From 8ddab9bd5a7aee983bfd0fd9f54f44cc456b7479 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Wed, 22 Aug 2018 11:09:39 +0200
Subject: [PATCH] False Positive Reduction https://github.com/Neo23x0/signature-base/issues/42

---
 yara/gen_powershell_susp.yar | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/yara/gen_powershell_susp.yar b/yara/gen_powershell_susp.yar
index c09025da..02f22cbd 100644
--- a/yara/gen_powershell_susp.yar
+++ b/yara/gen_powershell_susp.yar
@@ -149,8 +149,11 @@ rule WScript_Shell_PowerShell_Combo {
 $p1 = "powershell.exe" fullword ascii
 $p2 = "-ExecutionPolicy Bypass" fullword ascii
 $p3 = "[System.Convert]::FromBase64String(" ascii
+
+ $fp1 = "Copyright: Microsoft Corp." ascii
 condition:
 filesize < 400KB and $s1 and 1 of ($p*)
+ and not 1 of ($fp*)
 }
 
 rule SUSP_PowerShell_String_K32_RemProcess {
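Review bot: The new `$fp1` exclusion is an unanchored plaintext allowlist token: any sample that embeds the literal `Copyright: Microsoft Corp.` anywhere in the file now suppresses WScript_Shell_PowerShell_Combo entirely, so the false-positive fix doubles as a trivial bypass for anyone who reads the public rule. If the legitimate file from issue #42 carries that notice in its header, restricting the exclusion to the leading bytes (for example `and not $fp1 in (0..1024)`) would keep the FP fix while removing most of the evasion; I cannot confirm the offset from the hunk alone. Either way the string should carry a comment recording its origin and the trade-off, e.g. `// FP filter: benign Microsoft script (issue #42) - this literal also suppresses the rule, keep it narrow`. The rule's `strings:` header and the `$s1` definition sit above the hunk, so the interaction with `$s1` has not been checked here.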