False negatives
The false negatives check makes sure that all hashes mentioned in the metadata section of YARA rules correspond to files that actually match the rule. By default YARA-CI extracts SHA-256, SHA-1 and MD5 hashes from metadata fields named hash*, sha256*, sha1* or md5*. For example, all the hashes in the following metadata definitions will be correctly extracted:
meta:
    hash1 = "bedfa845b7077532d47b7a9a5f49c744c70a9b8706a90ac97471d1c7799aa86d"
    hash2 = "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f"
    hashes = "242ba63a35e9647ca61c98081540460b,a552bd9a6dbc1493c432a2ad37afd91c"
    sha256 = "381e0e12e67a5c026529129a264844e7f1029114365ef3be465b72a3bec572c9"
    sha1_1 = "5d3f557ad0a0fa661cb5ce04e59b9ad5b917494f"
    sha1_2 = "99fea9eb3f1aac5a61161b8cde1b2653f4aa7afc"
    md5s = "[c3b78fa2765328098ceca4ee6563da41,9b113c9e2851a07b0fdff34eb943aa4d]"
The default behavior can be changed by explicitly telling YARA-CI which name patterns should be used to decide the metadata fields from which hashes will be extracted. If you include the following snippet in your .yara-ci.yml file, YARA-CI will extract hashes only from metadata fields with names starting with hash; fields with names like sha256, sha1 or md5 will be ignored.
false_negatives:
  meta_names:
    - hash*
If the metadata fields where you put your hashes are always named like sha256_1, sha256_2, sha256_3 … sha256_n, or sha1_1, sha1_2, sha1_3 … sha1_n, you can use the following configuration:
false_negatives:
  meta_names:
    - sha256_*
    - sha1_*
The default configuration is:
false_negatives:
  meta_names:
    - hash*
    - sha1*
    - sha256*
    - md5*
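The extraction and check described above, as an added example that is not YARA-CI's own code: a minimal parser pulls the meta: fields out of a rule, keeps only the fields whose names match the configured meta_names globs, picks out MD5/SHA-1/SHA-256 digests by length (handling comma-separated and bracketed lists as in the metadata example), and reports referenced hashes that no scanned file matched. The rule text is constructed from the page's example; parse_meta, extract_hashes and false_negatives are hypothetical helper names.

```python
import fnmatch
import re

# Default "false_negatives.meta_names" patterns from the YARA-CI configuration above.
DEFAULT_META_NAMES = ["hash*", "sha1*", "sha256*", "md5*"]

# Hex digests recognised by length: SHA-256 (64), SHA-1 (40), MD5 (32); longest first.
HASH_RE = re.compile(r"\b(?:[0-9a-fA-F]{64}|[0-9a-fA-F]{40}|[0-9a-fA-F]{32})\b")
META_LINE_RE = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"')
KIND_BY_LEN = {64: "sha256", 40: "sha1", 32: "md5"}

# Constructed rule text reusing the metadata example from the page.
SAMPLE_RULE = '''rule example {
    meta:
        hash1 = "bedfa845b7077532d47b7a9a5f49c744c70a9b8706a90ac97471d1c7799aa86d"
        hash2 = "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f"
        hashes = "242ba63a35e9647ca61c98081540460b,a552bd9a6dbc1493c432a2ad37afd91c"
        sha256 = "381e0e12e67a5c026529129a264844e7f1029114365ef3be465b72a3bec572c9"
        sha1_1 = "5d3f557ad0a0fa661cb5ce04e59b9ad5b917494f"
        sha1_2 = "99fea9eb3f1aac5a61161b8cde1b2653f4aa7afc"
        md5s = "[c3b78fa2765328098ceca4ee6563da41,9b113c9e2851a07b0fdff34eb943aa4d]"
    condition:
        true
}'''

def parse_meta(rule_text):
    """Yield (name, value) pairs from the meta: section (minimal line-based parser)."""
    in_meta = False
    for line in rule_text.splitlines():
        stripped = line.strip()
        if stripped.endswith(":"):          # section headers: meta:, strings:, condition:
            in_meta = stripped == "meta:"
        elif in_meta and (m := META_LINE_RE.match(line)):
            yield m.group(1), m.group(2)

def extract_hashes(rule_text, meta_names=DEFAULT_META_NAMES):
    """Collect digests from meta fields whose names match any glob in meta_names."""
    found = {"md5": set(), "sha1": set(), "sha256": set()}
    for name, value in parse_meta(rule_text):
        if any(fnmatch.fnmatchcase(name, pat) for pat in meta_names):
            for digest in HASH_RE.findall(value):
                found[KIND_BY_LEN[len(digest)]].add(digest.lower())
    return found

def false_negatives(rule_text, matched, meta_names=DEFAULT_META_NAMES):
    """Referenced digests that no scanned file matched, i.e. the check's failures."""
    referenced = set().union(*extract_hashes(rule_text, meta_names).values())
    return referenced - {h.lower() for h in matched}
```

Running extract_hashes(SAMPLE_RULE, ["sha256_*", "sha1_*"]) shows why the second configuration above skips the plain sha256 field: only sha1_1 and sha1_2 match the globs.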
The false negatives test can be entirely disabled by setting its disabled property to true:
false_negatives:
  disabled: true