v1.1.0 adds support for archive analysis via yextend! Hundreds of different types of archives (.docx, .rar, .zip, etc) are now natively extracted and scanned with your YARA rules.

Change Summary

• Bundles yextend for YARA analysis of archives
• The YARA analyzer can now be configured to analyze any bucket
• The shred utility is used to destroy files in /tmp after downloading them from S3
• Adds YARA rules for CobaltStrike and the backdoored version of CCleaner
• Upgraded Dependencies
  • cbapi v1.3.2 => v1.3.4
  • terraform v0.10.X => v0.11.X
  • terraform/aws-provider 0.1.4 => 1.5.X
  • yara-python v3.6.3 => v3.7.0
• CLI Changes
  • Adds --version flag
  • Adds destroy command
  • Creates a new Lambda version for every function on every deploy
  • live_test now uploads an archive in addition a text file
• Documentation Updates
  • Provides a least-privilege IAM policy for deploying BinaryAlert
  • Explains how to install openssl development libraries prior to installing YARA
  • Adds a credits page

For the complete list of changes and issues closed, see the associated milestone.

Upgrading From v1.0.0

Upgrading is quite easy and can happen on top of your existing deploy:

1. git checkout v1.1.0
2. Install the new (upgraded) requirements in your virtualenv:

source venv/bin/activate
pip install -r requirements.txt

3. Upgrade terraform to v0.11+
4. Redeploy: ./manage.py deploy
5. Wait a few minutes for the changes to propagate, and then ./manage.py live_test

Note that the SNS alert no longer includes the YARA RuleTags in the MatchedRules section.