Managing YARA Rules
Dr.Web vxCube provides advanced capabilities for working with YARA rules. In the meta section, you can specify the file behavior category to be displayed in the report if the rule matches. To create rules that are triggered by certain file behavior, you can use the dr_sandbox module.

To add a rule

1. Click . The window with sample rule code appears.
2. In place of RuleName1, enter the rule's name using letters, digits, or underscores.
3. Change the TAG1 and TAG2 tags to your desired tags if necessary. They will be included in the report if this rule is triggered during the analysis.
4. Specify the file behavior category that will be assigned to the file if the rule is triggered. Possible values: "neutral", "suspicious", "malware".
5. Add other parameters and conditions for the rule.
6. Click .

Figure 9. Add rule window

To disable or enable a rule
• Point at the rule and click .

To edit a rule
• Point at the rule and click .

To delete a rule
• Point at the rule and click .

To set the number of rules displayed on one page
• Click the drop-down menu below the table.

To sort rules
• Click the corresponding column title.

To filter rules
• Enter your query in the search box. Search is done through the names, tags and last matched columns.
• Next to the table name, you can choose to display system, user, or all rules.
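As an added illustration of the steps above (this is example code, not a rule from the Dr.Web vxCube documentation), the rule below is laid out the way the Add rule window expects it: a rule name in place of RuleName1, two report tags in place of TAG1 and TAG2, a behavior category in the meta section, and ordinary strings and a condition. The name of the meta key that carries the category (`category`) is an assumption; take the real key name from the sample rule code the window shows. The rule is purely static and does not use the dr_sandbox module, whose fields the page does not document; the strings are constructed sample values.

```yara
// Added example, not part of the Dr.Web vxCube documentation.
// Tags after the colon replace TAG1 and TAG2 and appear in the report on a match.
rule Suspicious_RunKey_Dropper : dropper persistence
{
    meta:
        description = "Constructed sample: strings typical of a dropper that sets a Run key"
        author = "analyst"
        // Assumed key name for the behavior category shown in the report;
        // the documented values are "neutral", "suspicious" and "malware".
        category = "suspicious"

    strings:
        $run_key = "Software\\Microsoft\\Windows\\CurrentVersion\\Run" ascii wide nocase
        $appdata = "%APPDATA%" ascii wide nocase
        $shell   = "cmd.exe /c" ascii nocase

    condition:
        // Require a PE header (MZ) and at least two of the three indicators,
        // so a single benign reference to the Run key does not trigger the rule.
        uint16(0) == 0x5A4D and 2 of them
}
```

Because the category is only a report label, keep it conservative ("suspicious" rather than "malware") for rules that match on generic indicators, and raise it only where the condition is specific enough to stand on its own.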