Sneed-Reactivity/yara-mikesxrs/AirBnB/eicar.yar

rule eicar_av_test {
    /*
       Per standard, match only if entire file is EICAR string plus optional trailing whitespace.
       The raw EICAR string to be matched is:
       X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
    */

    meta:
        description = "This is a standard AV test, intended to verify that BinaryAlert is working correctly."
        author = "Austin Byers | Airbnb CSIRT"
        reference = "http://www.eicar.org/86-0-Intended-use.html"

    strings:
        $eicar_regex = /^X5O!P%@AP\[4\\PZX54\(P\^\)7CC\)7\}\$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!\$H\+H\*\s*$/

    condition:
        $eicar_regex
}
OMG ISTG PLS WORK RED PILL :red_circle: :pill: 2024-07-25 12:43:35 -05:00			`rule eicar_av_test {`
			`/*`
			`Per standard, match only if entire file is EICAR string plus optional trailing whitespace.`
			`The raw EICAR string to be matched is:`
			`X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*`
			`*/`

			`meta:`
			`description = "This is a standard AV test, intended to verify that BinaryAlert is working correctly."`
			`author = "Austin Byers \| Airbnb CSIRT"`
			`reference = "http://www.eicar.org/86-0-Intended-use.html"`

			`strings:`
			`$eicar_regex = /^X5O!P%@AP\[4\\PZX54\(P\^\)7CC\)7\}\$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!\$H\+H\\s$/`

			`condition:`
			`$eicar_regex`
			`}`