10. Configuring YARA Rules

YARA scans will produce false positives, so the system identifies the file signer for each alert. The THOR/YARA classification rules include a built-in global rule that whitelists files based on signer information. To minimize false positives, clone this rule and add new trusted signers. To manage classification rules, go to "Rules & Policies" -> "SIGMA/YARA Rules" -> "Windows YARA Rules".
