How to Create a YARA Rule
All the YARA rules in Dr.Web vxCube follow the standard format:
Every rule begins with the keyword rule, followed by a rule name consisting of Latin letters, digits, or underscores. After a colon you can specify tags; they are included in the report if the rule is triggered during file analysis. The rule body can contain three sections:
•The required meta section specifies the maliciousness type (the maliciousness field) that will be assigned to the file if the rule is triggered. The possible values for the field are: neutral, suspicious, malware.
•The required condition section sets the condition. If the condition is met, the rule is triggered.
•The optional strings section specifies the strings that are used in the condition.
To add a rule:
1.At the top of the Dr.Web vxCube main page, click .
2.Click . The window containing a rule example code appears.
3.Edit the code to include the rule options you want.
4.Click .
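The following is an added example of a rule in the format described above; it is not taken from the Dr.Web vxCube documentation. It assumes that the maliciousness field is written as a quoted string in the meta section, and the rule name, tags, strings, and API names are constructed for illustration only:

```yara
rule Example_Suspicious_Downloader : downloader example
{
    meta:
        // Required by vxCube: one of neutral, suspicious, malware (assumed to be quoted)
        maliciousness = "suspicious"
        description = "Constructed example: PE file that embeds a URL together with a download/execute API name"
        author = "example"

    strings:
        $mz   = { 4D 5A }                                      // "MZ" header of a PE file
        $url  = /https?:\/\/[a-z0-9.\-]+\/[a-z0-9_\/.]+/ nocase // any embedded HTTP(S) URL
        $api1 = "URLDownloadToFileA" ascii wide                 // download helper name
        $api2 = "WinExec" ascii wide                            // process-launch helper name

    condition:
        // PE header at offset 0, a URL present, and at least one of the API names
        $mz at 0 and $url and any of ($api*)
}
```

If this rule matches during analysis, the file is marked suspicious and the tags downloader and example appear in the report.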
Figure 8. Add rule window