A1RunGuard uses the YARA rule language (the signature language developed at VirusTotal, now part of Google) to build its antivirus definitions database.
Thanks to Neo23x0 for the Raccine project! Unfortunately, Raccine is no longer actively maintained.
We borrowed several ideas from Raccine, among them rules of the following kind:
Example of a YARA rule for vssadmin:

```yara
rule vssadmin_delete_shadows
{
    strings:
        $p_delete = "delete" fullword nocase
        $p_sh1 = "shadowstorage" fullword nocase
        $p_sh2 = "shadows" fullword nocase
    condition:
        FileName == "vssadmin.exe" and $p_delete and 1 of ($p_sh*)
}
```

`FileName` is not a YARA built-in: it is an external variable, evidently populated by A1RunGuard with the image name of the process being checked. With stock YARA tooling it therefore has to be declared at compile time, for example `yarac -d FileName=vssadmin.exe rule.yar rule.yarc`. Note that `==` on an external string is a case-sensitive comparison in YARA, while Windows image names are not case-sensitive, so the image name should be normalised before it is handed to the rule (or compared with YARA's `iequals`).
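To make the matching semantics of that rule concrete, here is an added example (not A1RunGuard or Raccine code) that re-implements the same condition in plain Python and runs it over a handful of constructed command lines. It emulates YARA's `fullword` (the hit may not touch an alphanumeric character on either side) and `nocase`, and treats `FileName` as the external variable that A1RunGuard is assumed to fill with the process image name; lower-casing that name is an assumption of the example, not documented A1RunGuard behaviour.

```python
"""
Added illustration of the vssadmin rule's semantics; not A1RunGuard code.
"""
import re
from typing import Dict, List, Tuple

# String definitions copied from the rule; each one is `fullword nocase`.
RULE_STRINGS: Dict[str, str] = {
    "p_delete": "delete",
    "p_sh1": "shadowstorage",
    "p_sh2": "shadows",
}


def fullword_nocase(needle: str, haystack: str) -> bool:
    """Emulate a YARA `fullword nocase` text string on one buffer."""
    # For `fullword`, YARA treats ASCII [A-Za-z0-9] as alphanumeric: the match
    # must not be immediately preceded or followed by such a character.
    pattern = r"(?<![A-Za-z0-9])" + re.escape(needle) + r"(?![A-Za-z0-9])"
    return re.search(pattern, haystack, re.IGNORECASE) is not None


def matches_rule(file_name: str, command_line: str) -> bool:
    """Evaluate: FileName == "vssadmin.exe" and $p_delete and 1 of ($p_sh*)."""
    # YARA's == on an external string is case-sensitive. Whether A1RunGuard
    # normalises the image name is not documented, so this example lowercases
    # it itself (an assumption) to avoid a trivial VSSADMIN.EXE bypass.
    if file_name.lower() != "vssadmin.exe":
        return False
    hits = {name: fullword_nocase(text, command_line)
            for name, text in RULE_STRINGS.items()}
    # `1 of ($p_sh*)`: at least one of the strings whose name starts with p_sh.
    one_of_sh = any(hit for name, hit in hits.items() if name.startswith("p_sh"))
    return hits["p_delete"] and one_of_sh


# Constructed (image name, command line) pairs for the example; not real telemetry.
SAMPLES: List[Tuple[str, str]] = [
    ("vssadmin.exe", "vssadmin delete shadows /all /quiet"),                   # classic
    ("VSSADMIN.EXE", "vssadmin.exe Delete Shadows /For=C: /Oldest"),           # nocase
    ("vssadmin.exe", "vssadmin list shadows"),                                 # benign
    ("vssadmin.exe", "vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB"),  # no "delete"
    ("wmic.exe", "wmic shadowcopy delete"),                                    # other image
]


def evaluate_samples() -> List[bool]:
    """Run every sample through the rule and return the verdicts in order."""
    return [matches_rule(image, cmd) for image, cmd in SAMPLES]


if __name__ == "__main__":
    for (image, cmd), verdict in zip(SAMPLES, evaluate_samples()):
        print(f"{'MATCH   ' if verdict else 'no match'}  {image}: {cmd}")
```

Two things the run makes visible: `fullword` keeps `$p_sh2` ("shadows") from firing inside "shadowstorage", which is why the rule needs `$p_sh1` as well; and the fourth sample, the `resize shadowstorage` variant that destroys shadow copies without ever saying "delete", is not caught by this rule and would need a string of its own. With yara-python the original rule runs natively instead of this emulation: compile it with `yara.compile(source=rule_text, externals={"FileName": ""})` and scan each command line with `rules.match(data=command_line, externals={"FileName": image_name})`.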
A `Link=` entry attaches one or more compiled rule files (`.yarc`) to a check. Each file name is followed by its CheckLevel in parentheses, and several files are joined with a condition operator, for example:

```
Link="powershell.yarc"(2) | "powershell2.yarc"(2)
```

General form of an entry:

```
"filename"(CheckLevel) Condition "filename"(CheckLevel)
```

CheckLevel values are bit flags and may be combined by adding them; for example 3 = check file and command line.