
Microsoft flags YaraX compiled binary as Trojan malware #200

Closed
Benji377 opened this issue Sep 19, 2024 · 5 comments

Comments


Benji377 commented Sep 19, 2024

Intro

I have a public repo where I build YARA rules using a Python script; the binary is then uploaded to a release and later downloaded by our application. The application uses the binary to scan files.

Problem

The issue is that once we download the binary from the release page, Microsoft Windows Defender immediately deletes it and reports it as a Trojan. Has anybody had the same issue?
Here is an extract of how the binary is built:

```python
...
# Setup elided in the extract above; these lines are needed for it to run as-is
import os
import yara_x  # yara-x Python bindings

compiler = yara_x.Compiler()
number_of_rules = 0
error_rules = []

# Iterate through the rules folder and retrieve each yar file in the folder and subfolders
rules_folder = 'rules'
for root, dirs, files in os.walk(rules_folder):
    for file in files:
        if file.endswith('.yar'):
            # Get the content of the file as string
            with open(os.path.join(root, file), 'r') as rule_file:
                content = rule_file.readlines()
                # Add the rule to the compiler
                try:
                    compiler.add_source(''.join(content))
                    number_of_rules += 1
                except Exception as e:
                    error_rules.append(file)
                    print(f'Error compiling {file}: {e}')

# Compile the rules
rules = compiler.build()

# Save the compiled rules into a binary file
with open('rulepirus.yarac', 'wb') as write_file:
    rules.serialize_into(write_file)
...
```



GamingGuy003 commented Sep 19, 2024

Co-programmer of OP here. This has been happening for multiple yara-x versions including the latest one, so it does not seem to be version-specific.

plusvic (Member) commented Sep 19, 2024

This may happen because compiled rules include a WebAssembly module in compiled form, and Microsoft Windows Defender may consider that suspicious. I'll investigate.

plusvic (Member) commented Sep 19, 2024

However, I strongly suggest you reconsider the distribution of YARA rules in binary form to your users. Using compiled YARA rules from third parties is highly discouraged because it constitutes a security risk. Bear in mind that compiled YARA rules contain executable code; therefore they can be manipulated to execute malicious payloads.

Also, compiled YARA rules at this moment are guaranteed to run only on the same platform that was used for compiling. If you compile them on 64-bit Linux, you must use them on 64-bit Linux; they won't work on Windows or macOS. You will also encounter issues when compiling the rules with some version of YARA and trying to use them with some other version.

The bottom line is that compiled rules are a mechanism for avoiding the re-compilation of large sets of rules, assuming that you are compiling the rules yourself and that you are not using them in a cross-platform environment. They are not intended to be used as a mechanism for distributing closed-source YARA rules.

GamingGuy003 commented

Thank you, this is quite useful information. I was unaware of the cross-platform limitations. We will attempt to implement compilation on the client instead of pre-compiling the rules in that case. This however still leaves the issue with storing the compiled rules, as we partially target low-performance devices and compilation might be quite slow on those. If you find anything about why Defender tags the rules or how we could circumvent that, we would be really grateful!

plusvic (Member) commented Sep 20, 2024

After #202 I think that Microsoft Windows Defender should not flag the compiled rules anymore. It also solved the issue with compiled rules that are platform-specific. Still, distributing compiled rules is highly discouraged unless you implement some signature mechanism that validates that compiled rules come from a trusted source without alteration.
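One way to build the signature mechanism the comment above asks for, as an added example that is not part of yara-x or of the reporter's project: the build pipeline signs a small manifest (SHA-256 of the `.yarac` file plus a monotonically increasing rules version) with an Ed25519 private key, and the client verifies the manifest with the embedded public key, checks the file hash and refuses version rollback, all before the bytes ever reach the deserializer. It assumes the `cryptography` package; the `.yarac` bytes and key pair are constructed for the demo, and the deserializer is passed in as a callable so the verified bytes can be handed to the yara-x binding's own deserialization function (the exact name of that function is not shown on this page; check the binding's documentation).

```python
"""Sign compiled YARA rules at build time; verify on the client before deserializing."""
import hashlib
import hmac
import json
from typing import Callable

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives.asymmetric.ed25519 import (
    Ed25519PrivateKey,
    Ed25519PublicKey,
)


class UntrustedRulesError(Exception):
    """The compiled-rules bundle did not verify; it must not be deserialized."""


def generate_demo_keypair() -> tuple[Ed25519PrivateKey, Ed25519PublicKey]:
    """Demo only: in practice the private key lives on the build server and the
    public key is embedded in the application."""
    private_key = Ed25519PrivateKey.generate()
    return private_key, private_key.public_key()


def sign_rules(private_key: Ed25519PrivateKey, yarac: bytes, rules_version: int) -> dict:
    """Build pipeline: sign a manifest binding SHA-256(yarac) to a version number.

    The signature covers the raw payload bytes, so any change to the digest or
    the version invalidates it.
    """
    payload = json.dumps(
        {"sha256": hashlib.sha256(yarac).hexdigest(), "rules_version": rules_version},
        sort_keys=True,
    ).encode()
    return {"payload": payload.decode(), "signature": private_key.sign(payload).hex()}


def verify_rules(
    public_key: Ed25519PublicKey, yarac: bytes, manifest: dict, min_version: int
) -> int:
    """Client: check signature, then hash binding, then rollback; return the version.

    Order matters: the signature is verified over the untouched payload bytes
    before the JSON inside it is parsed or trusted.
    """
    try:
        payload = manifest["payload"].encode()
        public_key.verify(bytes.fromhex(manifest["signature"]), payload)
    except (InvalidSignature, ValueError, KeyError, AttributeError) as exc:
        raise UntrustedRulesError("manifest signature invalid") from exc
    meta = json.loads(payload)
    actual = hashlib.sha256(yarac).hexdigest()
    # Constant-time comparison of the hex digests
    if not hmac.compare_digest(meta["sha256"], actual):
        raise UntrustedRulesError("compiled rules do not match the signed digest")
    version = int(meta["rules_version"])
    if version < min_version:
        raise UntrustedRulesError(f"rollback: bundle version {version} < {min_version}")
    return version


def load_rules_if_trusted(
    public_key: Ed25519PublicKey,
    yarac: bytes,
    manifest: dict,
    min_version: int,
    deserialize: Callable[[bytes], object],
):
    """Only call the deserializer once the bytes are known to be authentic."""
    verify_rules(public_key, yarac, manifest, min_version)
    return deserialize(yarac)


if __name__ == "__main__":
    build_key, client_pub = generate_demo_keypair()
    # Constructed stand-in for the contents of rulepirus.yarac, not real compiled rules
    yarac = b"\x00constructed stand-in for compiled rules"
    manifest = sign_rules(build_key, yarac, rules_version=7)
    print("accepted version", verify_rules(client_pub, yarac, manifest, min_version=7))
    try:
        verify_rules(client_pub, yarac + b"x", manifest, min_version=7)
    except UntrustedRulesError as err:
        print("rejected:", err)
```

The client keeps the highest `rules_version` it has accepted and passes it as `min_version`, so a signed but older bundle cannot be replayed to reintroduce rules that were later withdrawn. Because the page notes that compiled rules contain executable code, the deserializer is deliberately the last step: nothing from the download is parsed beyond the manifest until the signature and digest have been checked.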
