## Overview

Malwatch uses `yara` for rules. The terms `signature` and `rule` can be used interchangeably. The format of a basic `yara` rule is included as an example below:

```yara
rule eicar
{
    strings:
        $s1 = "$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!"
    condition:
        $s1
}
```

Each `rule` has attributes, most commonly those which are necessary such as the `name`, `strings` (in our use case) and `condition`. Additional information related to `yara` is available in the YARA Documentation.
## Paths

| Path | Description |
|---|---|
| `tmp/sigs` | Repo downloads |
| `sigs/src` | Source files |
| `sigs/index.yara` | Index |
| `sigs/yara.compiled` | Bytecode (compiled ruleset) |
## Updates

cmd: `malwatch signatures update`

There are two ways to update signatures:

- Clone from a `git` repo.
- Manually update (perhaps with automation such as `ansible`).

Our official signature base is available to the public for free on GitHub at https://www.github.com/defended-net/malwatch-signatures and is preconfigured as default.

We purposely did not include `http` based signature updates because there is a lack of transparency and change control for end users. A malicious ruleset would harm those with `quarantine` or `exile` as default actions! There is no reliable change accountability. If your current malware scanner does updates this way, please carefully consider these scenarios.
## Refreshes

cmd: `malwatch signatures refresh`

A signature `refresh` does not perform a signature base download; it instead compiles a new `yara.compiled` file from the signature source files referenced in `index.yara`.
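The rule format from the Overview and the `index.yara` to `yara.compiled` step above together suggest a pre-flight check worth running before a refresh. The following is an added example, not Malwatch's own code: it builds an index from a source directory and flags the two problems the YARA compiler would reject, an include whose file is missing and a rule identifier defined in two sources. The directory layout (`src/`, `index.yara`) is constructed for the demo and assumes the same relative layout as the Paths table.

```python
# Added example (not Malwatch's own code): pre-flight an index.yara before
# `malwatch signatures refresh` compiles the sources it references. Flags an
# include whose file is missing and a rule name defined twice (both fail to compile).
import re
import tempfile
from pathlib import Path

INCLUDE_RE = re.compile(r'^\s*include\s+"([^"]+)"\s*$', re.MULTILINE)
RULE_RE = re.compile(r'^\s*(?:(?:private|global)\s+)*rule\s+([A-Za-z_]\w*)', re.MULTILINE)

def build_index(src_dir: Path, index_path: Path) -> list[str]:
    """Write one include line per .yara file under src_dir, sorted for reproducibility."""
    includes = sorted(p.relative_to(index_path.parent).as_posix()
                      for p in src_dir.rglob("*.yara"))
    index_path.write_text("".join(f'include "{inc}"\n' for inc in includes))
    return includes

def check_index(index_path: Path) -> list[str]:
    """Return human-readable problems; an empty list means the index is clean."""
    problems = []
    seen = {}  # rule name -> first file that defined it
    for inc in INCLUDE_RE.findall(index_path.read_text()):
        src = index_path.parent / inc
        if not src.is_file():
            problems.append(f"missing source file: {inc}")
            continue
        for name in RULE_RE.findall(src.read_text()):
            if name in seen:
                problems.append(f"duplicate rule {name}: {inc} and {seen[name]}")
            else:
                seen[name] = inc
    return problems

def demo() -> list[str]:
    """Constructed layout mirroring sigs/src and sigs/index.yara from the Paths table."""
    root = Path(tempfile.mkdtemp())
    src = root / "src"
    src.mkdir()
    (src / "eicar.yara").write_text(
        'rule eicar\n{\n    strings:\n        $s1 = "$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!"\n'
        '    condition:\n        $s1\n}\n')
    # Same rule identifier in a second source: yara refuses to compile it.
    (src / "dup.yara").write_text('rule eicar\n{\n    condition:\n        true\n}\n')
    index = root / "index.yara"
    build_index(src, index)
    # Reference a source that was never downloaded.
    with index.open("a") as fh:
        fh.write('include "src/gone.yara"\n')
    return check_index(index)
```

Run `check_index` on the real `sigs/index.yara` and refuse to refresh when it returns anything, so a bad ruleset never reaches `yara.compiled`.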
## False Positives

False positives are unavoidable when threat hunting. The `actions` feature can be used to whitelist directories and files, and even to disable actions entirely should any not be needed.

The official `malwatch` signature base has been tested against popular scripts to at least help reduce false positives.
## Managed Signatures

Do you or your organisation need a professionally managed signature base fully customised to your threat profile? Contact us for direct to engineer service.