Level 8
Message 1 of 4

Some questions about the YARA rules

We would like to enable "Custom Yara Scanner" in our ATD 4.8.0.17. For my understanding, we may need to manually upload custom Yara Rules in Manager --> Image & Software --> Content Update --> YARA Rules, then enable the "Custom Yara Scanner" in the Policy --> Analyzer Profile. And we would like to upload the rules in the following link.

https://github.com/advanced-threat-research/Yara-Rules

Here are our questions.

1. What benefits could we get when enabling the Custom Yara Scanner?

2. There are quite some rules in the above GitHub link; do we have to upload those Yara rules one by one? If we can only upload Yara rules one by one, then how many rules in total can be uploaded? And how could we maintain those uploaded Yara rules when the rules get changed or need to be deleted?

3. As mentioned by the Product Guide, what is the difference between "Custom Yara Scanner" and the "Internal Yara Rules"? If we did not enable the "Custom Yara Scanner", will McAfee ATD still process the sample files by scanning the "Internal Yara Rules"? Will these "Internal Yara Rules" be updated by the ATD content package or software update?

https://docs.mcafee.com/bundle/advanced-threat-defense-4.8.x-product-guide/page/GUID-807217CE-5A42-4...

"Assuming you have enabled all analyze options with custom YARA rules, Advanced Threat Defense processes the sample files and URLs in the following order of priority:

  1. Global Whitelist
  2. Local blacklist
  3. McAfee GTI
  4. McAfee Gateway Anti-Malware Engine
  5. McAfee Anti-Malware Engine
  6. Custom Yara Scanner
  7. Dynamic Analysis
  8. Custom Behavioral Rules — User-managed YARA rules.
  9. Internal YARA rules — Internal YARA rules that are defined by McAfee and updated during Advanced Threat Defense software upgrades. You cannot view or download these rules."

Many Thanks!

3 Replies
McAfee Employee
Message 2 of 4

Re: Some questions about the YARA rules

Hi Sfan,

1. What benefits could we get when enabling the Custom Yara Scanner?

Answer: Custom Yara Scanner is available as a static analysis option with no dependency on dynamic analysis. These rules are user-defined, written to identify any specific pattern in a file. Custom Yara Scanner serves as an analyzing option in analyzer profile before analysis.

2. There are quite some rules in the above GitHub link; do we have to upload those Yara rules one by one? If we can only upload Yara rules one by one, then how many rules in total can be uploaded? And how could we maintain those uploaded Yara rules when the rules get changed or need to be deleted?

Answer: You can copy any number of rules into one .yara file and upload it as the Custom Yara Scanner file. You can manually modify/delete the rules and upload the modified file again.

• For demonstration I copied all the rules mentioned in the above git link into one .yara file. There could be a few modules which are currently not supported in ATD; you will get an error while uploading for such rules. After removing them, I got around 139 rules. Now you can upload your Custom Yara Scanner file. After enabling Custom Yara Scanner in the Analyzer Profile, you can start submitting samples. I submitted a sample from the git link provided by the customer. Please refer to the attached report <Custom_yara_sample.pdf> for how a report will look if a Custom Yara rule gets a hit.


3. As mentioned by the Product Guide, what is the difference between "Custom Yara Scanner" and the "Internal Yara Rules"?
Answer: Custom Yara Scanner serves as an analyzing option in the analyzer profile before analysis, whereas Internal Yara Rules apply to dynamic analysis and hit on user API logs after/while the sample is analyzed.

4. If we did not enable the "Custom Yara Scanner", will McAfee ATD still process the sample files by scanning the "Internal Yara Rules"? Will these "Internal Yara Rules" be updated by the ATD content package or software update?

Answer: Yes, Internal Yara Rules will be applicable if sandbox is selected. We update and add new rules every month, and they are delivered to customers via the Content package.
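As an added illustration of the merge-and-trim step described in this answer (this is example code, not McAfee's tooling or anything posted in the thread), the script below combines many .yar files into one upload file, drops rules that reference modules outside an assumed supported set, and flags duplicate rule names, which YARA also rejects. SUPPORTED_MODULES and the sample rules are constructed placeholders; the thread does not name which modules ATD lacks.

```python
import re
# Placeholder assumption: modules the target scanner accepts. The thread says
# some modules are unsupported but does not name them, so adjust this set.
SUPPORTED_MODULES = {"pe"}
RULE_HEADER = re.compile(r"^\s*(?:(?:private|global)\s+)*rule\s+(\w+)", re.M)
IMPORT_LINE = re.compile(r'^\s*import\s+"(\w+)"\s*\n?', re.M)

def split_rules(source: str) -> list:
    """(name, text) per rule; a rule's text runs to the next rule header."""
    heads = list(RULE_HEADER.finditer(source))
    rules = []
    for i, m in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(source)
        text = IMPORT_LINE.sub("", source[m.start():end]).strip() + "\n"
        rules.append((m.group(1), text))
    return rules

def modules_used(rule_text: str, imported: set) -> set:
    """Heuristic: a rule needs module m if it references 'm.' in its body."""
    return {m for m in imported if re.search(r"\b%s\." % m, rule_text)}

def merge_yara(files: dict, supported=SUPPORTED_MODULES) -> dict:
    """Build one upload-ready .yara text; report dropped and duplicate rules."""
    merged, dropped, dups, seen, imports = [], [], [], set(), set()
    for fname, src in files.items():
        file_imports = set(IMPORT_LINE.findall(src))
        for name, text in split_rules(src):
            needs = modules_used(text, file_imports)
            if needs - supported:               # would error at upload time
                dropped.append((name, sorted(needs - supported)))
            elif name in seen:                  # YARA rejects duplicate identifiers
                dups.append((name, fname))
            else:
                seen.add(name)
                imports |= needs
                merged.append(text)
    header = "".join('import "%s"\n' % m for m in sorted(imports))
    return {"yara": header + "\n" + "\n".join(merged), "kept": len(merged),
            "dropped": dropped, "duplicates": dups}

# Constructed sample input standing in for .yar files cloned from the repo.
SAMPLE_FILES = {
    "a.yar": 'import "pe"\nrule Uses_PE { condition: pe.number_of_sections > 1 }\n'
             'rule Plain { strings: $a = "marker" condition: $a }\n',
    "b.yar": 'import "hash"\nrule Needs_Hash { condition: hash.md5(0, filesize) == "x" }\n'
             'rule Plain { condition: true }\n',
}

def demo() -> dict:
    return merge_yara(SAMPLE_FILES)
```

Write `demo()["yara"]` to a file for upload and review `dropped` and `duplicates` before uploading, since the scanner reports only the first error it hits.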

Level 8
Message 3 of 4

Re: Some questions about the YARA rules

Hi, there

Thanks a lot for your kind reply. But I did not find the attached report <Custom_yara_sample.pdf>. Could you please reattach it?

Many Thanks,

Regards,

Shelly


McAfee Employee
Message 4 of 4

Re: Some questions about the YARA rules

Hi Sfan,

Here it is.

Regards,
