Windows Defender reports YARA rules file as infected with Virus

Hi,
I’m a newbie to the ROCK world and was wondering if someone could shed some light on the following:

Windows Defender has reported that the file misc_hexascii_pe_in_html.yara is infected with “VBS/Ramnit.gen!A” virus. I assume this is because the file is used for malware pattern matching.
Any information is greatly appreciated.
Thanks
Mike

Funny, this is the 2nd time I’ve seen Windows Defender flagging on this kind of thing today.

That said, yes, this is flagging on the YARA conditions as this is just a text file.

On your CentOS box, you can run file misc_hexascii_pe_in_html.yara (which detects a Windows PE file in HTML) and your result should be something like this.

file misc_hexascii_pe_in_html.yara
misc_hexascii_pe_in_html.yara: unified diff output text, ASCII text
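As an added example (not code from this thread or from the ROCK project), the check below does offline what Andy's `file` command does on the CentOS box, and a little more: it confirms the flagged file is plain ASCII text, that it carries YARA rule syntax, and lists the long hex-ASCII literals an AV signature is most likely matching. The rule body is constructed for illustration; the real contents of misc_hexascii_pe_in_html.yara are not on the page.

```python
import re
import string

# Constructed stand-in for misc_hexascii_pe_in_html.yara (assumption: the
# real rule's contents are not shown in the thread).
SAMPLE_RULE = r'''rule misc_hexascii_pe_in_html
{
    strings:
        $html = "<html" nocase
        $mz   = "4d5a90000300000004000000ffff0000" nocase
        $pe   = "50450000" nocase
    condition:
        $html and $mz and $pe
}
'''

PRINTABLE = set(string.printable)


def is_plain_ascii_text(data: bytes) -> bool:
    """Same question `file` answers: is every byte printable ASCII?"""
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return False
    return all(ch in PRINTABLE for ch in text)


def looks_like_yara(text: str) -> bool:
    """A YARA source file is a rule block with strings and a condition."""
    return bool(re.search(r"rule\s+\w+\s*\{.*?condition\s*:.*?\}", text, re.S))


def hex_signature_literals(text: str, min_len: int = 8) -> list:
    """Quoted strings that are long hex-ASCII runs: the literal PE fragments
    inside the rule text that an AV engine is likely to match on."""
    literals = re.findall(r'"([^"\\]*)"', text)
    return [s for s in literals
            if len(s) >= min_len and re.fullmatch(r"[0-9a-fA-F]+", s)]


def triage_flagged_rule(data: bytes) -> dict:
    """What a defender needs to decide the AV hit is a signature file, not
    executable content: text-only, YARA-shaped, and which literals stand out."""
    text = data.decode("ascii", errors="replace")
    return {
        "plain_ascii_text": is_plain_ascii_text(data),
        "yara_syntax": looks_like_yara(text),
        "hex_literals": hex_signature_literals(text),
    }


if __name__ == "__main__":
    print(triage_flagged_rule(SAMPLE_RULE.encode()))
```

Point it at the real file with `triage_flagged_rule(open(path, "rb").read())`; a true binary hit would fail the first check immediately.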

Thanks, Andy. I appreciate your response.
