A1RunGuard - Creating Detection Rules

A1RunGuard uses the YARA signature language (maintained by Google's VirusTotal) to build its anti-malware definitions database.

Thank you Neo23x0 for his nice Raccine project!

Unfortunately, the Raccine project is inactive at the moment.

We took some ideas from Raccine:

  • Using the YARA scanning engine.
  • Blocking the parent processes to prevent ransomware attacks.

Using YARA allowed us to easily create new anti-malware signatures and use them in A1RunGuard.

A1RunGuard improvements in comparison with Raccine:

  1. YARA is compiled from source and integrated into the A1RunScanner.exe executable; Raccine uses the external "yara.exe" executable.
  2. Added a user interface for managing the anti-malware process: pause, logging, notifications, and custom actions.
  3. Automatic, consistent anti-malware definitions database updates through the A1RunGuard Service.
  4. Option to display a confirmation dialog when an alarm is fired.
  5. Extended the list of sources usable in YARA rules: process file name, command line, parent process, file binary contents, and process memory.
  6. The A1RunGuard definitions database allows several YARA rule files to be combined in logical expressions.
  7. Extended the number of monitored processes.

How to create YARA rules for A1RunGuard?

Example YARA rule for vssadmin:

rule vssadmin
{
    strings:
        $p_delete = "delete" fullword nocase
        $p_sh1 = "shadowstorage" fullword nocase
        $p_sh2 = "shadows" fullword nocase
    condition:
        FileName == "vssadmin.exe" and $p_delete and 1 of ($p_sh*)
}

List of the supported variables (external variables usable in a rule's condition section):

  1. FileName - process file name.
  2. FilePath - full process file path.
  3. CommandLine - process command line.
  4. ParentFile - full path to the parent process file.

Format of the anti-malware database file: a1runguardbase.dbi

[CheckList]
    powershell.exe=1

[powershell.exe]
    FileName=powershell.exe
    FilePath=
    Alias=POWERSHELL
    CheckLevel=2
    Link="powershell.yarc"(2) | "powershell2.yarc"(2)

CheckLevel options:

  • 0 - block the process
  • 1 - check the process file contents
  • 2 - check the command line

CheckLevel sets the default check level for all signatures used in the "Link" parameter.

CheckLevel values may be combined by adding them:
3 = check the file contents and the command line

The "Link" parameter defines the signature file, or an expression over several signature files.

Format:

"filename"(CheckLevel) Condition "filename"(CheckLevel) ...

where Condition is one of:

  1. Logical OR: |
  2. Logical AND: &

The "(CheckLevel)" suffix is optional. It is required only when the CheckLevel of that signature file differs from the default CheckLevel of the process.
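As an added example covering the database format, the CheckLevel bitmask, and the "Link" expression syntax above (example code written for this page, not A1RunGuard's own parser), the following Python reads a constructed a1runguardbase.dbi fragment, decodes each signature's effective CheckLevel, and evaluates the Link expression against a dictionary of per-signature match results. Two details the page leaves open are assumed and marked as such: `&` binds tighter than `|`, and parentheses are not supported.

```python
# Added example (not A1RunGuard's own code): parse an a1runguardbase.dbi fragment,
# decode CheckLevel bits, and evaluate a "Link" expression over signature results.
import re
from dataclasses import dataclass

CHECK_FILE = 1      # 1 - check process file contents
CHECK_CMDLINE = 2   # 2 - check the command line
# CheckLevel 0 means: block the process without consulting any signature

# Constructed sample in the format shown above.
SAMPLE_DBI = """\
[CheckList]
    powershell.exe=1

[powershell.exe]
    FileName=powershell.exe
    FilePath=
    Alias=POWERSHELL
    CheckLevel=2
    Link="powershell.yarc"(2) | "powershell2.yarc"(2)
"""


def parse_dbi(text: str) -> dict:
    """Minimal INI-style reader: {section: {key: value}}; indentation is ignored."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections


def sources_for(level: int) -> list:
    """Decode a CheckLevel bitmask into the scan sources it selects (3 = both)."""
    names = []
    if level & CHECK_FILE:
        names.append("file contents")
    if level & CHECK_CMDLINE:
        names.append("command line")
    return names


@dataclass
class LinkTerm:
    signature: str     # the .yarc file name
    check_level: int   # explicit "(n)" if given, else the process default


_TOKEN = re.compile(r'\s*(?:"(?P<sig>[^"]+)"(?:\((?P<lvl>\d+)\))?|(?P<op>[|&]))')


def parse_link(expr: str, default_level: int) -> list:
    """Parse a Link expression into AND-groups that are OR-ed together.

    Assumption (not stated on the page): '&' binds tighter than '|', as in
    most expression languages, and parentheses are not supported."""
    expr = expr.strip()
    pos, groups, current, expect_term = 0, [], [], True
    while pos < len(expr):
        m = _TOKEN.match(expr, pos)
        if not m:
            raise ValueError(f"bad Link syntax near {expr[pos:]!r}")
        pos = m.end()
        if m.group("sig") is not None:
            if not expect_term:
                raise ValueError("two signature files without an operator between them")
            level = int(m.group("lvl")) if m.group("lvl") else default_level
            current.append(LinkTerm(m.group("sig"), level))
            expect_term = False
        else:
            if expect_term:
                raise ValueError("operator without a left-hand signature")
            if m.group("op") == "|":
                groups.append(current)
                current = []
            expect_term = True
    if expect_term:
        raise ValueError("Link expression is empty or ends with an operator")
    groups.append(current)
    return groups


def evaluate_link(groups: list, results: dict) -> bool:
    """results maps signature file name -> whether that signature matched."""
    return any(all(results.get(t.signature, False) for t in group) for group in groups)


def decide(db: dict, process: str, results: dict) -> str:
    """'block' or 'allow' for one process, following the database rules above."""
    if db.get("CheckList", {}).get(process, "0") != "1":
        return "allow"                      # process is not on the check list
    entry = db[process]
    level = int(entry.get("CheckLevel", "0"))
    if level == 0:
        return "block"                      # CheckLevel 0: block unconditionally
    groups = parse_link(entry["Link"], level)
    return "block" if evaluate_link(groups, results) else "allow"


if __name__ == "__main__":
    db = parse_dbi(SAMPLE_DBI)
    for group in parse_link(db["powershell.exe"]["Link"], 2):
        print([(t.signature, sources_for(t.check_level)) for t in group])
    print(decide(db, "powershell.exe", {"powershell2.yarc": True}))   # block
    print(decide(db, "powershell.exe", {}))                            # allow
```

Because the operator precedence is not documented, a practitioner writing a mixed expression such as `"a.yarc" & "b.yarc" | "c.yarc"` should verify A1RunGuard's actual grouping before relying on it; the parser above raises on dangling operators so that a malformed Link line is noticed rather than silently evaluated.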

How A1RunGuard protects against "REvil" ransomware
