metadata that VirusTotal has about a file to YARA, so that you can create Livehunt rules based on that metadata. For example, the following condition matches PE executables that more than one antivirus engine flags as malicious (note that YARA's equality operator is ==, not =):

    vt.metadata.analysis_stats.malicious > 1 and vt.metadata.file_type == vt.FileType.PE_EXE

The vt module replaces the previous mechanism for exposing a file's metadata, which was based on custom variables like signatures, positives, file_name, and so on. These variables have been deprecated, but they will continue to work and are still documented in the Legacy variables section.
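The following complete Livehunt rule is an added example, not taken from the VirusTotal documentation: it combines the standard pe module and file-content strings with the vt metadata the text describes (file type, detection count, first-time submission, submitter country). The fields vt.metadata.new_file and vt.metadata.submitter.country are assumed from the vt module's own metadata reference and should be checked against it; the country code and the detection threshold are constructed sample values.

```yara
import "vt"
import "pe"

// Added example rule (not part of the original page). Shows how content-based
// patterns, the standard pe module and vt module metadata are combined in one
// Livehunt condition.
rule livehunt_new_pe_suspected_downloader
{
    meta:
        description = "First-seen PE executables flagged by several engines that carry downloader traits"
        author      = "example (constructed)"

    strings:
        // Patterns found inside the file itself. Keep atoms reasonably long:
        // very short or very common byte patterns make YARA emit a performance
        // warning, and Livehunt rejects rules that trigger such warnings.
        $url_http  = "http://"  ascii wide nocase
        $url_https = "https://" ascii wide nocase

    condition:
        // Metadata exposed by the vt module (file_type, FileType.PE_EXE and
        // analysis_stats.malicious are the fields named on the page).
        vt.metadata.file_type == vt.FileType.PE_EXE and
        vt.metadata.analysis_stats.malicious >= 3 and
        // Assumed vt fields: first submission to VirusTotal, submitter country
        // (ISO code; "ES" is a constructed sample value).
        vt.metadata.new_file and
        vt.metadata.submitter.country == "ES" and
        // Checks on the file content via the standard pe module and strings.
        (
            pe.imports("urlmon.dll", "URLDownloadToFileA") or
            pe.imports("wininet.dll", "InternetOpenUrlA")
        ) and
        1 of ($url_*)
}
```

The vt checks cost nothing at scan time because they read metadata VirusTotal already holds, so they are a good way to narrow a rule before the string and pe checks run against the file.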
