Defining Custom Behavioral Rules

Custom Behavioral Rules are a set of YARA rules. YARA is a rule-based tool for identifying and classifying malware. Advanced Threat Defense lets you use your own YARA rules to identify and classify malware, so you can import your own descriptions of malware into Advanced Threat Defense.

Custom Behavioral Rules also enable you to customize the detection capabilities of Advanced Threat Defense to suit your needs. For example, you can use Custom Behavioral Rules if you would like certain registry operations to be reported as a particular severity level rather than the default severity level assigned by Advanced Threat Defense. You can also write Custom Behavioral Rules to catch zero‐day or near-zero-day malware. You can write your own Custom Behavioral Rules or use the YARA rules from a third party.

Note: In this section, the word sample refers to both files and URLs that have been submitted to Advanced Threat Defense for malware analysis.

You store your Custom Behavioral Rules in a text file. Name this file so that it helps you track modifications to your Custom Behavioral Rules set. You import this text file into Advanced Threat Defense through the web interface.
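A constructed Custom Behavioral Rules file, added here as an illustration and not taken from the Advanced Threat Defense documentation. The `severity` meta key is an assumption about how a rule could be labelled (the page does not say which meta keys Advanced Threat Defense reads), and the `pe` module requires YARA 3.0 or later, so it applies to release 3.4.8 or later in the version list below.

```yara
// Constructed example file, not from the Advanced Threat Defense documentation.
// The "pe" module needs YARA 3.0 or later (Advanced Threat Defense 3.4.8 or later).
import "pe"

// Flags a Windows executable that embeds both an autostart Run-key path and the
// registry API commonly used to write it: a cheap static indicator of persistence intent.
rule PE_Embeds_RunKey_Persistence_Strings
{
    meta:
        author      = "constructed example"
        description = "PE carrying a CurrentVersion\\Run path plus RegSetValueEx"
        // Assumption: "severity" is free-form YARA metadata here; whether
        // Advanced Threat Defense interprets this key is not stated on this page.
        severity    = "medium"
    strings:
        $run_key = "Software\\Microsoft\\Windows\\CurrentVersion\\Run" ascii wide nocase
        $reg_api = "RegSetValueEx" ascii
    condition:
        uint16(0) == 0x5A4D and $run_key and $reg_api
}

// Flags a PE that carries UPX-style section names and whose entry point lies
// outside the first section, a common packer layout worth a higher severity.
rule PE_UPX_Sections_Entry_Point_Outside_First_Section
{
    meta:
        author      = "constructed example"
        description = "UPX section names and entry point not inside section 0"
        severity    = "high"   // assumption, see above
    condition:
        uint16(0) == 0x5A4D and
        pe.number_of_sections >= 2 and
        for any i in (0..pe.number_of_sections - 1): (
            pe.sections[i].name == "UPX0" or pe.sections[i].name == "UPX1"
        ) and
        not (pe.entry_point >= pe.sections[0].raw_data_offset and
             pe.entry_point < pe.sections[0].raw_data_offset + pe.sections[0].raw_data_size)
}
```

Both rules can be checked locally against a sample with the `yara` command-line tool before the file is imported, which catches syntax errors that would otherwise surface only at import time.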

Assuming you have enabled all analysis options together with custom YARA rules, Advanced Threat Defense processes sample files and URLs in the following order of priority:

  1. Global Whitelist
  2. Local blacklist
  3. McAfee GTI
  4. McAfee Gateway Anti-Malware Engine
  5. McAfee Anti-Malware Engine
  6. Custom Yara Scanner
  7. Dynamic Analysis
  8. Custom Behavioral Rules — User-managed YARA rules.
  9. Internal YARA rules — Rules defined by McAfee and updated during Advanced Threat Defense software upgrades. You cannot view or download these rules.

Note: Advanced Threat Defense checks a sample against YARA rules only if the sample is dynamically analyzed.

After you import your Custom Behavioral Rules into Advanced Threat Defense, malware detection and classification are based on these rules as well. The final severity of a sample is the maximum value reported by the analysis methods listed above, including the custom YARA rules.

Considerations

  • Advanced Threat Defense supports custom YARA rules only from Advanced Threat Defense release 3.2.0.
  • Advanced Threat Defense 3.2.0 supports YARA version 1.0 only, so all YARA features documented in the YARA User's Manual for version 1.0 are supported.
  • Advanced Threat Defense 3.4.8 supports YARA version 3.0.
  • Advanced Threat Defense 3.6.0 supports YARA version 3.1.
  • In an Advanced Threat Defense cluster setup, each node maintains its own set of Custom Behavioral Rules. That is, the custom YARA rules that you define on the primary node are not sent to the secondary nodes automatically.
  • There is no limit on the number of rules that you can include in your Custom Behavioral Rules file. Neither is there a limit on the size of this file. However, the number of rules and their complexity might affect the performance of Advanced Threat Defense.