yara

"Main" YARA rule matches files that seem to not satisfy the private rule from the same ruleset


I run several rulesets using the VirusTotal "hunting" feature and I use private YARA rules to filter out false positives. For example:

private rule isDex
{
    meta:
        description = "To filter out DEX files that fire many FPs"

    strings:
        // "dex\n": the first four bytes of an Android DEX header
        $magicbytes = { 64 65 78 0A }

    condition:
        $magicbytes at 0
}

I refer to this rule with a not statement in another rule. This works as intended, I no longer get alerted on DEX files containing the strings I match on.

But another rule, that I refer to using the and statement, is being ignored. I also wrote another ruleset using that rule and I get the same results - the private rule is ignored and I am alerted on files matching the $a string, but not satisfying the isClassified rule.

global private rule isClassified
{
    meta:
        description = "to detect files with classification label"

    strings:
        $p1 = "internal only" ascii wide nocase fullword
        $p2 = "confidential" ascii wide nocase fullword
        $p3 = "private" ascii wide nocase fullword
        $p4 = "secret" ascii wide nocase fullword

    condition:
        any of them
}


rule DLFakeCompanyName
{
    meta:
        date = "2017-02-20"
        state = "edited 2x, testing"
        //to do: check for datasize, file format, keywords

    strings:
        $a = "fakecompanyname" nocase ascii wide fullword

    condition:
        // the private rule is referenced by name and evaluates to true/false
        isClassified and any of them
}

I tried both options, global private and just private, no difference. VT detects no syntax errors in either of the rulesets. I have never encountered this problem before, and that's why it confuses me - some private rules are accepted but others are ignored.

Is this an issue with VirusTotal (that's the only place where I use YARA rules) itself? Or am I missing something while writing the rules?


Solution

  • I eventually contacted VT support regarding this and apparently I missed a thing.

    Since the rule is private, the strings it matches are not getting highlighted in the VT intelligence preview, only the strings from DLFakeCompanyName are highlighted. But both rules are actually met, if one checks the matched files manually.
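The following ruleset is an added example, not code from the original question or from VirusTotal; the rule names reuse those above and the strings are placeholders. It combines the two patterns from the question in one file (a negative private filter referenced with not, a positive global private filter referenced with and) so that the point from the answer is visible: the private rules still gate the main rule, but only DLFakeCompanyName is reported and only its own $a string is highlighted, never $magic or $p1..$p4.

```yara
// Added example (not from the original post): one ruleset with a negative
// private filter, a positive global private filter and the main rule.
// Rule names and strings are illustrative placeholders.

private rule isDex
{
    meta:
        description = "Filter: Android DEX header ('dex\\n') at offset 0"

    strings:
        $magic = { 64 65 78 0A }

    condition:
        $magic at 0
}

global private rule isClassified
{
    meta:
        description = "Global: every non-global rule in this file can only match if this one matches"

    strings:
        $p1 = "internal only" ascii wide nocase fullword
        $p2 = "confidential" ascii wide nocase fullword
        $p3 = "private" ascii wide nocase fullword
        $p4 = "secret" ascii wide nocase fullword

    condition:
        any of them
}

rule DLFakeCompanyName
{
    meta:
        description = "Main rule: the only rule that appears in match output"

    strings:
        $a = "fakecompanyname" ascii wide nocase fullword

    condition:
        // Private rules are evaluated first and behave as booleans here.
        // "isClassified and" is redundant because the rule is global, but it
        // documents the intent and keeps working if "global" is ever dropped.
        not isDex and isClassified and $a
}
```

Two things to check when a ruleset like this seems to ignore a private rule: the referenced rule must be defined above the rule that uses it, and the match output (in VT or from the yara command line) lists only non-private rules and their strings, so a file that shows up with only $a highlighted has still satisfied isClassified and failed isDex.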