V2: Accessing and Using the Malware Signature Feed (Enterprise)

Wordfence Intelligence Malware Signature Feed

The Wordfence Intelligence Malware Signature Feed provides YARA rules that can be used to scan filesystems and other data sources for malware.

Retrieving the Malware Signature Feed

GET /api/intelligence/v2/malware/signatures

This endpoint accepts no additional parameters and always returns the complete Malware Signature Feed.

Using the Malware Signature Feed

The Malware Signature Feed is provided as plain-text (as opposed to platform-specific, precompiled) YARA rules. This file can be used directly with the YARA CLI to scan files for malware.

yara /path/to/malware_signature_feed.yara /some/path/to/scan

Many other tools can consume YARA rules directly, and custom scanners can be built on the yara-python library or the libyara C API. The Wordfence Intelligence Malware Signature Feed is compatible with any tool or library that supports YARA.

YARA Versions

The Wordfence Intelligence Malware Signature Feed is tested using YARA 3.9.0 and is intended to be compatible with YARA versions 3.9.0 and later.

Tags

Rules in the Malware Signature Feed are tagged with the category of malware they detect as well as the language or filetype associated with the malware. Tags are informational: they do not restrict which rules are evaluated, and every rule in the feed runs unless you filter by tag yourself (for example with the YARA CLI's tag switch described below).

The current category tags include:

  • Backdoor
  • Suspicious
  • Spam
  • Defacement
  • IOC
  • Phishing
  • Redirect
  • Mailer
  • Obfuscated
  • Exploit
  • Safe
  • Hacktool

The current filetype tags include:

  • PHP
  • TXT
  • ASP
  • PL
  • SH
  • VBS
  • JSON
  • HTML
  • JS
  • C
  • ZIP
  • ELF
  • DOS
  • APACHE
  • PY
  • EXE
  • BIN
  • PNG
  • HTACCESS

Filtering by Tags

It is possible to filter output by tag in the YARA CLI using the -t or --tag= switch, which prints only rules carrying exactly that tag (tag names are case-sensitive identifiers; the switch may be given more than once to match any of several tags). For example, to recursively scan the current directory and only print files that match a rule tagged with Backdoor, you can use the following command:

yara -r --tag=Backdoor malware_signature_feed.yara .
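The yara-python route mentioned above and the tag filtering in this section, worked together in Python. This is an added example, not Wordfence's own code. Because the feed is plain-text YARA, a client can select rules by tag before compiling them, which shrinks the rule set YARA has to evaluate; yara-python has no equivalent of the CLI's --tag switch, so when the full feed is compiled the tag check is applied to each match's tags instead. Assumptions: the feed has been saved to disk as plain-text rules, yara-python is installed for the scan step, and SAMPLE_FEED (its rule names, strings and tags) is constructed for the example rather than taken from the real feed; the function names are this example's own.

```python
# Added example (not Wordfence code): pre-filter the plain-text feed by tag, then scan
# with yara-python. SAMPLE_FEED is a constructed stand-in, not real feed content.
import os
import re
from collections import namedtuple
try:
    import yara  # yara-python; needed only by scan_path()
except ImportError:
    yara = None

# Constructed excerpt in the feed's format; names, strings and tags are made up.
SAMPLE_FEED = r'''import "hash"

rule example_php_backdoor : PHP Backdoor {
    strings: $a = "eval(base64_decode(" ascii
             $b = { 3C 3F 70 68 70 }            // hex string: its braces are balanced
    condition: $a and $b }

private rule example_js_redirect : JS Redirect {
    strings: $r = /window\.location\s*=\s*"http/   // regex containing a quote
    condition: $r }

rule example_safe_marker : TXT Safe {
    strings: $s = "a literal with a } brace"      // brace inside a text string
    condition: $s }
'''
# Rule header: optional modifiers, name, optional ": Tag Tag", up to the opening brace.
RULE_HEADER = re.compile(r"(?:\b(?:private|global)\s+)*\brule\s+(\w+)\s*(?::\s*([\w\s]+?))?\s*\Z")
Rule = namedtuple("Rule", "name tags text")  # tags: frozenset of str; text: header + body

def _iter_blocks(source):
    """Yield (header, block) per top-level {...}. Text strings, regex strings (a '/' right
    after '=') and comments are skipped so braces inside them do not affect the depth."""
    i, n, depth, start, prev, header, block_start = 0, len(source), 0, 0, "", "", 0
    while i < n:
        c = source[i]
        if c == '"' or (c == "/" and prev == "="):
            j = i + 1
            while j < n and source[j] != c:
                j += 2 if source[j] == "\\" else 1  # step over escaped characters
            i, prev = j + 1, c
        elif source.startswith("//", i):
            j = source.find("\n", i)
            i = n if j < 0 else j
        elif source.startswith("/*", i):
            j = source.find("*/", i + 2)
            i = n if j < 0 else j + 2
        else:
            if c == "{":
                if depth == 0:
                    header, block_start = source[start:i], i
                depth += 1
            elif c == "}":
                depth -= 1
                if depth == 0:
                    yield header, source[block_start:i + 1]
                    start = i + 1
            if not c.isspace():
                prev = c
            i += 1

def parse_feed(source):
    """Split feed text into (preamble, [Rule]); the preamble is top-level text outside
    any rule, such as import statements, and is kept when a filtered feed is written."""
    preamble, rules = [], []
    for header, block in _iter_blocks(source):
        m = RULE_HEADER.search(header)
        if m is None:
            raise ValueError(f"unparseable rule header: {header.strip()[-60:]!r}")
        if header[:m.start()].strip():
            preamble.append(header[:m.start()].strip())
        tags = frozenset(m.group(2).split()) if m.group(2) else frozenset()
        rules.append(Rule(m.group(1), tags, header[m.start():].rstrip() + " " + block))
    return "\n".join(preamble), rules

def filter_feed(source, include=(), exclude=()):
    """Smaller feed holding only rules with at least one `include` tag (all rules if
    empty) and none of the `exclude` tags; YARA tags are exact, case-sensitive names."""
    preamble, rules = parse_feed(source)
    inc, exc = set(include), set(exclude)
    kept = [r.text for r in rules if (not inc or r.tags & inc) and not (r.tags & exc)]
    return "\n\n".join(([preamble] if preamble else []) + kept) + "\n"

def scan_path(rule_source, root, tags=()):
    """Compile with yara-python and walk root, returning {path: [rule names]} for matches
    whose rule carries one of `tags` (all if empty); like `yara -r --tag=TAG feed root`."""
    if yara is None:
        raise RuntimeError("yara-python is not installed (pip install yara-python)")
    rules, wanted, hits = yara.compile(source=rule_source), set(tags), {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                matches = rules.match(path)
            except yara.Error:  # unreadable file, timeout, etc.: skip it
                continue
            names = [m.rule for m in matches if not wanted or wanted & set(m.tags)]
            if names:
                hits[path] = names
    return hits
```

With the real feed on disk, scan_path(filter_feed(open("malware_signature_feed.yara").read(), include=["Backdoor"]), "/var/www") compiles only the Backdoor-tagged rules and walks the web root; scan_path(open(...).read(), "/var/www", tags=["Backdoor"]) compiles everything and filters the matches instead, which is what the CLI command above does. The splitter understands text strings, hex strings, regexes introduced by "=" and both comment styles; a regex with an unbalanced brace or an unescaped "/" inside a character class would confuse it and parse_feed raises rather than silently dropping rules, in which case fall back to the CLI's --tag switch.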

Further information and documentation

The full documentation for our targeted version of YARA can be found at https://yara.readthedocs.io/en/v3.9.0/. Further information on running YARA from the command line can be found at https://yara.readthedocs.io/en/v3.9.0/commandline.html.