tag files with malicious probability

[shaddai]

When pmf shows multiple files in its output, it can be hard for a human to sort files and find real malwares.
Yara can tag files, we should use this functionality to help in detecting real webshells/web malwares.

[jvoisin]

Currently, there is this hackish function:

needle_in_haystack() {                                                           
                                                                                 
  needle=$(mktemp)                                                               
  egrep '(PasswordProtection|Websites|TooShort|NonPrintableChars)' $1 > $needle  
  if [ ! "$(wc -l $needle | awk '{print $1}')" = "0" ]; then                     
      echo "================================================="                   
      echo "You should take a look at the files listed below:"                   
      cat $needle                                                                
  fi;                                                                            
  rm $needle                                                                     
}

In my opinion, we should use yara tags to mark false-positive-free rules, and provide a --critical-only option instead.