Clean up remaining false positives for new packages (#1039)

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

Author: egibs

rules/evasion/mimicry/fake-process.yara

@@ -6,6 +6,7 @@ rule fake_kworker: critical linux {
     $kworker1 = /\[{0,1}kworker\/[\w\%:\-\]]{1,16}/
     $kworker2 = "[kworker"
 
+    $not_dockworker      = "dockworker/MS"
     $not_rescue          = "kworker/R-%s"
     $not_psutil_comment1 = "root           4   0.0    0.0B    0.0B   -20   idle  Mar27  00:00  kworker/0:0H"
     $not_psutil_comment2 = "root       20414   0.0    0.0B    0.0B         idle  Apr04  00:00  kworker/4:2"

rules/exec/remote_commands/code_eval.yara

@@ -231,8 +231,10 @@ rule php_at_eval: critical {
     filetypes   = "php"
 
   strings:
-    $at_eval   = /@\beval\s{0,32}\(\s{0,32}(\$\w{0,32}|\.\s{0,32}"[^"]{0,32}"|\.\s{0,32}'[^']{0,32}'|\w+\(\s{0,32}\))/
-    $not_empty = "eval()"
+    $at_eval      = /@\beval\s{0,32}\(\s{0,32}(\$\w{0,32}|\.\s{0,32}"[^"]{0,32}"|\.\s{0,32}'[^']{0,32}'|\w+\(\s{0,32}\))/
+    $not_empty    = "eval()"
+    $not_phpunit1 = "This file is part of PHPUnit."
+    $not_phpunit2 = "(c) Sebastian Bergmann <sebastian@phpunit.de>"
 
   condition:
     $at_eval and none of ($not*)

rules/impact/cryptojacking/competitive.yara

@@ -4,13 +4,13 @@ rule killer_miner_panchansminingisland: critical {
     filetypes   = "elf"
 
   strings:
-    $ = "killer"
-    $ = "miner"
-    $ = "p2p"
-    $ = "protector"
-    $ = "rootkit"
-    $ = "spreader"
-    $ = "updater"
+    $ = "killer" fullword
+    $ = "miner" fullword
+    $ = "p2p" fullword
+    $ = "protector" fullword
+    $ = "rootkit" fullword
+    $ = "spreader" fullword
+    $ = "updater" fullword
 
     $not_pypi_index = "testpack-id-lb001"