Problem
While experimenting with capa rule logic, I noticed that some rule constructs are currently accepted during rule loading even though they are not safe for the optimized matcher/indexer.
In particular, certain logical edge cases can lead to ambiguous or incorrect evaluation behavior.
Examples include:
- top-level
not statements
- nested
not constructs (e.g. not: not: ...)
- top-level
count(...): 0 statements
These patterns may conflict with assumptions made by the optimized rule matcher and rule indexer.
Example
For example, a rule containing something like:
not:
api: CreateFileA
Or
not:
not:
api: CreateFileA
Similarly, constructs like:
count(api(CreateFileA)): 0
may introduce ambiguity or unexpected behavior during rule evaluation.
Expected Behavior
Rules containing unsupported logic constructs should be rejected during rule loading with a clear validation error.
This would:
• prevent subtle evaluation bugs
• ensure rules remain compatible with the optimized matcher/indexer
• provide clearer feedback to rule authors when invalid constructs are used.
Related Work #2913 
Problem
While experimenting with capa rule logic, I noticed that some rule constructs are currently accepted during rule loading even though they are not safe for the optimized matcher/indexer.
In particular, certain logical edge cases can lead to ambiguous or incorrect evaluation behavior.
Examples include:
notstatementsnotconstructs (e.g.not: not: ...)count(...): 0statementsThese patterns may conflict with assumptions made by the optimized rule matcher and rule indexer.
Example
For example, a rule containing something like: