chore(rules): 2026/04/15 FPR

rules/anti-static/obfuscation/padding.yara

@@ -14,6 +14,8 @@ rule msxml2_http: critical {
     $not_yui3     = "version: 2.6.0"
     $not_yui4     = "YAHOO.util.Connect={_msxml_progid:[\"Microsoft.XMLHTTP\",\"MSXML2.XMLHTTP.3.0\",\"MSXML2.XMLHTTP\"]"
     $not_yui5     = "if(typeof YAHOO==\"undefined\"||!YAHOO){var YAHOO={};}YAHOO.namespace=function()"
+    $not_dojo1    = "dojotoolkit.org"
+    $not_dojo2    = "dojo.xd.js"
 
   condition:
     filesize < 128KB and $a and !a > 32 and none of ($not*)

rules/evasion/mimicry/fake-process.yara

@@ -7,6 +7,7 @@ rule fake_kworker: critical linux {
     $kworker2 = "[kworker"
 
     $not_bpftrace_comment1 = " * 03:14:49 496    kworker/1:0H     md0"
+    $not_bpftrace_script   = "bpftrace" fullword
     $not_dockworker        = "dockworker/MS"
     $not_f2fs_h1           = "* fs/f2fs/f2fs.h"
     $not_f2fs_h2           = "#ifndef _LINUX_F2FS_H"

rules/exfil/stealer/wallet.yara

@@ -38,9 +38,12 @@ rule crypto_stealer_names: critical {
     $gpt_tokenizer3  = "const bpe = c0.concat();"
     $gpt_tokenizer4  = "const bpe = c0.concat(c1);"
     $gpt_tokenizer5  = "export default bpe;"
+    $bpe_tokenizer1  = "cl100k_base"
+    $bpe_tokenizer2  = "o200k_base"
+    $bpe_tokenizer3  = "p50k_base"
 
   condition:
-    filesize < 100MB and $http and 2 of ($w*) and none of ($not*) and none of ($gpt_tokenizer*)
+    filesize < 100MB and $http and 2 of ($w*) and none of ($not*) and none of ($gpt_tokenizer*) and none of ($bpe_tokenizer*)
 }
 
 rule crypto_extension_stealer: critical {

rules/false_positives/adminer.yara

@@ -0,0 +1,13 @@
+rule adminer_php: override {
+  meta:
+    description          = "adminer.php - legitimate database management tool"
+    webshell_adminer_4_7 = "harmless"
+
+  strings:
+    $adminer_header = "Adminer - Compact database management"
+    $adminer_org    = "https://www.adminer.org/"
+    $adminer_author = "Jakub Vrana"
+
+  condition:
+    filesize < 1MB and all of them
+}

rules/false_positives/crossplane.yara

@@ -0,0 +1,12 @@
+rule crossplane_aws_provider: override {
+  meta:
+    description              = "provider-aws-* crossplane-contrib/provider-upjet-aws Go binary"
+    RUSSIANPANDA_Mintsloader = "harmless"
+
+  strings:
+    $upjet_build = "crossplane-contrib/provider-upjet-aws/internal/version"
+    $upbound     = "github.com/upbound/provider-aws/v2"
+
+  condition:
+    filesize > 100MB and filesize < 1500MB and all of them
+}

rules/false_positives/datadog.yara

@@ -12,3 +12,21 @@ rule default_policy: override {
   condition:
     filesize < 256KB and all of them
 }
+
+rule datadog_agent_binary: override {
+  meta:
+    description               = "datadog-agent binary"
+    binary_url_with_question  = "medium"
+    iplookup_website          = "medium"
+    etc_ld_preload_not_ld     = "medium"
+    ipinfo_and_bash           = "medium"
+    linux_network_filter_exec = "medium"
+    go_memfd_create           = "medium"
+
+  strings:
+    $datadog_module = "github.com/DataDog/datadog-agent"
+    $datadoghq      = "datadoghq.com"
+
+  condition:
+    filesize < 500MB and all of them
+}

rules/false_positives/gemini_cli.yara

@@ -0,0 +1,17 @@
+rule gemini_cli_third_party: override {
+  meta:
+    description                 = "gemini-cli bundled third-party npm dependencies"
+    exotic_tld                  = "low"
+    iplookup_website            = "low"
+    browser_extension_installer = "low"
+    obfuscated_payload          = "low"
+    bash_persist                = "low"
+    bash_persist_persistent     = "low"
+
+  strings:
+    $gemini_module = "@google/gemini-cli"
+    $gemini_core   = "gemini-cli-core"
+
+  condition:
+    filesize < 100MB and all of them
+}

rules/false_positives/grub.yara

@@ -0,0 +1,11 @@
+rule grub_boot_images: override {
+  meta:
+    description     = "GRUB i386-pc boot images"
+    single_load_rwe = "medium"
+
+  strings:
+    $grub = "GRUB"
+
+  condition:
+    filesize < 64KB and $grub
+}

