As we promised when we launched YARA-CI last month, we keep working on new features and improvements. Today we are glad to introduce a new feature: a check for false negatives.
A false negative is when a YARA rule is expected to match a file but it doesn’t. Many people have the habit (a good one, by the way) of including one or more file hashes in the metadata section of the rule, indicating some of the files that the rule should match. Now YARA-CI verifies that the files mentioned in the rule’s metadata actually trigger the rule.
Of course, this is possible only for rules that include some file hash in their metadata section, and only for files that are already present in VirusTotal. If a rule doesn’t include any hashes, or the referenced files are not in VirusTotal, the check will still succeed. However, if a rule mentions some hash and that file happens to be in VirusTotal, the check will fail if the rule doesn’t match the file.
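To make the three outcomes of the check concrete (match, skipped because the sample is unavailable, and false negative), here is an added example that reproduces the same logic locally. It is not YARA-CI's own code and it assumes nothing about how VirusTotal is queried: the "corpus" is a small in-memory dictionary of constructed sample bytes standing in for files available to the checker, the rules are constructed for the demo, and the `yara` module (yara-python) is used when installed, with a caller-supplied matcher as an offline fallback so the flow itself can be tested.

```python
"""Local imitation of a false-negative check for YARA rules (added example).

For every rule whose `meta` section lists file hashes (keys such as hash,
hash1, md5, sha1, sha256) the script looks the hash up in a local corpus,
runs the rule against the sample and reports any hash the rule fails to
match. Hashes that are not in the corpus are skipped, mirroring the
behaviour described above.
"""
import hashlib
import re
from typing import Callable, Dict, List, Optional

# A rule header, capturing the rule name.
RULE_RE = re.compile(r'^\s*(?:private\s+|global\s+)*rule\s+(\w+)', re.MULTILINE)
# Meta entries whose key looks like a hash field and whose value is hex.
META_HASH_RE = re.compile(
    r'^\s*(?:hash\w*|md5|sha1|sha256)\s*=\s*"([0-9A-Fa-f]+)"',
    re.MULTILINE | re.IGNORECASE)
# Digest length (hex chars) -> hashlib algorithm name.
HASH_ALGOS = {32: "md5", 40: "sha1", 64: "sha256"}


def extract_rule_hashes(rules_text: str) -> Dict[str, List[str]]:
    """Return {rule_name: [hash, ...]} for rules whose meta section lists hashes."""
    result: Dict[str, List[str]] = {}
    heads = list(RULE_RE.finditer(rules_text))
    for i, head in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(rules_text)
        body = rules_text[head.end():end]
        # Only the meta section is inspected, never strings or condition.
        meta = re.search(r'meta\s*:(.*?)(?=\n\s*(?:strings|condition)\s*:)', body, re.DOTALL)
        if not meta:
            continue
        hashes = [h.lower() for h in META_HASH_RE.findall(meta.group(1)) if len(h) in HASH_ALGOS]
        if hashes:
            result[head.group(1)] = hashes
    return result


def index_samples(samples: Dict[str, bytes]) -> Dict[str, bytes]:
    """Map the md5, sha1 and sha256 digest of every sample to its content."""
    index: Dict[str, bytes] = {}
    for data in samples.values():
        for algo in HASH_ALGOS.values():
            index[hashlib.new(algo, data).hexdigest()] = data
    return index


def yara_matcher(rules_text: str) -> Callable[[str, bytes], bool]:
    """Build a matcher backed by yara-python (raises ImportError if not installed)."""
    import yara  # type: ignore
    compiled = yara.compile(source=rules_text)

    def match(rule_name: str, data: bytes) -> bool:
        return any(m.rule == rule_name for m in compiled.match(data=data))
    return match


def check_false_negatives(rules_text: str, samples: Dict[str, bytes],
                          matcher: Optional[Callable[[str, bytes], bool]] = None) -> Dict[str, Dict[str, List[str]]]:
    """Return {rule: {"fail": [...], "skipped": [...]}} for every rule that lists hashes.

    fail    - hashes present in the corpus that the rule did NOT match (false negatives)
    skipped - hashes absent from the corpus, so the check cannot be performed
    """
    if matcher is None:
        matcher = yara_matcher(rules_text)
    index = index_samples(samples)
    report: Dict[str, Dict[str, List[str]]] = {}
    for rule, hashes in extract_rule_hashes(rules_text).items():
        fail, skipped = [], []
        for h in hashes:
            data = index.get(h)
            if data is None:
                skipped.append(h)
            elif not matcher(rule, data):
                fail.append(h)
        report[rule] = {"fail": fail, "skipped": skipped}
    return report


# Constructed corpus and rules for the demo (not real samples).
SAMPLE_A = b"MZ... this constructed file carries the marker EVIL_PAYLOAD ..."
SAMPLE_B = b"constructed benign content with no marker"
SAMPLES = {"a.bin": SAMPLE_A, "b.bin": SAMPLE_B}
MD5_B = hashlib.md5(SAMPLE_B).hexdigest()
MISSING_SHA1 = "0" * 40  # placeholder hash of a file not in the corpus

RULES = f'''
rule covers_a
{{
    meta:
        description = "lists a hash the rule really matches"
        hash = "{hashlib.sha256(SAMPLE_A).hexdigest()}"
    strings:
        $m = "EVIL_PAYLOAD"
    condition:
        $m
}}

rule wrong_hash
{{
    meta:
        md5 = "{MD5_B}"
    strings:
        $m = "EVIL_PAYLOAD"
    condition:
        $m
}}

rule unknown_sample
{{
    meta:
        sha1 = "{MISSING_SHA1}"
    condition:
        true
}}
'''


def substring_matcher(rule_name: str, data: bytes) -> bool:
    """Offline stand-in for yara: the two string rules above test for EVIL_PAYLOAD."""
    return rule_name == "unknown_sample" or b"EVIL_PAYLOAD" in data


def run_demo() -> Dict[str, Dict[str, List[str]]]:
    """Use yara-python when available, otherwise the offline matcher."""
    try:
        matcher = yara_matcher(RULES)
    except ImportError:
        matcher = substring_matcher
    return check_false_negatives(RULES, SAMPLES, matcher)


if __name__ == "__main__":
    for rule, outcome in run_demo().items():
        status = "FAIL" if outcome["fail"] else ("SKIP" if outcome["skipped"] else "OK")
        print(f"{status:4} {rule}  false_negatives={outcome['fail']} skipped={outcome['skipped']}")
```

In the demo, `covers_a` passes, `wrong_hash` is reported as a false negative because the file whose md5 it lists does not contain the string the rule looks for, and `unknown_sample` is skipped because its hash is not in the corpus, which is exactly the case where the CI check still succeeds.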
More information here.