Deep Discovery Email Inspector supports YARA rules that follow version 3.10.0 of the official specifications. YARA rules are stored in plain text files that can be created using any text editor.
For more information about writing YARA rules, visit the following site:
https://yara.readthedocs.io/en/v3.10.0/writingrules.html
A YARA rule file must fulfill certain requirements before it can be added to Virtual Analyzer for malware detection:
-
File name must be unique
-
File content cannot be empty
The following example shows a simple YARA rule:
rule NumberOne { meta: desc = "Sonala" weight = 10 strings: $a = {6A 40 68 00 30 00 00 6A 14 8D 91} $b = {8D 4D B0 2B C1 83 C0 27 99 6A 4E 59 F7 F9} $c = "UVODFRYSIHLNWPEJXQZAKCBGMT" condition: $a or $b or $c }
The following table lists the different parts of the YARA rule and how they are used:
Part |
Usage |
---|---|
rule |
The YARA rule name. Must be unique and cannot contain spaces. |
meta: |
Indicates that the "meta" section begins. Parts in the meta section do not affect detection. |
desc |
Optional part that can be used to describe the rule. |
weight |
Optional part that must be between 1 and 10 that determines the risk level if rule conditions are met:
Note:
The weight value does not correspond to the risk level assigned by Deep Discovery Email Inspector. |
strings: |
Indicates that the "strings" section begins. Strings are the main means of detecting malware. |
$a / $b / $c |
Strings used to detect malware. Must begin with a $ character followed by one of more alphanumeric characters and underscores. |
condition: |
Indicates that the "condition" section begins. Conditions determine how your strings are used to detect malware. |
$a or $b or $c |
Conditions are Boolean expressions that define the logic of the rule. They tell the condition under which a submitted object satisfies the rule or not. Conditions can range from the typical Boolean operators and, or and not, to relational operators >=, <=, <, >, == and !=. Arithmetic operators (+, -, *, \, %) and bitwise operators (&, |, <<, >>, ~, ^) can be used on numerical expressions. |