rules/false_positives/kuma.yara

@@ -0,0 +1,12 @@
+rule kuma_cp: override {
+  meta:
+    description  = "kuma-cp - Kuma service mesh control plane"
+    ESET_Kobalos = "harmless"
+
+  strings:
+    $kuma_module = "github.com/kumahq/kuma"
+    $kuma_io     = "kuma.io"
+
+  condition:
+    filesize < 250MB and all of them
+}

rules/false_positives/nltk.yara

@@ -0,0 +1,13 @@
+rule nltk_test_pathsec: override {
+  meta:
+    description                         = "nltk/test/unit/test_pathsec.py"
+    ELCEEF_Obfuscated_IP_Address_In_URL = "harmless"
+
+  strings:
+    $test_pathsec    = "test_pathsec"
+    $nltk_pathsec    = "nltk.pathsec"
+    $nltk_downloader = "nltk.downloader"
+
+  condition:
+    filesize < 64KB and all of them
+}

rules/false_positives/stress_ng.yara

@@ -0,0 +1,17 @@
+rule stress_ng: override {
+  meta:
+    description       = "/usr/bin/stress-ng"
+    dev_shm_file      = "medium"
+    bpfdoor_alike     = "medium"
+    kmem              = "medium"
+    multiple_gcc      = "harmless"
+    multiple_gcc_high = "medium"
+
+  strings:
+    $stress_version = "stress-ng-version"
+    $stress_dev_shm = "/dev/shm/stress-dev-shm-"
+    $stressor       = "stressor" fullword
+
+  condition:
+    filesize < 25MB and all of them
+}

rules/false_positives/tigera_operator.yara

@@ -0,0 +1,19 @@
+rule tigera_operator: override {
+  meta:
+    description                                                     = "tigera-operator (Calico networking) Go binary"
+    SIGNATURE_BASE_WEBSHELL_H4Ntu_Shell_Powered_Tsoi                = "harmless"
+    SIGNATURE_BASE_Ironshell_Php                                    = "harmless"
+    SIGNATURE_BASE_Lamashell_Php                                    = "harmless"
+    SIGNATURE_BASE_Safe0Ver_Shell__Safe_Mod_Bypass_By_Evilc0Der_Php = "harmless"
+    SIGNATURE_BASE_Ru24_Post_Sh_Php_Php                             = "harmless"
+    SIGNATURE_BASE_Simple_Cmd_Html                                  = "harmless"
+    SIGNATURE_BASE_Webshell_Ru24_Post_Sh                            = "harmless"
+    SIGNATURE_BASE_Webshell_Simple_Cmd                              = "harmless"
+
+  strings:
+    $tigera_module = "github.com/tigera/operator"
+    $calico_api    = "github.com/tigera/api/pkg/apis/projectcalico"
+
+  condition:
+    filesize < 250MB and all of them
+}

rules/false_positives/torch_C.yara

@@ -0,0 +1,12 @@
+rule torch_C_cpython: override {
+  meta:
+    description      = "torch/_C.cpython-*-linux-gnu.so"
+    upx_elf_tampered = "medium"
+
+  strings:
+    $pytorch = "PyTorch"
+    $torch_c = "torch._C"
+
+  condition:
+    filesize < 500MB and all of them
+}

rules/false_positives/wazuh.yara

@@ -0,0 +1,14 @@
+rule wazuh_policy_monitoring: override {
+  meta:
+    description              = "wazuh-dashboard policy-monitoring.js sample data"
+    hidden_short_path_system = "low"
+    hidden_short_path_temp   = "low"
+    rootkit                  = "low"
+
+  strings:
+    $wazuh_dashboard   = "wazuh-dashboard"
+    $policy_monitoring = "policy-monitoring"
+
+  condition:
+    filesize < 5MB and all of them
+}

third_party/yara/elastic/MacOS_Trojan_XScreen.yar

@@ -13,11 +13,11 @@ rule MacOS_Trojan_XScreen_7837ad6c {
         license = "Elastic License v2"
         os = "macos"
     strings:
-        $a1 = "/Users/Shared/._cfg" ascii fullword
-        $a2 = "base64EncodedStringWithOptions:" ascii fullword
-        $a3 = "/private/tmp/google_cache.db" ascii fullword
-        $a4 = "[hyphen]" ascii fullword
-        $a5 = "generalPasteboard" ascii fullword
+        $a1 = { 2F 55 73 65 72 73 2F 53 68 61 72 65 64 2F 2E 5F 63 66 67 }
+        $a2 = { 62 61 73 65 36 34 45 6E 63 6F 64 65 64 53 74 72 69 6E 67 57 69 74 68 4F 70 74 69 6F 6E 73 3A }
+        $a3 = { 2F 70 72 69 76 61 74 65 2F 74 6D 70 2F 67 6F 6F 67 6C 65 5F 63 61 63 68 65 2E 64 62 }
+        $a4 = { 5B 68 79 70 68 65 6E 5D }
+        $a5 = { 67 65 6E 65 72 61 6C 50 61 73 74 65 62 6F 61 72 64 }
     condition:
         all of them
 }