False Positive Reduction #42

Neo23x0 · Aug 22, 2018 · 8ddab9b · 8ddab9b
1 parent 5d4ed22
commit 8ddab9b
Showing 1 changed file with 3 additions and 0 deletions.
diff --git a/yara/gen_powershell_susp.yar b/yara/gen_powershell_susp.yar
@@ -149,8 +149,11 @@ rule WScript_Shell_PowerShell_Combo {
       $p1 = "powershell.exe" fullword ascii
       $p2 = "-ExecutionPolicy Bypass" fullword ascii
       $p3 = "[System.Convert]::FromBase64String(" ascii
+
+      $fp1 = "Copyright: Microsoft Corp." ascii
    condition:
       filesize < 400KB and $s1 and 1 of ($p*)
+      and not 1 of ($fp*)
 }
 
 rule SUSP_PowerShell_String_K32_RemProcess {