From 0c2895024cc8929a43d0211e53967085308b3f78 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=D4=9C=D0=B5=D1=95?= <5124946+wesinator@users.noreply.github.com>
Date: Wed, 24 Oct 2018 09:20:02 -0400
Subject: [PATCH 1/2] Remove bad Armadillov171 PEiD signature rule

This rule has false positives on PEs compiled with MSVC https://github.com/Yara-Rules/rules/issues/39
---
 tools/yara/packer.yara | 10 ----------
 1 file changed, 10 deletions(-)

diff --git a/tools/yara/packer.yara b/tools/yara/packer.yara
index 024e1a5..7391b53 100755
--- a/tools/yara/packer.yara
+++ b/tools/yara/packer.yara
@@ -10210,16 +10210,6 @@ condition:
 }
 
 
-rule Armadillov171
-{
-strings:
-	$a0 = { 55 8B EC 6A FF 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 64 A1 }
-
-condition:
-	$a0 at entrypoint
-}
-
-
 rule KBySV022shoooo
 {
 strings:

From 52119fc897a1379f2197701e072f03540fee98de Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=D4=9C=D0=B5=D1=95?= <5124946+wesinator@users.noreply.github.com>
Date: Mon, 20 May 2019 22:35:15 -0400
Subject: [PATCH 2/2] Disable PEiD Armadillo packer false positive

"Armadillo v1.xx - v2.xx" is a false positive https://www.zscaler.com/blogs/research/your-windows-8-packed
---
 tools/yara/packer.yara | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/tools/yara/packer.yara b/tools/yara/packer.yara
index 7391b53..653a1dd 100755
--- a/tools/yara/packer.yara
+++ b/tools/yara/packer.yara
@@ -14507,6 +14507,7 @@ condition:
 }
 
 
+/* false positive - https://www.zscaler.com/blogs/research/your-windows-8-packed
 rule Armadillov1xxv2xx
 {
 strings:
@@ -14514,7 +14515,7 @@ strings:
 
 condition:
 	$a0 at entrypoint
-}
+}*/
 
 
 rule HACKSTOPv111c
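Review bot: Disabling `Armadillov1xxv2xx` with a `/*` opened in the first hunk of PATCH 2/2 and closed by `}*/` in the second leaves the rule as dead text in packer.yara, and it is inconsistent with PATCH 1/2, which deleted the equally false-positive `Armadillov171` outright. If the rule is kept for reference, the added comment should state the reason in words rather than only a link, e.g. `/* Disabled: "Armadillo v1.xx - v2.xx" PEiD signature is a known false positive; see https://www.zscaler.com/blogs/research/your-windows-8-packed`; otherwise deleting it as the first patch did is the cleaner option. Because a block comment is used, any `*/` inside the commented-out rule would end the comment early; the rule's strings entry lies between the two hunks and is not visible here, so that line should be checked before merging.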