About YARA Rules

YARA is an open-source malware analysis tool supported by the FireEye Malware Analysis appliances. YARA rules help analysts identify and classify malware samples: byte-level rules group files into malware families so that large quantities of files can be analyzed quickly for matches. If analysts identify a suspicious byte pattern, they can create a new YARA rule to identify likely malicious files. YARA integration results report whether an unknown file has been previously classified as malicious.

YARA rules are written and uploaded to the Malware Analysis appliance as ASCII text files. The use of YARA rules is enabled by default.

You can define YARA rules that are specific to a particular file type, such as pdf, exe, or docx, or common rules that apply to all file types.

You can define the following content types:

  • Base content—Allows the Malware Analysis appliance to apply the YARA rule to a particular file type or to all common file types. The appliance does not extract the macro from the attachment.
  • Active content—Allows the Malware Analysis appliance to apply the YARA rule to DOC, DOCX, PPT, PPSX, PPTX, XLS, XLSX, or common file types. The appliance extracts the macro from the attachment for analysis.
  • Base content and Active content—Allows the Malware Analysis appliance to apply the YARA rule to DOC, DOCX, PPT, PPSX, PPTX, XLS, XLSX, or common file types. The appliance analyzes the attachment and extracts the macro from the attachment for analysis.

For information about the supported YARA version for your release, see the Release Notes.

FireEye appliances identify the file type of a suspicious sample file and then apply YARA rules to a collection of files in the following order:

  • YARA rules that apply to common (all supported) file types
  • FireEye YARA rules specific to a selected file type
  • Custom YARA rules that apply to common (all supported) file types
  • Custom YARA rules specific to a selected file type

You can create your own YARA rules or use the rules that FireEye provides. By default, every custom YARA rule has an integer weight associated with it, ranging from 0 to 100. During static analysis, when a YARA rule matches, the weight of the matched rule is added to the overall score of the file deemed malicious. When multiple YARA rules match, the rule with the highest weight is used. If no weight is provided for a YARA rule, the default YARA weight is used.

Alerts are generated when the YARA rule match weight reaches 100. You can also set riskware policy rules to generate riskware alerts when weights are between 0 and 99. See Riskware Detection Custom Policy Rules.
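The following Python script is an illustration added here; it is not FireEye code and does not reproduce the appliance's engine. It models the rule ordering listed above (common rules before file-type-specific rules, FireEye rules before custom rules) and the weight-based scoring, using three constructed sample files and a constructed rule file written in a small subset of YARA syntax. The "weight" and "source" meta fields, the use of the rule tag as a file-type scope, the magic-byte file-type sniffer and the default weight of 50 are all assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import List

ALERT_THRESHOLD = 100   # page: an alert is generated when the match weight reaches 100
DEFAULT_WEIGHT = 50     # assumed placeholder; the appliance's real default is not on the page

# Constructed rule file (a YARA subset). "weight"/"source" meta fields and the
# tag-as-file-type scope are assumptions for this example, not FireEye conventions.
RULE_TEXT = r'''
rule fe_dos_stub : common {
    meta:
        source = "fireeye"
        weight = 20
    strings:
        $stub = "This program cannot be run in DOS mode"
    condition:
        any of them
}
rule custom_exe_cmd : exe {
    meta:
        weight = 100
    strings:
        $cmd = { 63 6D 64 2E 65 78 65 20 2F 63 }   // "cmd.exe /c"
    condition:
        all of them
}
rule custom_pdf_js : pdf {
    strings:
        $js = "/JavaScript"
    condition:
        any of them
}
'''

@dataclass
class Rule:
    name: str
    file_type: str        # rule tag: "common" (all types) or one specific type
    source: str           # "fireeye" or "custom"
    weight: int           # 0..100; DEFAULT_WEIGHT when the rule gives none
    strings: List[bytes]  # byte patterns from the strings: section
    need_all: bool        # True for "all of them", False for "any of them"

RULE_RE = re.compile(r"rule\s+(\w+)\s*:\s*(\w+)\s*\{(.*?)\n\}", re.S)
STR_RE = re.compile(r'\$\w+\s*=\s*(?:\{([0-9A-Fa-f\s]+)\}|"([^"]*)")')
META_RE = re.compile(r'(\w+)\s*=\s*("[^"]*"|\d+)')

def section(body: str, name: str) -> str:
    """Return the text of one rule section (meta, strings or condition)."""
    m = re.search(name + r":\s*(.*?)(?=\n\s*(?:meta|strings|condition):|\Z)", body, re.S)
    return m.group(1) if m else ""

def parse_rules(text: str) -> List[Rule]:
    rules = []
    for name, tag, body in RULE_RE.findall(text):
        meta = {k: v.strip('"') for k, v in META_RE.findall(section(body, "meta"))}
        strs = [bytes.fromhex(h) if h else s.encode()
                for h, s in STR_RE.findall(section(body, "strings"))]
        rules.append(Rule(name, tag, meta.get("source", "custom"),
                          int(meta.get("weight", DEFAULT_WEIGHT)), strs,
                          "all of them" in section(body, "condition")))
    return rules

# Crude file-type identification by leading bytes (assumption; the appliance's
# identifier is far richer).
MAGIC = [(b"MZ", "exe"), (b"%PDF", "pdf"), (b"\x7fELF", "elf"), (b"PK\x03\x04", "zip")]

def identify(data: bytes) -> str:
    for magic, ftype in MAGIC:
        if data.startswith(magic):
            return ftype
    return "unk"

def ordered_rules(rules: List[Rule], ftype: str) -> List[Rule]:
    """Page order: FireEye common, FireEye type-specific, custom common, custom type-specific."""
    order = [("fireeye", "common"), ("fireeye", ftype), ("custom", "common"), ("custom", ftype)]
    return [r for src, ft in order for r in rules if r.source == src and r.file_type == ft]

def rule_matches(rule: Rule, data: bytes) -> bool:
    hits = [s in data for s in rule.strings]
    return all(hits) if rule.need_all else any(hits)

def scan(data: bytes, rules: List[Rule]) -> dict:
    ftype = identify(data)
    matched = [r for r in ordered_rules(rules, ftype) if rule_matches(r, data)]
    # Page: when several rules match, the rule with the highest weight is used.
    score = max((r.weight for r in matched), default=0)
    if score >= ALERT_THRESHOLD:
        verdict = "alert"       # weight reached 100
    elif matched:
        verdict = "riskware"    # 0..99: candidate for a riskware policy rule
    else:
        verdict = "clean"
    return {"file_type": ftype, "matched": [r.name for r in matched],
            "score": score, "verdict": verdict}

# Constructed sample files (not real malware).
SAMPLE_EXE = b"MZ\x90\x00" + b"This program cannot be run in DOS mode" + b"\x00" * 8 + b"cmd.exe /c echo"
SAMPLE_PDF = b"%PDF-1.7\n1 0 obj << /S /JavaScript /JS (app.alert(1)) >> endobj"
SAMPLE_TXT = b"plain text, nothing to see\n"
RULES = parse_rules(RULE_TEXT)

if __name__ == "__main__":
    for label, data in [("exe", SAMPLE_EXE), ("pdf", SAMPLE_PDF), ("txt", SAMPLE_TXT)]:
        print(label, scan(data, RULES))
```

Running the script shows the exe sample matching both the FireEye common rule and the custom exe-specific rule, in that order, and being scored 100 (alert); the PDF sample matches only the unweighted custom rule and lands in the 0 to 99 riskware band; the text file matches nothing.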

Unsupported File Types

YARA rules are not supported on this appliance for the following file types:

  • Custom YARA rules for base content do not support compressed file types, such as docx, ppsx, pptx, and xlsx.

Supported File Types

Starts With   File Types
Numeral       3gp, 7zip
A             a3x, ace, acrobatsecuritysettings, ahk, alz, apk, app, applet, arj, asf, au3, avi
B             bat, bz2
C             cab, cdf, chm, cmd, com, com1, csv
D             dll, dmg, doc, docm, docx, dual, dylib
E             eeml, eg, ehdr, elf, eml, empty, exe
F             fdf, flv
G             gen, gif, gz
H             hlp, hml, hta, htm, hwp, hwt
I             ico
J             jar, jpeg, jpg, js, jsp, jtd
L             lnk, lzh
M             mach-o, mht, mhtml, midi, mov, mp3, mp4, mpg, mpkg, msg, msi, mso
O             one
P             pdf, php, pkg, pl, png, pps, ppsx, ppt, pptx, ps1, pub, py
Q             qt
R             rar, rb, rm, rmi, rtf
S             scf, sct, sh, swf
T             tiff, tnef
U             unk, url, url-applet, uue
V             vbs, vcf, vcs
W             wav, war, wma, wsf
X             xdp, xls, xlsx, xml, xor, xps, xsl
Z             zip