Merge pull request #778 from avast/bug-vmprotect-too-broad-patterns

s3rvac · web-flow · commit 0fd0b6f6e802 · 2020-06-02T13:52:54.000+02:00
Remove too broad YARA rules for VMProtect packer detection.
diff --git a/support/yara_patterns/tools/pe/x86/packers.yara b/support/yara_patterns/tools/pe/x86/packers.yara
@@ -16747,28 +16747,6 @@ rule visual_protect_uv {
 		$1 at pe.entry_point
 }
 
-rule vmprotect_uv_01 {
-	meta:
-		tool = "P"
-		name = "VMProtect"
-		pattern = "68????????E8??????00"
-	strings:
-		$1 = { 68 ?? ?? ?? ?? E8 ?? ?? ?? 00 }
-	condition:
-		$1 at pe.entry_point
-}
-
-rule vmprotect_uv_02 {
-	meta:
-		tool = "P"
-		name = "VMProtect"
-		pattern = "68????????E8??????FF"
-	strings:
-		$1 = { 68 ?? ?? ?? ?? E8 ?? ?? ?? FF }
-	condition:
-		$1 at pe.entry_point
-}
-
 rule vmprotect_07x_08 {
 	meta:
 		tool = "P"
