Serious Discussion: Looking for Help with YARA Rules for My Open-Source Antimalware Scanner

eroniko

New Member
Thread author
Jul 19, 2020
5
Project: Antimalware Scanner with Multiple Detection Modules (Open Source)

Hi everyone,

As a hobby project, I developed an Antimalware Scanner, and I plan to share it as open-source on GitHub. Here are some details about the scanner:

  • Programming Languages: The project is developed using Python, C++, and Delphi.
  • Scanning Modules: It includes modules for NSRL whitelist, SSDEEP, TLSH, YARA rules, AI analysis, and digital signature checking.
  • For example, when scanning a file, it checks:
    • NSRL whitelist
    • Digital signature verification
    • SSDEEP database
    • TLSH database (using Annoy for fast lookup)
    • YARA rules database
    • Performs an AI-based scan
  • Based on the results of all these checks, it assigns an overall score to the file.
  • Kernel-level Hooking: The scanner also features kernel-level hooking for enhanced control.
  • Cloud Compatibility: It is designed to be compatible with cloud operations, although I haven't done detailed cloud testing yet.
Example Video of the Scan: A sample video of the scanning process is attached. Here are the steps performed during the scan of a single file:
  1. Querying 55 million entries in the NSRL whitelist database.
  2. Querying 1.5 million entries in the SSDEEP database.
  3. Querying 50,000 entries in the TLSH database.
  4. AI-based analysis.
  5. Querying 9,000 YARA rules.
(Note: The databases used may not contain fully reliable data.)

Computer Specifications Used for the Scan:

  • i3-9100f CPU
  • 16GB RAM
  • SSD
Question: I’m looking for a comprehensive YARA rule database. I tried using Nextron-Systems Thor Lite, but the .yas files are encrypted. I also downloaded YARA rules from Valhalla, but I encountered a lot of false positives, with many files being flagged as malware.

Does anyone have recommendations for a more reliable and advanced YARA rule database?

Thanks in advance for your suggestions!

Example Video of the Scan: Youtube Video

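As an added example (not the scanner's own code, which is not on the page), the following Python shows one way to do two things the post describes: fold the per-module results (NSRL whitelist, signature check, SSDEEP, TLSH, YARA, AI) into a single score, and calibrate a weight per YARA rule against a labelled corpus so that rules that fire on known-good files stop driving the verdict, which is the false-positive problem mentioned with the Valhalla rules. All file names, rule names, thresholds and weights are assumptions chosen for illustration; the SSDEEP/TLSH similarity values are taken as already computed by the lookup modules.

```python
"""Added example (not the scanner's own code): combine the per-module results
described in the post into one score, and calibrate YARA rule weights on a
labelled corpus so that rules firing on known-good files stop driving verdicts.
All file names, rule names, thresholds and weights below are assumptions."""
import hashlib
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Evidence:
    """What the individual modules reported for one file."""
    sha1: str
    signed_valid: bool                 # Authenticode chain verified OK
    ssdeep_similarity: int             # 0..100 vs. nearest known-bad ssdeep
    tlsh_distance: Optional[int]       # distance to nearest known-bad TLSH; None = no TLSH
    yara_rules: list = field(default_factory=list)  # names of rules that matched
    ai_probability: float = 0.0        # model output, 0..1


# Constructed stand-in for the NSRL hash set (real NSRL keys on SHA-1/MD5).
NSRL_WHITELIST = {hashlib.sha1(b"constructed clean sample").hexdigest()}

# Rules whose estimated precision falls below this are disabled (weight 0).
MIN_RULE_PRECISION = 0.2


def calibrate_yara(matches, known_good, known_bad):
    """Estimate a weight in [0,1] per rule from hits on a labelled corpus.

    matches: {rule_name: set(file_ids)} from running the rule set over the corpus.
    Weight = precision = bad hits / (bad hits + good hits). Rules that never hit
    a labelled file keep a neutral 0.5; rules below MIN_RULE_PRECISION get 0.
    """
    weights = {}
    for rule, files in matches.items():
        bad = len(files & known_bad)
        good = len(files & known_good)
        if bad + good == 0:
            weights[rule] = 0.5
            continue
        precision = bad / (bad + good)
        weights[rule] = precision if precision >= MIN_RULE_PRECISION else 0.0
    return weights


def score_file(ev, rule_weights):
    """Return (score 0..100, verdict). An NSRL hit short-circuits to clean."""
    if ev.sha1 in NSRL_WHITELIST:
        return 0, "whitelisted (NSRL)"
    score = 0.0
    if not ev.signed_valid:
        score += 10
    if ev.ssdeep_similarity >= 80:          # assumed ssdeep threshold
        score += 25
    if ev.tlsh_distance is not None and ev.tlsh_distance <= 50:  # assumed TLSH threshold
        score += 25
    # Rules absent from the calibration set count as neutral 0.5 each.
    yara_part = min(1.0, sum(rule_weights.get(r, 0.5) for r in ev.yara_rules))
    score += 25 * yara_part
    score += 15 * ev.ai_probability
    score = min(100, int(round(score)))
    if score >= 60:
        verdict = "malicious"
    elif score >= 30:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return score, verdict


# Constructed calibration corpus: which labelled files each (hypothetical) rule hit.
KNOWN_GOOD = {"good1", "good2", "good3", "good4"}
KNOWN_BAD = {"bad1", "bad2"}
YARA_MATCHES = {
    "Generic_Mimikatz_Strings": {"bad1", "bad2"},                 # precision 1.0
    "Suspicious_PE_Packer": {"good1", "good2", "good3", "bad1"},  # precision 0.25
    "Overly_Broad_UPX": {"good1", "good2", "good3", "good4"},     # precision 0.0 -> disabled
}
RULE_WEIGHTS = calibrate_yara(YARA_MATCHES, KNOWN_GOOD, KNOWN_BAD)


def demo():
    """Score three constructed files with the calibrated rule weights."""
    whitelisted = Evidence(sha1=hashlib.sha1(b"constructed clean sample").hexdigest(),
                           signed_valid=False, ssdeep_similarity=95, tlsh_distance=5,
                           yara_rules=["Generic_Mimikatz_Strings"], ai_probability=0.99)
    malicious = Evidence(sha1="0" * 40, signed_valid=False, ssdeep_similarity=92,
                         tlsh_distance=18,
                         yara_rules=["Generic_Mimikatz_Strings", "Overly_Broad_UPX"],
                         ai_probability=0.92)
    packed_clean = Evidence(sha1="1" * 40, signed_valid=True, ssdeep_similarity=10,
                            tlsh_distance=None, yara_rules=["Overly_Broad_UPX"],
                            ai_probability=0.05)
    return {name: score_file(ev, RULE_WEIGHTS)
            for name, ev in (("whitelisted", whitelisted), ("malicious", malicious),
                             ("packed_clean", packed_clean))}


if __name__ == "__main__":
    for name, (score, verdict) in demo().items():
        print(f"{name:13s} score={score:3d} verdict={verdict}")
```

The calibration step is the part worth keeping regardless of which rule feed is used: run the whole rule set over a corpus that is already labelled (NSRL-listed files and validly signed vendor binaries on one side, a vetted malware set on the other), record which rules fire where, and let each rule's measured precision decide how much it may contribute. A rule like the constructed `Overly_Broad_UPX` above, which hits only clean files, is then silenced without having to edit or delete it from the feed.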

Bot

AI-powered Bot
Apr 21, 2016
4,315
Hello,

Your project sounds impressive! For a comprehensive YARA rule database, you might want to consider using the YARA rules provided by the Yara-Rules project on GitHub. They have a good collection of rules, but remember that no database is perfect and false positives can occur. You might also want to consider developing your own rules based on your specific needs.

Good luck with your project!
 
