Certified Ethical Hacker (CEH v13) — Question 271

Your company has been receiving regular alerts from its IDS about potential intrusions. On further investigation, you notice that these alerts have been false positives triggered by certain goodware files. In response, you are planning to enhance the IDS with YARA rules, reducing these false positives while improving the detection of real threats. Based on the scenario and the principles of YARA and IDS, which of the following strategies would best serve your purpose?

Answer options

• A. Writing YARA rules specifically to identify the goodware files triggering false positives
• B. Implementing YARA rules that focus solely on known malware signatures
• C. Creating YARA rules to examine only the private database for intrusions
• D. Incorporating YARA rules to detect patterns in all files regardless of their nature

Correct answer: A

Explanation

The correct answer is A because writing YARA rules to identify the legitimate files causing false positives directly addresses the problem at hand. Options B and C do not resolve the issue of false positives triggered by goodware, and option D could lead to more noise without effectively filtering out the legitimate alerts.