Yara-Rules/rules

antidebug_antivm.yar contains rules unrelated to antidebug and antivm

knowmalware opened this issue · 2 comments

Some of the rules in the antidebug_antivm.yar file look unrelated to anti-analysis: from inject_thread down, except for check_patchlevel and vmdetect_misc.

I propose a new Capabilities rule set that contains the rules that are not anti-analysis related. This rule set would be used for rules that identify capabilities of a file, for example network communication or bitcoin-related functionality. This provides a way to accept rules that do not cleanly fit in other rule sets in the repository.

Could you propose a pull request with the changes?

Thanks.