Comment out PEiD Armadillo v1.71 yara rules

This signature is a false positive
malice-plugins · Oct 30, 2018 · 0bedca3 · 0bedca3
1 parent a3774c9
commit 0bedca3
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 4 deletions.
diff --git a/rules/peid-userdb-rules-with-pe-module.yara b/rules/peid-userdb-rules-with-pe-module.yara
@@ -1519,7 +1519,8 @@ rule PEiD_00137_Armadillo_v1_60a_
         $a at pe.entry_point
 }
 
-rule PEiD_00138_Armadillo_v1_71_
+// Disabled due to false positives
+/*rule PEiD_00138_Armadillo_v1_71_
 {
     meta:
         description = "[Armadillo v1.71]"
@@ -1528,7 +1529,7 @@ rule PEiD_00138_Armadillo_v1_71_
         $a = {55 8B EC 6A FF 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 64 A1}
     condition:
         $a
-}
+}*/
 
 rule PEiD_00139_Armadillo_v1_72___v1_73_
 {

diff --git a/rules/userdb_panda.yar b/rules/userdb_panda.yar
@@ -2794,15 +2794,16 @@ rule _aPack_v098_m_
 		$0
 }
 
-rule _Armadillo_v171_
+// Disabled due to false positives
+/*rule _Armadillo_v171_
 {
 	meta:
 		description = "Armadillo v1.71"
 	strings:
 		$0 = {55 8B EC 6A FF 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 64 A1}
 	condition:
 		$0 at entrypoint
-}
+}*/
 
 rule _yodas_Crypter_13__Ashkbiz_Danehkar_
 {