From 194652300651ff8213557b7fa144d162d295b79f Mon Sep 17 00:00:00 2001
From: Piotr Szczepanski <piotr.szczepanski@avast.com>
Date: Tue, 2 Jun 2020 11:14:33 +0200
Subject: [PATCH] Remove too broad YARA rules for VMProtect packer detection.

These patterns are very common in regular files and do not indicate the presence of
VMProtect packer. In cpdetect module there is a heuristic check that verifies the
same code alongside additional checks to ensure the detected packer is correct.
---
 .../yara_patterns/tools/pe/x86/packers.yara   | 22 -------------------
 1 file changed, 22 deletions(-)

diff --git a/support/yara_patterns/tools/pe/x86/packers.yara b/support/yara_patterns/tools/pe/x86/packers.yara
index 6c769a41e..12a34d7c6 100644
--- a/support/yara_patterns/tools/pe/x86/packers.yara
+++ b/support/yara_patterns/tools/pe/x86/packers.yara
@@ -16747,28 +16747,6 @@ rule visual_protect_uv {
 		$1 at pe.entry_point
 }
 
-rule vmprotect_uv_01 {
-	meta:
-		tool = "P"
-		name = "VMProtect"
-		pattern = "68????????E8??????00"
-	strings:
-		$1 = { 68 ?? ?? ?? ?? E8 ?? ?? ?? 00 }
-	condition:
-		$1 at pe.entry_point
-}
-
-rule vmprotect_uv_02 {
-	meta:
-		tool = "P"
-		name = "VMProtect"
-		pattern = "68????????E8??????FF"
-	strings:
-		$1 = { 68 ?? ?? ?? ?? E8 ?? ?? ?? FF }
-	condition:
-		$1 at pe.entry_point
-}
-
 rule vmprotect_07x_08 {
 	meta:
 		tool = "P"