On the 27th of November Bitdefender announced General Availability (GA) for YARA rules capabilities to GravityZone. With the addition of YARA rules into the GravityZone platform, security teams are empowered to create finely tuned and organization-specific detection patterns. This not only strengthens your organization’s ability to detect known threats but also increases its resilience against emerging risks such as zero-day vulnerabilities and sophisticated malware variants.
YARA Rules
YARA stands for Yet Another Recursive Acronym and was developed by Victor Alvarez. YARA rules are a pattern-matching mechanism used for identifying and classifying data or files based on specified conditions. These conditions are written in a specialized YARA rule language, allowing for precise and customizable detection rules. When a system scans files or data, it checks them against these rules to identify matches, triggering specific actions or alerts when a match is found. YARA rules are like digital detectives’ instructions. They tell an agent on the computer what to look for in files or data. If the agent finds a match, it can sound an alarm. YARA rules can be valuable assets for:
- Zero-day Detection: Security teams can create rules that detect vulnerable software that was not patched by the manufacturer or malware that tries to exploit it
- Threat Hunting: Yata rules can be used for proactive threat hunting by searching for specific patterns, and IoC (Indicators of Compromise) to identify threats that may have gone undetected by traditional security tools.
- Customer Security Policy: YARA rules can be used to enforce specific policies, for example blocking files with specific characteristics.
- Forensic and Incident Response: YARA rules can be applied to identify files/artifacts associated with known threats to identify and stop security incidents.
- Signature-based Detection: administrators can create signatures for known malware to scan for specific patterns associated with malicious software.
Now you have the flexibility to create customs rules or acquire pre-existing ones from various publicly accessible repositories. Security experts and professionals frequently distribute YARA rules for recently identified threats on social media platforms such as Twitter or Reddit. Additionally, these YARA rules can be freely accessed and downloaded from repositories like GitHub or specialized vendors, some of whom may provide their YARA rules as part of paid subscription services.
With Bitdefender GravityZone, you receive YARA available for Microsoft, macOS and Linux operation systems under an EDR subscription. The configuration is available directly in GravityZone under Custom detection rules.
The YARA rule operates in two modes On-Access and On-Demand.
On-access scanning generates incidents and alerts based on the rules that match the configured file pattern. For example, if a YARA rule is designed to detect a specific malware signature within files, on-access scanning would trigger an alert whenever a file with the matching signature is accessed or executed in real-time by any user or process.
On-Demand is a manual scan that generates alerts in the History search section and scan log within the Endpoint details. For instance, if you wish to conduct a scan of the entire disk or specific folders to search for IOC such as a specific file hash, they have the flexibility to initiate this scan at any time.
It is important to note that both modes operate strictly in a “Report only” capacity.
You have full capabilities to review the incident generated by YARA rules under the Incidents sections in GravityZone.
Summary
With YARA rules integration into GravityZone, we are enhancing XDR capabilities for customized threat detection patterns.
With flexibility and customizable YARA rules your security analysts can proactively identify and thwart malicious activity, thereby mitigating the risks associated with data breaches, zero-day vulnerability and advanced malware.
Learn more about Bitdefender GravityZone.