Author Topic: YARA signatures almost got detected by every antiviruses  (Read 2537 times)

0 Members and 1 Guest are viewing this topic.

Offline lichesssatrancturkiye

  • Jr. Member
  • **
  • Posts: 35
YARA signatures almost got detected by every antiviruses
« on: January 03, 2024, 02:14:43 PM »
Hello I collecting YARA rules but my YARA signatures are got detected. How can I fix that? I don't want hide them.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89230
  • No support PMs thanks
Re: YARA signatures almost got detected by every antiviruses
« Reply #1 on: January 03, 2024, 03:18:50 PM »
In order to help we need information and we/I can't talk about other antiviruses only if it is specific to Avast.  I have no idea what YARA rules or signatures are about.

If you are getting an Avast Alert what is the information contained in that alert.  You can attach a screenshot of the Alert window with the Details option selected.

Attaching Images to your post - When you Click the Reply button it opens a text window for you to post your comment (reply or post).
Click the Preview button, that shows what you have input and expands it to include 'Attachments and other options'. Click that it further expands, here you can attach images, etc. at the bottom of your post.
See my attached image, click to expand.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security


Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89230
  • No support PMs thanks
Re: YARA signatures almost got detected by every antiviruses
« Reply #3 on: January 04, 2024, 07:24:38 PM »
Unfortunately the VT link didn't provide the requested information (screenshot of the alert windows with the details option selected.), all it does is confirm Avast isn't alone in detecting this.

Quote from: lichesssatrancturkiye
How can I fix that? I don't want hide them.

I don't know what you mean by 'Fix' or what you mean by not wanting to 'Hide' them.

This may well just be a language issue Fix and Hide meaning something different to me.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89230
  • No support PMs thanks
Re: YARA signatures almost got detected by every antiviruses
« Reply #4 on: January 06, 2024, 02:27:31 AM »
A forum friend has updated me on what Yara is.

https://www.varonis.com/blog/yara-rules
Quote from: Extract
YARA rules are used to classify and identify malware samples by creating descriptions of malware families based on textual or binary patterns

https://virustotal.github.io/yara/
Quote from: Extract
YARA is a tool aimed at (but not limited to) helping malware researchers to identify and classify malware samples. With YARA you can create descriptions of malware families (or whatever you want to describe) based on textual or binary patterns. Each description, a.k.a rule, consists of a set of strings and a boolean expression which determine its logic. Let's see an example:

I'm not surprised that Avast considers it suspect, it is very much the same as having a second active antivirus installed (detecting each others signatures).
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33926
  • malware fighter
Re: YARA signatures almost got detected by every antiviruses
« Reply #5 on: January 26, 2024, 04:46:31 PM »
Probably you should start to use Arya: https://claroty.com/team82/research/arya-the-new-tailor-made-eicar-using-yara

This is advisable as commercial AV also will include Yara rules for detection.

You cannot have two dogs to watch over the porch, they won't watch the porch -
they will start to fight amongst each other! (e.g. mutual detection of signatures/detection rules).

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!