The most important reasons for the difference are:
- Analysts often have more context: they typically write rules only after studying a sample's dynamic behaviour, the wider context of the droppers and C2 infrastructure used by the malware family, and so on.
- Analysts sometimes restrict themselves mostly to text snippets, shell commands and function import names, with only one or two binary snippets. In contrast, VTDiff gives equal weight to Binary, Ascii, WideAscii and even Domain snippets.
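As an added illustration of the four snippet kinds named above (this is example code written for this page, not VTDiff's code or its output format), the following Python renders Binary, Ascii, WideAscii and Domain snippets as YARA strings with the `hex`, `ascii`, `wide` and `nocase` modifiers YARA actually supports, then emulates the match against a constructed sample. It shows the practical cost of ignoring WideAscii: a command line stored as UTF-16LE is missed by an ascii-only string. The `Snippet` class, the sample bytes, the rule name and the choice to map Domain snippets to `ascii wide nocase` are assumptions made here.

```python
"""Render VTDiff-style snippet kinds as YARA strings and show why encoding matters.

Added example for this page: the Snippet class, the sample bytes and the rule
name are constructed here; none of this is VTDiff's own code or output.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Snippet:
    kind: str     # one of: binary, ascii, wideascii, domain (assumed categories)
    value: bytes  # raw bytes for binary; ASCII text for the other kinds


def yara_string(name: str, s: Snippet) -> str:
    """One YARA string definition for the snippet, using real YARA modifiers."""
    if s.kind == "binary":
        # hex string: byte-exact match, independent of any text encoding
        return f"${name} = {{ {' '.join(f'{b:02X}' for b in s.value)} }}"
    # escape backslashes and quotes so the text is a valid YARA string literal
    text = s.value.decode("ascii").replace("\\", "\\\\").replace('"', '\\"')
    if s.kind == "ascii":
        return f'${name} = "{text}" ascii'
    if s.kind == "wideascii":
        # wide: match the UTF-16LE form, which is how Windows APIs carry strings
        return f'${name} = "{text}" wide'
    if s.kind == "domain":
        # an indicator may appear in either encoding and in any case (assumption)
        return f'${name} = "{text}" ascii wide nocase'
    raise ValueError(f"unknown snippet kind: {s.kind}")


def build_rule(rule_name: str, snippets: list[Snippet], min_hits: int) -> str:
    """Assemble a complete YARA rule from the snippets."""
    lines = [f"rule {rule_name}", "{", "    strings:"]
    lines += [f"        {yara_string(f's{i}', s)}" for i, s in enumerate(snippets)]
    lines += ["    condition:", f"        {min_hits} of them", "}"]
    return "\n".join(lines)


def byte_forms(s: Snippet) -> list[bytes]:
    """Byte patterns the YARA string above would search for (nocase handled in scan)."""
    if s.kind in ("binary", "ascii"):
        return [s.value]
    wide = s.value.decode("ascii").encode("utf-16-le")
    if s.kind == "wideascii":
        return [wide]
    return [s.value, wide]  # domain: both encodings


def scan(sample: bytes, snippets: list[Snippet]) -> dict[str, bool]:
    """Emulate the per-string match outcome of the generated rule against sample."""
    hits = {}
    for i, s in enumerate(snippets):
        forms = byte_forms(s)
        hay = sample
        if s.kind == "domain":  # emulate nocase by ASCII-folding both sides
            hay = sample.lower()
            forms = [f.lower() for f in forms]
        hits[f"s{i}"] = any(f in hay for f in forms)
    return hits


# Constructed sample: PE magic, an ASCII mutex name, a UTF-16LE command line,
# and a mixed-case domain stored as ASCII.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 8
    + b"Global\\ExampleMutex\x00"
    + "cmd.exe /c".encode("utf-16-le")
    + b"Update.Example-C2.test\x00"
)

SNIPPETS = [
    Snippet("binary", b"MZ\x90\x00"),
    Snippet("ascii", b"Global\\ExampleMutex"),
    Snippet("wideascii", b"cmd.exe /c"),
    Snippet("domain", b"update.example-c2.test"),
]

# The same command line declared ascii-only misses: the sample stores it as UTF-16LE.
ASCII_ONLY_CMD = Snippet("ascii", b"cmd.exe /c")

if __name__ == "__main__":
    print(build_rule("constructed_example", SNIPPETS, 3))
    print(scan(SAMPLE, SNIPPETS))
    print(scan(SAMPLE, [ASCII_ONLY_CMD]))
```

Running the block prints the generated rule and two match maps: all four snippets hit, while the ascii-only copy of the command line does not. The `scan` function is only an emulation of the modifiers' semantics for the demonstration; feed `build_rule`'s output to YARA itself to verify a rule against real samples.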
VTDiff speeds up rule creation, but you, as a security analyst, remain in control and can supplement the tool's results with extra rules tailored to your specific investigation.