/YaraFileCheckerLib

Primary LanguageYARAMIT LicenseMIT

yara_file_cheсker

the library is designed to make it easier to check potentially malicious files and archives using YARA and make a decision about their harmfulness based on the weights of the detected rules

Config:

  • FileSizeLimitKb: !!int // limit: limit of summary checked files size (archived files included)
  • ArchiveDepthLimit: !!int // limit: how many nested archives we can check
  • ProcessingTimeLimitMs: !!int // limit: how much time to wait until stoping check
  • FilesCountLimit: !!int // limit: how many files in archive we can check
  • DangerousThreshold: !!int // setting: threshold, after reaching which (based on the sum of the weights of the yara rules that matched during file processing) a decision is made that the file is malicious and processing stops
  • YaraRuleScoreDefault: !!int // setting: the weight of the yara rule, unless otherwise specified in the score_ tag
  • ScanArchives: !!bool // setting: whether to scan archives. the 7z.dll library is required in the Resources folder
  • FastScan: !!bool // setting: yara fast scan
  • ArchiveFileTypes: array // setting - list of archive file extensions
  • ExecutableExtensions: array// setting - list of executable file extensions

Using:

var log = new SynchronousConsoleLog(); 
var fileChecker = new FileChecker();
var fileBytes = ReadFileBytes(sampleFilePath);
var fileObject = new FileObject(fileBytes, sampleFilePath); 
var scanMode = FileChecker.ScanMode.Mid; 
/*
rules from:
- Lite -  Resources/YaraRules/Lite
- Mid - Lite + Resources/YaraRules/Mid
- Hard - Mid + Resources/YaraRules/Hard
- Custom - Resources/YaraRules/custom. 
*/

var result = fileChecker.CheckFile(fileObject, scanMode, log); // FileScanResult со следующими свойствами%
/*
    ScanSuccessful - is scan successful (if not - check AdditionalInfo)
    YaraResults - list of ScanResult https://github.com/microsoft/libyara.NET/blob/master/libyara.NET/ScanResult.h
    AdditionalInfo
    FileName - file name/ filenames delimited with | in case of checking archives
    MatchedRules - list of matched rules names
    Executable - is executable/ archive contains one or more executables
    TotalScore - summ of yara rule scores (from tag score_XXX or from YaraRuleScoreDefault in config)
    Dangerous - is DangerousThreshold reached
*/