Certified Ethical Hacker (CEH v12) — Question 134

Your company has been receiving regular alerts from its IDS about potential intrusions. On further investigation, you notice that these alerts have been false positives triggered by certain goodware files. In response, you are planning to enhance the IDS with YARA rules, reducing these false positives while improving the detection of real threats. Based on the scenario and the principles of YARA and IDS, which of the following strategies would best serve your purpose?

Answer options

• A. Writing YARA rules specifically to identify the goodware files triggering false positives
• B. Implementing YARA rules that focus solely on known malware signatures
• C. Creating YARA rules to examine only the private database for intrusions
• D. Incorporating YARA rules to detect patterns in all files regardless of their nature

Correct answer: A

Explanation

The correct answer is A because writing YARA rules to identify the goodware files that are causing false positives directly addresses the issue at hand, allowing the IDS to differentiate between legitimate files and actual threats. Options B, C, and D do not specifically target the false positives, making them less effective in solving the problem described in the scenario.