Carbon Black App Control includes several pre-configured YARA rules, which are enabled by default. You can view these rules on the YARA Rules page, for example, to help you identify information about the purpose of a tag you see assigned to a file so that you know how to use that tag.
Important: All pre-configured YARA rules are enabled by default and cannot be modified.
To get familiar with YARA rule parameters, see YARA Rule Parameters.
For a list of the YARA tags that have predefined meanings, see YARA Rule Tags.
To get familiar with YARA CBEP attributes, see YARA CBEP Attributes.
| Attribute | Description |
|---|---|
| Status | Enabled |
| Read Only | Yes |
| Date Modified | Date when the rule was last updated by the server. |
| Last Modified By | User name of the user who last updated the rule. |
| Date Created | Date when the rule was first added to the server. |
| Created By | User name of the user who created the rule. |
| YARA Rule Name | Namespace | Description | Qualifiers |
|---|---|---|---|
| 16-bit COM Executables | IsInteresting | Identifies 16-bit executables | |
| 7zip Archives | IsInteresting | Identifies 7zip files as crawlable archives | <OnlyIf:DBQueryNonZero:select count(*) from crawlpath where crawlpath_enabled = 1> |
| Bzip Archives | IsInteresting | Identifies bzip and bzip2 files as crawlable archives | <OnlyIf:DBQueryNonZero:select count(*) from crawlpath where crawlpath_enabled = 1> |
| Chrome Extension Interpreter | Classification | Identifies interpreters for Chrome extensions | |
| Cmd Script Interpreter | Classification | Identifies Interpreters for cmd/bat scripts | |
| EICAR | IsInteresting | Identifies EICAR signature | |
| Embedded Archives | IsInteresting | Identifies executables with embedded archives as installers | |
| Embedded Executables | IsInteresting | Identifies executables that contain other executables as install | |
| FileHeader | IsInteresting | File header for the IsInteresting rule set. Includes any import. | |
| FileHeader | Classification | File header for the Classification rule set. Includes any import. | |
| Gzip Archives | IsInteresting | Identifies gzip files as crawlable archives | <OnlyIf:DBQueryNonZero:select count(*) from crawlpath where crawlpath_enabled = 1> |
| Inno Setup Installers | IsInteresting | Identifies InnoSetup executable installers | |
| Install Shield Installers | IsInteresting | Identifies Install Shield executable installers | |
| Install4J Installers | IsInteresting | Identifies installers built using install4J | |
| InstallShield Archives | IsInteresting | Identifies install shield files as crawlable archives | <OnlyIf:DBQueryNonZero:select count(*) from crawlpath where crawlpath_enabled = 1> |
| ISO Archives | IsInteresting | Identifies ISO files as crawlable archives | <OnlyIf:DBQueryNonZero:select count(*) from crawlpath where crawlpath_enabled = 1> |
| Jar Archives | IsInteresting | Identifies jar files as crawlable archives | <OnlyIf:DBQueryNonZero:select count(*) from crawlpath where crawlpath_enabled = 1> |
| Java Script Interpreter | Classification | Identifies Interpreters for Java scripts | |
| Microsoft Cabinet Files | IsInteresting | Identifies Microsoft Cabinet files as a crawlable archive | <OnlyIf:DBQueryNonZero:select count(*) from crawlpath where crawlpath_enabled = 1> |
| Microsoft HTML Application Interpreter | Classification | Identifies Interpreters for HTML applications | |
| Mozilla Extension Interpreter | Classification | Identifies interpreters for Mozilla extensions (Firefox browser) | |
| Msiexec detector | Classification | Identifies msiexec | |
| NetOp System File Installers | IsInteresting | Identifies NetOp System File installers | |
| Nullsoft Installers | IsInteresting | Identifies Nullsoft self-extracting installers | |
| Perl Script Interpreter | Classification | Identifies Interpreters for perl scripts | |
| Portable Executable | IsInteresting | Identifies win32 portable executables and dlls | |
| Powershell Script Interpreter | Classification | Identifies Interpreters for powershell scripts | |
| PowerShell Scripts | Classification | Classifies powershell scripts that can execute memory | |
| Python DistUtils Installers | IsInteresting | Identifies installers built using pythons distutil library | |
| Python Script Interpreter | Classification | Identifies Interpreters for python scripts | <OnlyIf:Bit9Version:Atleast:8.0.0.2454> |
| Rar Archives | IsInteresting | Identifies rar files as crawlable archives | <OnlyIf:DBQueryNonZero:select count(*) from crawlpath where crawlpath_enabled = 1> |
| Reg Script Interpreter | Classification | Identifies Interpreters for reg scripts | |
| Resource Installers | IsInteresting | Identifies installers based on strings in the resources | |
| Ruby Script Interpreter | Classification | Identifies interpreters for Ruby scripts | |
| Self-extracting Executables | IsInteresting | Identifies self-extracting executables as installers | |
| Systems Management Server Installers | IsInteresting | Identifies Microsoft SMS installers | |
| Tar Archives | IsInteresting | Identifies tar files as crawlable archives | <OnlyIf:DBQueryNonZero:select count(*) from crawlpath where crawlpath_enabled = 1> |
| TCL Kit Installers | IsInteresting | Identifies installers built using TCL Kit | |
| UPX Packing detector | Classification | Identifies UPX packed exes | |
| VB Script Interpreter | Classification | Identifies Interpreters for vb scripts | |
| WIM Archives | IsInteresting | Identifies wim files as crawlable archives | <OnlyIf:DBQueryNonZero:select count(*) from crawlpath where crawlpath_enabled = 1> |
| Windows Installers | IsInteresting | Identifies windows installers (MSI and MSP) | |
| Wise Installers | IsInteresting | Identifies wise installers | |
| Zip Archives | IsInteresting | Identifies zip files as crawlable archives | <OnlyIf:DBQueryNonZero:select count(*) from crawlpath where crawlpath_enabled = 1> |
