Endpoint Protection


Use Yara Rules in SEP 12.1.6?

  • 1.  Use Yara Rules in SEP 12.1.6?

    Posted May 13, 2016 12:52 PM

    I've just stumbled across these things called Yara rules. The way I understand it, they are rules that allow us to scan files and then identify the type of malware, or whether in fact they are malware, and then suggest a classification. I see that Symantec already uses them. 

    So are they for identifying zero-day exploits that Symantec has not yet released signatures for? If so, where would I enter Yara rules I get from a security bulletin? 

    Or am I completely wrong about what they are?



  • 2.  RE: Use Yara Rules in SEP 12.1.6?

    Posted May 13, 2016 01:00 PM

    Where did you see that for SEP? SEP custom IPS signatures use the SNORT syntax. YARA is just a tool to search for IOCs on a machine, but it doesn't integrate with SEP in any way.



  • 3.  RE: Use Yara Rules in SEP 12.1.6?

    Posted May 13, 2016 01:28 PM

    Thanks Brian! Always one of the first to respond. 

    Towards the bottom: https://plusvic.github.io/yara/ (Who's using YARA)

    We were sent a security bulletin with several CVEs and Yara rules from a security audit firm. Their bulletin says to use Yara rules for network defense. I figured I could punch those into Symantec somewhere, but I guess not.

     



  • 4.  RE: Use Yara Rules in SEP 12.1.6?

    Posted May 13, 2016 01:29 PM

    Never heard of such a thing being used in SEP.



  • 5.  RE: Use Yara Rules in SEP 12.1.6?

    Posted May 13, 2016 01:33 PM

    Nope, unfortunately not.

    YARA is a standalone tool and doesn't integrate with SEP. Great tool though.



  • 6.  RE: Use Yara Rules in SEP 12.1.6?

    Posted May 13, 2016 01:37 PM

    So you install a Yara editor on a PC and create rules, and then run the rules against a file to see if it's infected?



  • 7.  RE: Use Yara Rules in SEP 12.1.6?

    Posted May 13, 2016 01:43 PM

    Can I use Symantec to block these files, and how?

    Filename        MD5                               Notes
    m64.exe         3517b5d972955f86e02c5abe2a1693bd  64-bit version of Mimikatz
    mimi_morph.exe  afa6d09443ed9414e7ac395b77ec3144  32-bit version of Mimikatz
    wu.ps1          59cdaabe07f5ae504cc83def99fd7fe3  PowerShell script to push out Mimikatz
    LogonUI.exe     7170ea924e749b4c9e26120ba5e72264  Python executable backdoor
    LogonUI.exe     cc11b319bd53208649eb699045bd5053  Unpacked executable



  • 8.  RE: Use Yara Rules in SEP 12.1.6?
    Best Answer

    Posted May 13, 2016 01:45 PM

    Yes, you can use an application control policy to block the hashes.



  • 9.  RE: Use Yara Rules in SEP 12.1.6?
    Best Answer

    Posted May 13, 2016 01:46 PM

    Yeah, you can download a Windows version as well:

    https://plusvic.github.io/yara/

    I'd start with the documentation, it's pretty solid.

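As an added example (not from the bulletin, from anyone in this thread, or from Symantec), here is how the indicators listed in post 7 would be written as YARA rules and run with the standalone Windows binary that post 9 points to, since SEP cannot ingest them directly. The MD5 values are the ones listed above; the two strings in the second rule are assumed to be the banner strings carried by stock Mimikatz builds and are an illustration of a content-based rule, not indicators taken from the bulletin.

```yara
// Example rules added to illustrate this thread; not from the bulletin or from Symantec.
// Run with the standalone YARA binary, for example:
//   yara64.exe -r bulletin_iocs.yar C:\Users
// (-r recurses into subdirectories; add -s to print the matched strings.)

import "hash"

// Rule 1: exact match on the MD5 hashes listed in post 7.
// Same idea as the SEP application control hash block from post 8, but as a
// detection rule you can sweep a disk with. A hash rule only catches these
// exact files: a recompiled or repacked build (the name mimi_morph.exe
// suggests exactly that) has a different MD5 and is missed.
rule Bulletin_IOC_MD5
{
    meta:
        description = "File MD5 matches one of the hashes from the security bulletin quoted in post 7"
        source      = "hashes copied from post 7 of this thread"

    condition:
        // Size cap so the hash module does not grind through huge files
        filesize < 50MB and
        (
            hash.md5(0, filesize) == "3517b5d972955f86e02c5abe2a1693bd" or  // m64.exe, 64-bit Mimikatz
            hash.md5(0, filesize) == "afa6d09443ed9414e7ac395b77ec3144" or  // mimi_morph.exe, 32-bit Mimikatz
            hash.md5(0, filesize) == "59cdaabe07f5ae504cc83def99fd7fe3" or  // wu.ps1, PowerShell pusher
            hash.md5(0, filesize) == "7170ea924e749b4c9e26120ba5e72264" or  // LogonUI.exe, Python backdoor
            hash.md5(0, filesize) == "cc11b319bd53208649eb699045bd5053"     // LogonUI.exe, unpacked
        )
}

// Rule 2: content-based, which is what YARA is actually for.
// Assumed indicators: the tool name and author handle that stock Mimikatz
// builds carry as ASCII or wide (UTF-16) strings. Example only; a build that
// strips or rewrites its banner will not match, and legitimate tooling that
// mentions Mimikatz by name can false-positive, so treat hits as leads.
rule Mimikatz_Banner_Strings
{
    meta:
        description = "PE file carrying stock Mimikatz banner strings (assumed indicators, example only)"

    strings:
        $s1 = "mimikatz"   ascii wide nocase
        $s2 = "gentilkiwi" ascii wide

    condition:
        uint16(0) == 0x5A4D and   // "MZ": only look at PE files
        all of them
}
```

YARA prints one line per hit in the form `<rule name> <path>`. Because SEP cannot consume these rules, a hit on an endpoint is what you would then turn into an application control hash block (as in post 8) or submit to Symantec for a signature; the rule itself does not block anything.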


  • 10.  RE: Use Yara Rules in SEP 12.1.6?

    Posted May 20, 2016 01:56 PM

    Hey Brian, I created an application control policy, blocked the MD5 hashes in it, and assigned it to a group. How can I check on an individual client whether that application control policy has been updated on the PC?



  • 11.  RE: Use Yara Rules in SEP 12.1.6?

    Posted May 20, 2016 02:30 PM

    On your SEP client, go to Help >> Troubleshooting; under General Information you will find the Policy Serial Number.

    You'll need to compare that with the one in the SEPM to ensure they match.