Accessing and Using the Malware Detection Feed (Enterprise)

Wordfence Intelligence Malware Detection Feed

The Wordfence Intelligence Malware Detection Feed provides YARA rules that can be used to scan filesystems and other data sources for malware.

Retrieving the Malware Detection Feed

GET /api/intelligence/malware-detection

This endpoint accepts no additional parameters and always returns the complete Malware Detection Feed.

Using the Malware Detection Feed

The Malware Detection Feed is provided as plain-text (as opposed to platform-specific, precompiled) YARA rules. This file can be used directly with the YARA CLI to scan files for malware.

yara /path/to/malware_detection_feed.yara /some/path/to/scan

Many other tools can also consume YARA rules directly, and custom scanners can be built with the yara-python library or directly against the libyara C API. The Wordfence Intelligence Malware Detection Feed is compatible with any tool or library that supports YARA.

YARA Versions

The Wordfence Intelligence Malware Detection Feed is tested using YARA 3.9.0 and is intended to be compatible with YARA versions 3.9.0 and later.

Tags

Rules in the Malware Detection Feed are tagged with the category of malware they detect as well as the language or filetype associated with the malware. These tags are available for filtering, but they do not filter anything on their own: every rule in the feed is evaluated against every scanned file unless you restrict the output or the rule set yourself.

The current category tags include:

  • Backdoor
  • Suspicious
  • Spam
  • Defacement
  • IOC
  • Phishing
  • Redirect
  • Mailer
  • Obfuscated
  • Exploit
  • Safe
  • Hacktool

The current filetype tags include:

  • PHP
  • TXT
  • ASP
  • PL
  • SH
  • VBS
  • JSON
  • HTML
  • JS
  • C
  • ZIP
  • ELF
  • DOS
  • APACHE
  • PY
  • EXE
  • BIN
  • PNG
  • HTACCESS

Filtering by Tags

It is possible to filter output by tag in the YARA CLI client using the -t or --tag= switch. Note that this only restricts which matches are printed; every rule in the feed is still evaluated against each file. For example, to recursively scan the current directory and only print files that match a rule tagged with Backdoor, you can use the following command:

yara -r --tag=Backdoor malware_detection_feed.yara .
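The following Python script is an added example, not Wordfence code, covering the two points above: consuming the plain-text feed from a custom scanner with the yara-python library, and filtering results by tag. It also inventories which category and filetype tags a feed file actually carries by parsing rule headers (a header heuristic for the feed's plain-text format, not a full YARA parser), so an undocumented tag in a feed update is noticed. The SAMPLE_FEED text, file names and the `require`/`exclude` parameters are constructed for illustration; yara-python (`pip install yara-python`) is assumed for `scan_path` only.

```python
"""Inventory the tags in a plain-text YARA feed and scan a path with yara-python,
keeping only matches that carry chosen tags. Added example; not Wordfence code."""
from __future__ import annotations

import re
import sys
from collections import Counter
from dataclasses import dataclass
from pathlib import Path

# Category and filetype tags documented for the Malware Detection Feed.
CATEGORY_TAGS = {"Backdoor", "Suspicious", "Spam", "Defacement", "IOC", "Phishing",
                 "Redirect", "Mailer", "Obfuscated", "Exploit", "Safe", "Hacktool"}
FILETYPE_TAGS = {"PHP", "TXT", "ASP", "PL", "SH", "VBS", "JSON", "HTML", "JS", "C", "ZIP",
                 "ELF", "DOS", "APACHE", "PY", "EXE", "BIN", "PNG", "HTACCESS"}

# A rule header: optional private/global modifiers, the rule name, then an optional
# ": Tag1 Tag2" list before the opening brace. This is a header heuristic for the
# feed's plain-text format, not a full YARA grammar.
RULE_HEADER = re.compile(
    r"^\s*(?:(?:private|global)\s+)*rule\s+(\w+)\s*(?::\s*([\w\s]+?))?\s*\{",
    re.MULTILINE)

# Constructed sample in the feed's format (not real feed content), used by main().
SAMPLE_FEED = """
rule sample_backdoor_php : Backdoor PHP {
    strings:
        $a = "sample_marker_string"
    condition:
        $a
}
private rule sample_helper
{
    condition:
        true
}
rule sample_htaccess_redirect : Redirect HTACCESS Obfuscated {
    condition:
        sample_helper
}
"""


def rule_tags(source: str) -> dict[str, set[str]]:
    """Map every rule name in the feed text to the set of tags on its header."""
    return {name: set(tags.split()) for name, tags in RULE_HEADER.findall(source)}


def tag_inventory(source: str) -> dict[str, Counter]:
    """Count rules per category tag and per filetype tag; anything undocumented
    lands in 'unknown' so a feed update that adds a tag is noticed."""
    counts = {"category": Counter(), "filetype": Counter(), "unknown": Counter()}
    for tags in rule_tags(source).values():
        for tag in tags:
            if tag in CATEGORY_TAGS:
                counts["category"][tag] += 1
            elif tag in FILETYPE_TAGS:
                counts["filetype"][tag] += 1
            else:
                counts["unknown"][tag] += 1
    return counts


@dataclass(frozen=True)
class Hit:
    path: str
    rule: str
    tags: frozenset


def filter_hits(hits, require=(), exclude=()):
    """Keep hits that carry every tag in `require` and none in `exclude`.
    Like `yara -t`, this only changes what is reported: every rule was still evaluated."""
    req, exc = frozenset(require), frozenset(exclude)
    return [h for h in hits if req <= h.tags and not (exc & h.tags)]


def scan_path(rules_path, target, require=(), exclude=()):
    """Compile the feed with yara-python and scan one file or a directory tree."""
    import yara  # imported here so the tag helpers work without yara-python installed
    rules = yara.compile(filepath=str(rules_path))
    target = Path(target)
    files = [target] if target.is_file() else [p for p in target.rglob("*") if p.is_file()]
    hits = []
    for f in files:
        try:
            for m in rules.match(str(f)):
                hits.append(Hit(str(f), m.rule, frozenset(m.tags)))
        except yara.Error as err:  # unreadable or oversized file: report and keep going
            print(f"skip {f}: {err}", file=sys.stderr)
    return filter_hits(hits, require, exclude)


if __name__ == "__main__":
    # With no arguments, inventory the constructed sample; otherwise inventory the
    # given feed file and scan a path for Backdoor-tagged hits, as in the CLI example.
    if len(sys.argv) < 3:
        print(tag_inventory(SAMPLE_FEED))
    else:
        print(tag_inventory(Path(sys.argv[1]).read_text()))
        for hit in scan_path(sys.argv[1], sys.argv[2], require={"Backdoor"}):
            print(f"{hit.path}: {hit.rule} {sorted(hit.tags)}")
```

Run it as `python scan_feed.py malware_detection_feed.yara .` to mirror the CLI example above. The tag filter is applied after matching, exactly as `yara -t` does, so it reduces noise in the report but not scan time; to scan fewer rules you would have to extract a subset of the feed text (for example with `rule_tags`) and compile that instead.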
Further information and documentation

The full documentation for our targeted version of YARA can be found at https://yara.readthedocs.io/en/v3.9.0/. Further information on running YARA from the command line can be found at https://yara.readthedocs.io/en/v3.9.0/commandline.html.