[clamav-users] WannaCry Homeland Security yara script. False positives?
Al Varnell
alvarnell at mac.com
Wed May 17 22:30:24 UTC 2017
I'm pretty certain that attachments are removed to prevent malware samples from being distributed here. Need a link to a server of some sort, such as PasteBin.
Sent from Janet's iPad
-Al-
--
Al Varnell
Mountain View, CA
On May 17, 2017, at 2:45 PM, Mark Foley wrote:
> Perhaps I'm missing it, but I didn't see any attachment.
>
> --Mark
>
> On 5/17/2017 1:46 PM, João Gouveia wrote:
>> Those rules are known for FP'ing a lot.
>> Here's a different set you might want to check, courtesy of ReversingLabs (attached).
>>
>> On Wed, May 17, 2017 at 6:10 AM, Mark Foley wrote:
>>> I added the yara script published by Homeland security to the clamav
>>> database directory. I believe I am getting a substantial number of false
>>> positives on this including messages containing PDF and JPG attachments,
>>> the latter known to be OK.
>>>
>>> $ clamscan "/home/HPRS/mpress/Maildir/.Sent Items/cur/1486141726.M192155P10931.mail,S=188385,W=191025:2,S"
>>> /home/HPRS/mpress/Maildir/.Sent Items/cur/1486141726.M192155P10931.mail,S=188385,W=191025:2,S: YARA.Wanna_Cry_Ransomware_Generic.UNOFFICIAL FOUND
>>>
>>> ----------- SCAN SUMMARY -----------
>>> Known viruses: 6284977
>>> Engine version: 0.99.2
>>> Scanned directories: 0
>>> Scanned files: 1
>>> Infected files: 1
>>> Data scanned: 0.95 MB
>>> Data read: 0.18 MB (ratio 5.42:1)
>>> Time: 7.567 sec (0 m 7 s)
>>>
>>> Is anyone else using this rule seeing this?
>>>
>>> --Mark
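The `.UNOFFICIAL` suffix in Mark's scan output is what ClamAV appends to signatures loaded from third-party files (such as a `.yar` rule placed in the database directory), so it is the first thing to key on when triaging hits from an imported rule. The following script is an added example, not code from this thread or from the ClamAV project: it parses `path: SIGNATURE FOUND` lines from clamscan output, groups hits by signature and by the extension of the file that triggered them, flags unofficial rules that fire across several unrelated file types (a PDF, a JPEG and a mail file matching the same ransomware rule is a strong false-positive signal), and emits the whitelist lines an admin can drop into the database directory for files verified clean: a `.fp` entry (`MD5:size:signature`) and an `.ign2` entry naming the signature. The sample output, paths and the clean-file bytes are constructed; the Maildir-style `,S=...` suffix mirrors the names in the thread.

```python
"""Triage clamscan output for hits from locally added YARA rules.

Added example (not from the clamav-users thread or the ClamAV project).
Parses "path: SIGNATURE FOUND" lines, summarizes which file types each
signature fired on, and builds .fp / .ign2 whitelist lines for files an
admin has confirmed are benign. All sample data below is constructed.
"""

import hashlib
import re
from collections import defaultdict

# Constructed sample of clamscan output. Paths, the unofficial YARA hit and
# the official-looking signature name are hypothetical illustrations.
SAMPLE_OUTPUT = """\
/srv/mail/cur/msg1.mail,S=188385: YARA.Wanna_Cry_Ransomware_Generic.UNOFFICIAL FOUND
/srv/mail/cur/msg2.mail,S=10233: OK
/srv/mail/cur/report.pdf: YARA.Wanna_Cry_Ransomware_Generic.UNOFFICIAL FOUND
/srv/mail/cur/photo.jpg: YARA.Wanna_Cry_Ransomware_Generic.UNOFFICIAL FOUND
/srv/mail/cur/dropper.exe: Example.Official.Sig-0 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 6284977
Infected files: 4
"""

# clamscan prints "path: SIGNATURE FOUND". Maildir file names contain colons
# and commas, so the path is matched lazily and the signature is anchored to
# the trailing " FOUND".
HIT_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")


def parse_hits(output):
    """Return (path, signature) tuples for every FOUND line in the output."""
    hits = []
    for line in output.splitlines():
        m = HIT_RE.match(line)
        if m:
            hits.append((m.group("path"), m.group("sig")))
    return hits


def is_unofficial(sig):
    """ClamAV tags signatures loaded from third-party files with .UNOFFICIAL."""
    return sig.endswith(".UNOFFICIAL")


def file_extension(path):
    """Lower-case extension of the scanned file, ignoring Maildir ',S=...' tags."""
    name = path.rsplit("/", 1)[-1].split(",", 1)[0]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def summarize(hits):
    """Map each signature to the sorted list of extensions it fired on."""
    by_sig = defaultdict(set)
    for path, sig in hits:
        by_sig[sig].add(file_extension(path))
    return {sig: sorted(exts) for sig, exts in by_sig.items()}


def flag_broad_rules(summary, min_types=2):
    """Unofficial signatures that hit at least min_types distinct file types.

    A ransomware rule matching mail, PDF and JPEG files alike almost always
    means its strings are too generic, which is the symptom reported above.
    """
    return sorted(
        sig for sig, exts in summary.items()
        if is_unofficial(sig) and len(exts) >= min_types
    )


def fp_line(clean_bytes, sig):
    """Whitelist entry for a verified-clean file, in ClamAV .fp format
    (MD5:size:signature), which is also what `sigtool --md5` prints."""
    return f"{hashlib.md5(clean_bytes).hexdigest()}:{len(clean_bytes)}:{sig}"


def ign2_line(sig):
    """Entry for a .ign2 file, which tells ClamAV to ignore a signature by name."""
    return sig


if __name__ == "__main__":
    hits = parse_hits(SAMPLE_OUTPUT)
    summary = summarize(hits)
    for sig, exts in summary.items():
        tag = "UNOFFICIAL" if is_unofficial(sig) else "official"
        print(f"{sig} [{tag}] fired on: {', '.join(exts)}")
    for sig in flag_broad_rules(summary):
        print(f"suspect rule: {sig}")
        # Constructed stand-in for a file the admin has verified as clean.
        print("  local.fp  :", fp_line(b"hello", sig))
        print("  local.ign2:", ign2_line(sig))
```

Run it against a real log with `clamscan -r Maildir > scan.log` and feed the file contents to `parse_hits`. The `.fp` route is the narrow fix (one known-good file stays quiet while the rule keeps working elsewhere); `.ign2` silences the whole rule and is the right choice once `flag_broad_rules` shows it matching across unrelated file types. Both files are read by ClamAV from the database directory alongside the imported `.yar`; the format strings are from the ClamAV signature documentation as I understand it, so check them against your engine's version before relying on them.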