ZLoader rule produces false positives
TETYYS opened this issue · comments
It is usual for program to have strings /post.php and Connection: close in it, so ZLoader rule which requires only 2 of strings in its list to match, matches regular programs
Yara-rules/rules/crimeware/ZLoader.yar
Line 36 in 4f32972
Hi tetyys - thank you - good point! Will tighten the rule.