On Sun 12/Aug/2018 14:04:06 +0200 Arnaud Jacques wrote:
>
>
> On 12/08/2018 at 13:59, Alessandro Vesely wrote:
>> On Sat 11/Aug/2018 19:43:34 +0200 G.w. Haywood wrote:
>>
>>> Hi there,
>>>
>>> On Sat, 11 Aug 2018, Alessandro Vesely wrote:
>>>
>>> Re: Keymarble Yara rule?
4d 5a 7
On Mon 13/Aug/2018 00:27:55 +0200 Al Varnell wrote:
> I don't quite understand why you think it might not detect it.
>
> Text strings are not required to have an even number of digits. The hex
> equivalent to that string would be: {62 63 39 [...] 34 30}. As
> long as the string appears in a file
Same here. I agree this rule is causing too many FPs to remain active.
Therefore I ended up whitelisting this rule.
> I now only run in report mode and not delete mode
I don't understand the wish to leave the decision of data destruction
to a third party software. My system should follow my rul
Sorry, I wasn't clear. I meant the malware sample, not your dummy.
-Al-
On Tue, Aug 14, 2018 at 11:24 AM, Alessandro Vesely wrote:
> On Mon 13/Aug/2018 00:27:55 +0200 Al Varnell wrote:
>
>> I don't quite understand why you think it might not detect it.
>>
>> Text strings are not required to ha