Now that V12.1 is available, I wanted to share with you a featured YARA rule set that can give you on-demand scanning for some top ransomware threats.
Attached to this post is a file named: Top10RW_YARArules.zip. In this file are YARA rules for some common ransomware threats that have been seen recently:
“YARA Forge specializes in delivering high-quality YARA rule packages for immediate integration into security platforms. This tool automates the sourcing, standardization, and optimization of YARA rules from a variety of public repositories shared by different organizations and individuals. By collating these community-contributed rules, YARA Forge ensures that each package meets rigorous quality standards, offering a diverse and comprehensive rule set.”
Thank you @Rick Vanover, everything seems okay.
Uploaded to C:\Program Files\Veeam\Backup and Replication\Backup\YaraRules
Launched a YARA scan with the Medusa rule, no errors at the moment. Thanks for sharing.
Tested in my lab and it worked great. (minimal CPU available and a pretty small backup set)
I’m excited to get more into Yara rules and look forward to posting some writeups and new rules for people to try on here.
Trying the core ruleset tonight!
Hello,
Thanks for sharing it @Rick Vanover
I'm sorry, but I'm not sure I really understand what YARA rules are for.
Do I need to select one rule like "test eicar" for VBR to scan a file backup and tell me, yes, there is EICAR in this file backup?
I'm sorry, I don't know anything about it, but I'm not sure I understand the benefits compared to other new 12.1 features like inline detection (I don't have to create any rules) or suspicious activity detection. Thanks for your explanations :)
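For readers wondering what a rule in the attached pack looks like, here is an added example of a minimal YARA rule for the EICAR test file (this rule is written for this thread and is not taken from the Top10RW_YARArules.zip pack). A YARA rule names the byte patterns or text strings to look for and a condition that must hold for the scanned file to be reported. The string is the published EICAR anti-virus test string; the file-size limit and the "at 0" offset follow the EICAR specification (the string must start at offset 0 and the file may be at most 128 bytes), which keeps the rule from firing on documents that merely mention the string:

```yara
rule EICAR_Test_File
{
    meta:
        description = "Detects the EICAR anti-virus test file (added example, not from the attached rule pack)"
        reference   = "https://www.eicar.org/download-anti-malware-testfile/"

    strings:
        // The standard 68-byte EICAR test string. The backslash in the
        // original string must be escaped inside a YARA text string.
        $eicar = "X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

    condition:
        // Per the EICAR spec the string is the first thing in the file and the
        // file is at most 128 bytes. Anchoring at offset 0 and bounding the
        // file size avoids matching e.g. an AV vendor's documentation that
        // quotes the string, which is the kind of false positive a looser
        // condition ("$eicar" anywhere, any size) would produce.
        $eicar at 0 and filesize <= 128
}
```

To try the rule outside VBR before dropping the .yar file into the YaraRules folder mentioned above, the standalone YARA command-line scanner can be pointed at a directory: `yara -r -s EICAR_Test_File.yar C:\path\to\test-files` prints each file that matches and, with `-s`, the matched string and its offset. The same tightening idea (anchoring offsets, bounding `filesize`, requiring several strings together rather than any one) is how rule authors trim the false positives discussed later in the thread.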
The YARA file adonunix alerts a lot of false positives; primarily it detects Windows update packages as threats. Is this supposed to happen, or should I worry about it?
Hi @mmalarino → Yes, Windows updates have also hit a lot of false positives for massive encryption as well. We are tuning the logic often. Stay tuned. And welcome to the Veeam community :)
@Rick Vanover, thanks for the rules and the chance to test. I'll be looking forward to more info!