How to Create a YARA Rule
All the YARA rules in Dr.Web vxCube follow the standard format:
Every rule begins with the keyword rule followed by a rule name. A rule name may contain only Latin letters, digits, and underscores, and must not begin with a digit. After a colon, you can specify tags; they will be included in the report if the rule is triggered during file analysis. A tag, like a rule name, must not start with a digit. The rule body then follows. It can contain three sections:

• The required meta section specifies the maliciousness type (the maliciousness field) that will be set for the file if the rule is triggered. The possible values for the field are: maliciousness: neutral, suspicious, malware.
• The required condition section sets the condition. If the condition is met, the rule is triggered.
• The optional strings section specifies the strings used in the rule.

1. At the top of the Dr.Web vxCube main page, click YARA rules.
2. Click
3. Edit the code to include the rule options you want.
4. Click Add.
Figure 8. Add rule window
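A complete rule in the format described above, as an added example that is not part of the Dr.Web documentation. The rule name, tag, and string values are constructed for illustration, and the example assumes that vxCube accepts standard YARA syntax in the strings and condition sections:

```yara
// Added example, not from the Dr.Web vxCube documentation.
// Name: Latin letters, digits and underscores only, not starting with a digit.
// Tags after the colon ("persistence" and "example") appear in the report
// when the rule fires; they must not start with a digit either.
rule vxcube_example_suspicious_persistence : persistence example
{
    meta:
        // Required in vxCube: the verdict applied to the analysed file
        // when the rule is triggered (neutral, suspicious or malware).
        maliciousness = "suspicious"

    strings:
        // Constructed sample indicators; replace with the strings your
        // own analysis identified.
        $run_key  = "CurrentVersion\\Run" ascii wide nocase
        $drop_dir = "\\AppData\\Roaming\\" ascii wide nocase
        $dos_stub = "This program cannot be run in DOS mode"

    condition:
        // Match only PE files (MZ signature at offset 0) that carry both
        // the autorun registry path and the user-profile drop directory.
        uint16(0) == 0x5A4D and
        $dos_stub and $run_key and $drop_dir
}
```

Paste the whole rule into the Add rule window (step 3 above); because maliciousness is set to suspicious, any file that matches the condition is reported with that verdict.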