A1RunGuard uses the signatures language for creating its antivirus definitions database.
Thank you Neo23x0 for his nice project!
Unfortunately, the Raccine project is inactive at the moment.
We took some ideas from Raccine:
Example of a YARA rule for vssadmin (the strings are matched against the command line; FileName is an external variable supplied by the scanner with the process image name):

    // rule name is illustrative; the page shows only the strings and the condition
    rule vssadmin_delete_shadows
    {
        strings:
            $p_delete = "delete" fullword nocase
            $p_sh1    = "shadowstorage" fullword nocase
            $p_sh2    = "shadows" fullword nocase
        condition:
            FileName == "vssadmin.exe" and $p_delete and 1 of ($p_sh*)
    }
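To see what the rule above actually catches, here is an added example (not A1RunGuard's or Raccine's code) that re-implements its condition in plain Python, including YARA's "fullword nocase" semantics, and runs it over a few constructed process events:

```python
import re

# Added example: mirror of the page's vssadmin rule, evaluated outside YARA
# so the matching semantics can be checked against sample command lines.


def fullword_nocase(pattern: str, text: str) -> bool:
    """YARA-style 'fullword nocase': the string must not be bordered by an
    alphanumeric character on either side, compared case-insensitively."""
    rx = r"(?<![A-Za-z0-9])" + re.escape(pattern) + r"(?![A-Za-z0-9])"
    return re.search(rx, text, re.IGNORECASE) is not None


def vssadmin_shadow_delete(file_name: str, command_line: str) -> bool:
    """Condition from the page:
    FileName == "vssadmin.exe" and $p_delete and 1 of ($p_sh*)"""
    p_delete = fullword_nocase("delete", command_line)
    p_sh = [
        fullword_nocase("shadowstorage", command_line),  # $p_sh1
        fullword_nocase("shadows", command_line),        # $p_sh2
    ]
    return file_name == "vssadmin.exe" and p_delete and any(p_sh)


# Constructed sample process events: (image file name, command line).
SAMPLE_EVENTS = [
    ("vssadmin.exe", "vssadmin list shadows"),                       # benign
    ("vssadmin.exe", "vssadmin delete shadows /all /quiet"),         # match
    ("vssadmin.exe", "VSSADMIN Delete ShadowStorage /For=C: /Quiet"),  # match (nocase)
    ("vssadmin.exe", "vssadmin resize shadowstorage /for=C: /maxsize=401MB"),  # benign
    # FileName is the image of the process being checked; the child vssadmin.exe
    # that cmd.exe would spawn is evaluated as its own event, not here.
    ("cmd.exe", "cmd /c vssadmin delete shadows /all"),
]


def matching_events(events):
    """Return the command lines of the events the rule would flag."""
    return [cmd for name, cmd in events if vssadmin_shadow_delete(name, cmd)]


if __name__ == "__main__":
    for cmd in matching_events(SAMPLE_EVENTS):
        print("ALERT:", cmd)
```

Note that "shadows" as a fullword string does not match inside "shadowstorage", which is why the rule needs both $p_sh strings.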
Compiled rule files are linked with a CheckLevel, for example:

    Link="powershell.yarc"(2) | "powershell2.yarc"(2)

The general form is:

    "filename"(CheckLevel) Condition "filename"(CheckLevel)

CheckLevel values may be combined:

    3 = check file and command line