From 194652300651ff8213557b7fa144d162d295b79f Mon Sep 17 00:00:00 2001
From: Piotr Szczepanski
Date: Tue, 2 Jun 2020 11:14:33 +0200
Subject: [PATCH] Remove too broad YARA rules for VMProtect packer detection.

These patterns are very common in regular files and do not indicate the presence of VMProtect packer. In cpdetect module there is a heuristic check that verifies the same code alongside additional checks to ensure the detected packer is correct.
---
 .../yara_patterns/tools/pe/x86/packers.yara | 22 -------------------
 1 file changed, 22 deletions(-)

diff --git a/support/yara_patterns/tools/pe/x86/packers.yara b/support/yara_patterns/tools/pe/x86/packers.yara
index 6c769a41e..12a34d7c6 100644
--- a/support/yara_patterns/tools/pe/x86/packers.yara
+++ b/support/yara_patterns/tools/pe/x86/packers.yara
@@ -16747,28 +16747,6 @@ rule visual_protect_uv {
 $1 at pe.entry_point
 }
 
-rule vmprotect_uv_01 {
- meta:
- tool = "P"
- name = "VMProtect"
- pattern = "68????????E8??????00"
- strings:
- $1 = { 68 ?? ?? ?? ?? E8 ?? ?? ?? 00 }
- condition:
- $1 at pe.entry_point
-}
-rule vmprotect_uv_02 {
- meta:
- tool = "P"
- name = "VMProtect"
- pattern = "68????????E8??????FF"
- strings:
- $1 = { 68 ?? ?? ?? ?? E8 ?? ?? ?? FF }
- condition:
- $1 at pe.entry_point
-}
 rule vmprotect_07x_08 {
 meta:
 tool = "P"