sfan
Level 8
Message 1 of 5

Some questions about the YARA rules

We would like to enable "Custom Yara Scanner" in our ATD 4.8.0.17. To my understanding, we may need to manually upload custom Yara rules in Manager --> Image & Software --> Content Update --> YARA Rules, then enable the "Custom Yara Scanner" in Policy --> Analyzer Profile. And we would like to upload the rules from the following link.

https://github.com/advanced-threat-research/Yara-Rules

Here are our questions.

1. What benefits could we get when enabling the Custom Yara Scanner?

2. There are quite a few rules in the above GitHub link; do we have to upload those Yara rules one by one? If we can only upload Yara rules one by one, then how many rules in total can be uploaded? And how could we maintain those uploaded Yara rules when the rules change or need to be deleted?

3. As mentioned in the Product Guide, what is the difference between "Custom Yara Scanner" and the "Internal Yara Rules"? If we do not enable the "Custom Yara Scanner", will McAfee ATD still process the sample files by scanning with the "Internal Yara Rules"? Will these "Internal Yara Rules" be updated by the ATD content package or a software update?

https://docs.mcafee.com/bundle/advanced-threat-defense-4.8.x-product-guide/page/GUID-807217CE-5A42-4...

"Assuming you have enabled all analyze options with custom YARA rules, Advanced Threat Defense processes the sample files and URLs in the following order of priority:

  1. Global Whitelist
  2. Local blacklist
  3. McAfee GTI
  4. McAfee Gateway Anti-Malware Engine
  5. McAfee Anti-Malware Engine
  6. Custom Yara Scanner
  7. Dynamic Analysis
  8. Custom Behavioral Rules — User-managed YARA rules.
  9. Internal YARA rules — Internal YARA rules that are defined by McAfee and updated during Advanced Threat Defense software upgrades. You cannot view or download these rules."

Many Thanks!

4 Replies
hsadi
Employee
Message 2 of 5

Re: Some questions about the YARA rules

Hi Sfan,

1. What benefits could we get when enabling the Custom Yara Scanner?

Answer: Custom Yara Scanner is available as a static analysis option with no dependency on dynamic analysis. These rules are user-defined, written to identify any specific pattern in a file. Custom Yara Scanner serves as an analysis option in the analyzer profile before analysis.

2. There are quite a few rules in the above GitHub link; do we have to upload those Yara rules one by one? If we can only upload Yara rules one by one, then how many rules in total can be uploaded? And how could we maintain those uploaded Yara rules when the rules change or need to be deleted?

Answer: You can copy any number of rules into one .yara file and upload it as the Custom Yara Scanner file. You can manually modify/delete a rule and upload the modified file again.

• For demonstration I copied all the rules mentioned in the above git link into one .yara file. There could be a few modules which are currently not supported in ATD; you will get an error while uploading for such rules. After removing them, I got around 139 rules. Now you can upload your Custom Yara Scanner file. After enabling Custom Yara Scanner in the Analyzer Profile, you can start submitting samples. I submitted a sample from the git link provided by the customer. Please refer to the attached report <Custom_yara_sample.pdf> to see how a report looks when a Custom Yara rule gets a hit.


3. As mentioned in the Product Guide, what is the difference between "Custom Yara Scanner" and the "Internal Yara Rules"?
Answer: Custom Yara Scanner serves as an analysis option in the analyzer profile before analysis, whereas Internal Yara Rules apply during dynamic analysis and hit on the user API logs while/after the sample is analyzed.

4. If we do not enable the "Custom Yara Scanner", will McAfee ATD still process the sample files by scanning with the "Internal Yara Rules"? Will these "Internal Yara Rules" be updated by the ATD content package or a software update?

Answer: Yes, Internal Yara Rules will be applicable if the sandbox is selected. We update and add new rules every month, and they are delivered to customers via the Content package.

sfan
Level 8
Message 3 of 5

Re: Some questions about the YARA rules

Hi, there

Thanks a lot for your kind reply. But I did not find the attached report <Custom_yara_sample.pdf>. Could you please reattach it?

Many Thanks,

Regards,

Shelly


hsadi
Employee
Message 4 of 5

Re: Some questions about the YARA rules

Hi Sfan,

Here it is.

Regards,

SWISS
Reliable Contributor
Message 5 of 5

Re: Some questions about the YARA rules

Hello together,


The question could be from us. Thank you for posting these in detail, and I would like to mention that these parts are not mentioned in the documentation (maybe in a newer one; we have had the ATD for around 7 years).

I was just applying the detection package of 09.05.2023 as per SNS. I started checking the first "change", and the mentioned ransomware was first seen in 2019. It may be a new variant, or simply it was not caught since 2019. Then the second thing: the VBScript without the .vbs extension? We discussed that once in a remote session, as far as we can remember, but that was in 2014?

For the YARA rules, it is maybe clear that we can't discuss such things here, but where else?

You mention that you update the built-in YARA rules every 30 days? What about 0-days, which are 75% of the market?

We also had the same problem with the process of, for example, uploading the hourly YARA collection from abuse.ch. Of the 101 YARA rules, 3 failed. You upload, check the logs, remove the invalid .yar file, merge, upload, re-check. Sure, we could pre-check those with some scripts on a separate machine.

Here again, how should we automate this for a 1000+ box, not a 10'000 box, company with 24/7 OPS as a reseller?

Main question we have:

As an example, from today's abuse.ch YARA rules: 101. How many are built in if we update everything we can that Trellix supplies, dated 10.05.2023? I mean, how many built-in YARA rules are there, and how many should or must we integrate manually on our side (because it is TOO risky for all customers)? What if they are DOUBLE and negative for performance?

Any help welcome.

Greetings from Switzerland
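
Both procedures described in this thread, hsadi's step of copying every rule into one .yara file and dropping the ones ATD rejects at upload because of unsupported modules, and SWISS's upload / check the logs / remove the invalid .yar / merge / re-upload cycle for the abuse.ch collection, can be pre-checked offline before anything touches the appliance. The script below is an added example written for this page; it is not ATD code and not from the linked repositories. It assumes a directory of .yar/.yara files, and its ALLOWED_MODULES set is a placeholder: the thread does not say which YARA modules ATD refuses, so fill that set from the upload errors you actually see. The sample rule files embedded in it are constructed for the demonstration.

```python
"""Offline preflight for YARA rules before they go into ATD's single Custom Yara Scanner file.
Rejects files that import a module outside ALLOWED_MODULES, reuse a rule identifier, or look
truncated; merges the rest with each import hoisted once to the top (YARA requires imports
before rules). Pure Python; yara-python, if installed, additionally compiles the result."""
import re
import sys
from pathlib import Path

# ASSUMPTION: the thread does not say which modules ATD rejects; replace this set with what
# your appliance actually accepts (start from the upload errors you see).
ALLOWED_MODULES = {"pe", "math", "hash"}

RULE_RE = re.compile(r'^\s*(?:(?:private|global)\s+)*rule\s+([A-Za-z_]\w*)', re.M)
IMPORT_RE = re.compile(r'^\s*import\s+"([^"]+)"\s*$', re.M)
BLOCK_COMMENT_RE = re.compile(r'/\*.*?\*/', re.S)
LINE_COMMENT_RE = re.compile(r'^\s*//.*$', re.M)
STRING_RE = re.compile(r'"(?:\\.|[^"\\])*"')

# Constructed sample inputs for the demonstration (not rules from the linked repositories).
SAMPLE_FILES = {
    "a_good.yar": r'''
rule Demo_Mutex_String {
    strings: $m = "Global\\demo_mutex" ascii
    condition: $m
}''',
    "b_uses_cuckoo.yar": r'''
import "cuckoo"
rule Demo_Cuckoo_Behaviour { condition: cuckoo.sync.mutex(/demo/) }''',
    "c_duplicate.yar": r'''
rule Demo_Mutex_String {
    strings: $m = "demo_mutex_copy"
    condition: $m
}''',
    "d_truncated.yar": r'''
rule Demo_Truncated {
    strings: $a = "broken"
    condition: $a''',
    "e_pe.yar": r'''
import "pe"
import "math"
rule Demo_PE_Entropy { condition: pe.number_of_sections > 3 and math.entropy(0, filesize) > 7.0 }''',
}


def strip_comments(text):
    """Remove /* */ blocks and whole-line // comments so commented-out rules are not counted."""
    return LINE_COMMENT_RE.sub("", BLOCK_COMMENT_RE.sub("", text))


def analyze(text):
    """Rule identifiers, imported modules and a brace-balance heuristic for one rule file."""
    body = strip_comments(text)
    no_strings = STRING_RE.sub("", body)  # a "{" inside a string literal must not skew the count
    return {
        "rules": RULE_RE.findall(body),
        "imports": IMPORT_RE.findall(body),
        "balanced": no_strings.count("{") == no_strings.count("}"),
    }


def preflight(files, allowed_modules):
    """files: {filename: rule text}. Returns (merged_text, accepted_names, [(name, reason)])."""
    accepted, rejected, owner, imports, bodies = [], [], {}, [], []
    for name in sorted(files):
        info = analyze(files[name])
        bad_modules = sorted(set(info["imports"]) - set(allowed_modules))
        dup = next((r for r in info["rules"] if r in owner), None)
        if not info["balanced"]:
            rejected.append((name, "unbalanced braces (truncated file?)"))
        elif not info["rules"]:
            rejected.append((name, "no rule found"))
        elif bad_modules:
            rejected.append((name, "imports module(s) not allowed: " + ", ".join(bad_modules)))
        elif dup:
            rejected.append((name, "duplicate rule identifier %s (first seen in %s)" % (dup, owner[dup])))
        elif len(set(info["rules"])) != len(info["rules"]):
            rejected.append((name, "rule identifier repeated inside the file"))
        else:
            owner.update({r: name for r in info["rules"]})
            for m in info["imports"]:
                if m not in imports:
                    imports.append(m)
            # import lines are hoisted to the merged header, so they are stripped from the body
            bodies.append("// ---- source: %s ----\n%s" % (name, IMPORT_RE.sub("", files[name]).strip()))
            accepted.append(name)
    header = "".join('import "%s"\n' % m for m in imports)
    return header + "\n" + "\n\n".join(bodies) + "\n", accepted, rejected


def compile_check(merged):
    """None if yara-python is absent, [] if the merged text compiles, else the error messages."""
    try:
        import yara
    except ImportError:
        return None
    try:
        yara.compile(source=merged)
        return []
    except yara.Error as exc:
        return [str(exc)]


if __name__ == "__main__":
    # usage: python yara_preflight.py [rules_dir]   (no argument: run on the embedded samples)
    files = ({p.name: p.read_text() for p in Path(sys.argv[1]).glob("*.yar*")}
             if len(sys.argv) > 1 else SAMPLE_FILES)
    merged, accepted, rejected = preflight(files, ALLOWED_MODULES)
    for name, reason in rejected:
        print("REJECT  %-20s %s" % (name, reason))
    print("accepted:", ", ".join(accepted))
    errors = compile_check(merged)
    print("yara-python:", "not installed" if errors is None else (errors or "merged file compiles"))
    Path("custom_yara_merged.yara").write_text(merged)
```

Running it on the embedded samples rejects the cuckoo-importing file, the file that reuses an identifier, and the truncated file, and writes the two surviving rules to custom_yara_merged.yara with `import "pe"` and `import "math"` once at the top; point it at a directory to do the same for a real collection. The duplicate check only covers the custom set you control: the Product Guide text quoted above says the internal McAfee rules cannot be viewed or downloaded, so overlap with those cannot be measured offline and has to be judged from the ATD reports themselves.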
