Yara Rule QA: Can’t I Write Code to do This for Me?

Presented at DerbyCon 6.0 Recharge (2016), Sept. 25, 2016, 11 a.m. (50 minutes)

Yara is a powerful scanning tool that uses signatures to detect threats. It has quickly become a staple of many IT security programs. They can be used to find new samples with VirusTotal hunting, to scan endpoints, to detect malware families during sandbox or manual analysis, and for whatever other use you can come up with. New malware intelligence usually has a yara rule for detection of the malicious code, and there are many public groups that share yara rules so you need not create your own for each new threat. Accepting public rules into your own tools and environment creates some issues, though. Will the rule run with your tool (version issues)? Is the rule written efficiently (performance issues)? Will the rule compile or have a high True Positive/ False Positive ratio (quality issues)? Do different collections of rules have overlapping signatures (duplication issues)? This talk will discuss problems with accepting publicly available yara rules into your own tools and environment, and share code with mitigating these issues.


Similar Presentations: