Merge pull request #778 from avast/bug-vmprotect-too-broad-patterns

Remove too broad YARA rules for VMProtect packer detection.
avast · Jun 2, 2020 · 0fd0b6f · 0fd0b6f
2 parents 43de894 + 1946523
commit 0fd0b6f
Showing 1 changed file with 0 additions and 22 deletions.
diff --git a/support/yara_patterns/tools/pe/x86/packers.yara b/support/yara_patterns/tools/pe/x86/packers.yara
@@ -16747,28 +16747,6 @@ rule visual_protect_uv {
 		$1 at pe.entry_point
 }
 
-rule vmprotect_uv_01 {
-	meta:
-		tool = "P"
-		name = "VMProtect"
-		pattern = "68????????E8??????00"
-	strings:
-		$1 = { 68 ?? ?? ?? ?? E8 ?? ?? ?? 00 }
-	condition:
-		$1 at pe.entry_point
-}
-
-rule vmprotect_uv_02 {
-	meta:
-		tool = "P"
-		name = "VMProtect"
-		pattern = "68????????E8??????FF"
-	strings:
-		$1 = { 68 ?? ?? ?? ?? E8 ?? ?? ?? FF }
-	condition:
-		$1 at pe.entry_point
-}
-
 rule vmprotect_07x_08 {
 	meta:
 		tool = "P"